mailing list archives
RE: Serious Flaw on OS X in Apple Safari
From: "Fergie" <fergdawg () netzero net>
Date: Tue, 21 Feb 2006 02:33:03 GMT
No, it doesn't sound like it's a red herring at all.
In fact, it sounds more serious than the ISC SANS pointer
-- "Larry Seltzer" <larry () larryseltzer com> wrote:
So is the whole shebang thing a red herring?
eWEEK.com Security Center Editor
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On
Behalf Of Anthony Rodgers
Sent: Monday, February 20, 2006 8:33 PM
To: FunSec [List]
Subject: Re: [funsec] Serious Flaw on OS X in Apple Safari
This looks like it might be quite serious, unlike previous ones. I have
tested the POC, and can tell you that:
1. It does not need Safari to work
2. It does not need auto-open to work
That information is a red herring. The vulnerability is an OS vulnerability
that is described in paragraph 4 of the article:
"If a script is given an extension such as "jpg" or "mov" and stored within
a ZIP archive, Mac OS X will add a binary metadata file to the archive which
determines its association. This metafile instructs the operating system on
another Mac to open that file with the Terminal application -- regardless of
its extension or the symbol displayed in the Finder. The Terminal will
redirect scripts without an interpreter line directly to bash, the standard
shell in OS X."
All it needs is a zip file with meta-data in it that makes it behave like a
shell script, and a file name extension that makes it look like a jpg (or
any other type of 'friendly' file. This zip file, or its resultant contents,
can then be downloaded from a web site (with or without Safari, with or
without auto-open), emailed, or whatever.
On 20-Feb-06, at 5:09 PM, Fergie wrote:
Via The SAN ISC Daily Handler's Diary.
We received notice from Juergen Schmidt, editor-in-chief at heise.de,
that a serious vulnerability has been found in Apple Safari on OS X.
"In its default configuration shell commands are execute[d] simply by
visting a web site - no user interaction required." This could be
really bad. Attackers can run shell scripts on your computer remotely
just by visiting a malicious website.
Full text of the article: http://www.heise.de/english/newsticker/
Proof of concept from the original discoverer (Michael Lehn):
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet fergdawg () netzero net or
fergdawg () sbcglobal net ferg's tech blog:
Fun and Misc security discussion for OT posts.
Note: funsec is a public and open mailing list.