Full Disclosure mailing list archives
Exploit different
From: "Rosalina Hamar" <rosalina () linuxmail org>
Date: Sat, 22 May 2004 19:42:36 +0800
Apple released a fix for the Help Viewer Problem described by lixlpixel. But during different tests some really serious problems turned out.

1) MacOS X LaunchService Vulnerability

Mount a FTP/DAV/SMB/AFS-Volume with an application in it which registers a new protocol handler i.e. test:, and if that handler is called, the script will be executed.

Example from Info.plist:

    [...]
    <key>CFBundleURLTypes</key>
    <array>
        <dict>
            <key>CFBundleURLName</key>
            <string>Test</string>
            <key>CFBundleURLSchemes</key>
            <array>
                <string>test</string>
            </array>
        </dict>
    </array>
    [...]

Demo: http://rosa.base-industries.net/

More info:
- http://www.unsanity.com/haxies/pa/whitepaper
- http://forums.macnn.com/showthread.php?s=&threadid=213043&perpage=50&pagenumber=1

2) Telnet URI Handler File Creation/Truncation Vulnerability

It is possible to wipe/zero a file using a telnet URI.

Example: telnet://-nlibrary%2Fpreferences%2Fcom.apple.finder.plist

This affects all browsers which are passing telnet URIs back to the LaunchServices (thanks to fukami for making this clear to me).

More info: http://daringfireball.net/2004/05/telnet_protocol

Jason Harris from Unsanity provided a haxie called Paranoid Android which pops up when a weird protocol handler is called. PA can be found here: http://www.unsanity.com/haxies/pa/

"Even the exploits are user friendly" (mcgroarty on slashdot)

Rosa
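A defensive check for the first issue, added here as an example that is not part of the original post: it walks a mounted volume and reports every application bundle whose Info.plist declares a `CFBundleURLSchemes` entry outside an expected set. The allowlist `KNOWN_SCHEMES`, the function names and the sample bundle are assumptions constructed for illustration.

```python
import plistlib
import tempfile
from pathlib import Path

KNOWN_SCHEMES = {"http", "https", "ftp", "mailto", "file"}  # assumption: local baseline
# Constructed sample: the Info.plist fragment from the post inside a minimal plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>CFBundleURLTypes</key>
  <array><dict>
    <key>CFBundleURLName</key><string>Test</string>
    <key>CFBundleURLSchemes</key><array><string>test</string></array>
  </dict></array>
</dict></plist>"""

def url_schemes(info_plist):
    """Return lower-cased URL schemes declared in one Info.plist (XML or binary)."""
    try:
        with open(info_plist, "rb") as fh:
            info = plistlib.load(fh)
    except Exception:  # unreadable or malformed plist: nothing to report
        return []
    types = info.get("CFBundleURLTypes") if isinstance(info, dict) else None
    schemes = []
    for url_type in types or []:
        if isinstance(url_type, dict):
            for scheme in url_type.get("CFBundleURLSchemes") or []:
                if isinstance(scheme, str):
                    schemes.append(scheme.lower())
    return schemes

def audit_volume(root):
    """List (bundle, scheme) pairs for unexpected schemes under a mount point."""
    root = Path(root)
    findings = []
    for plist in sorted(root.glob("**/*.app/Contents/Info.plist")):
        bundle = plist.parent.parent.relative_to(root)
        for scheme in url_schemes(plist):
            if scheme not in KNOWN_SCHEMES:
                findings.append((str(bundle), scheme))
    return findings

def demo():
    """Write the constructed bundle into a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        contents = Path(tmp) / "Test.app" / "Contents"
        contents.mkdir(parents=True)
        (contents / "Info.plist").write_bytes(SAMPLE_PLIST)
        return audit_volume(tmp)
```

Calling `audit_volume()` on a mount point returns the bundles to review before any of their schemes is trusted; `demo()` returns `[("Test.app", "test")]` for the constructed sample.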