Home page logo

funsec logo funsec mailing list archives

RE: Serious Flaw on OS X in Apple Safari
From: "Fergie" <fergdawg () netzero net>
Date: Tue, 21 Feb 2006 02:33:03 GMT

No, it doesn't sound like it's a red herring at all.

In fact, it sounds more serious than the ISC SANS pointer

- ferg

-- "Larry Seltzer" <larry () larryseltzer com> wrote:

So is the whole shebang thing a red herring?

Larry Seltzer
eWEEK.com Security Center Editor
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com 

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Anthony Rodgers
Sent: Monday, February 20, 2006 8:33 PM
To: FunSec [List]
Subject: Re: [funsec] Serious Flaw on OS X in Apple Safari

This looks like it might be quite serious, unlike previous ones. I have
tested the POC, and can tell you that:

1. It does not need Safari to work
2. It does not need auto-open to work

That information is a red herring. The vulnerability is an OS vulnerability
that is described in paragraph 4 of the article:

"If a script is given an extension such as "jpg" or "mov" and stored within
a ZIP archive, Mac OS X will add a binary metadata file to the archive which
determines its association. This metafile instructs the operating system on
another Mac to open that file with the Terminal application -- regardless of
its extension or the symbol displayed in the Finder. The Terminal will
redirect scripts without an interpreter line directly to bash, the standard
shell in OS X."

All it needs is a zip file with meta-data in it that makes it behave like a
shell script, and a file name extension that makes it look like a jpg (or
any other type of 'friendly' file. This zip file, or its resultant contents,
can then be downloaded from a web site (with or without Safari, with or
without auto-open), emailed, or whatever.


On 20-Feb-06, at 5:09 PM, Fergie wrote:

Via The SAN ISC Daily Handler's Diary.


We received notice from Juergen Schmidt, editor-in-chief at heise.de, 
that a serious vulnerability has been found in Apple Safari on OS X. 
"In its default configuration shell commands are execute[d] simply by 
visting a web site - no user interaction required." This could be 
really bad. Attackers can run shell scripts on your computer remotely 
just by visiting a malicious website.

Full text of the article: http://www.heise.de/english/newsticker/

Proof of concept from the original discoverer (Michael Lehn):  



- ferg

"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet  fergdawg () netzero net or 
fergdawg () sbcglobal net  ferg's tech blog: 

Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]