funsec mailing list archives
RE: Serious Flaw on OS X in Apple Safari
From: "Larry Seltzer" <larry () larryseltzer com>
Date: Mon, 20 Feb 2006 21:00:34 -0500
So is the whole shebang thing a red herring?

Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer () ziffdavis com

-----Original Message-----
From: funsec-bounces () linuxbox org [mailto:funsec-bounces () linuxbox org] On Behalf Of Anthony Rodgers
Sent: Monday, February 20, 2006 8:33 PM
To: FunSec [List]
Subject: Re: [funsec] Serious Flaw on OS X in Apple Safari

This looks like it might be quite serious, unlike previous ones. I have tested the POC, and can tell you that:

1. It does not need Safari to work
2. It does not need auto-open to work

That information is a red herring. The vulnerability is an OS vulnerability that is described in paragraph 4 of the article:

"If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless of its extension or the symbol displayed in the Finder. The Terminal will redirect scripts without an interpreter line directly to bash, the standard shell in OS X."

All it needs is a zip file with meta-data in it that makes it behave like a shell script, and a file name extension that makes it look like a jpg (or any other type of 'friendly' file). This zip file, or its resultant contents, can then be downloaded from a web site (with or without Safari, with or without auto-open), emailed, or whatever.

Regards,
--
Anthony

On 20-Feb-06, at 5:09 PM, Fergie wrote:
Via The SANS ISC Daily Handler's Diary.

[snip]

We received notice from Juergen Schmidt, editor-in-chief at heise.de, that a serious vulnerability has been found in Apple Safari on OS X. "In its default configuration shell commands are execute[d] simply by visiting a web site - no user interaction required."

This could be really bad. Attackers can run shell scripts on your computer remotely just by visiting a malicious website.

Full text of the article:
http://www.heise.de/english/newsticker/news/69862

Proof of concept from the original discoverer (Michael Lehn):
http://www.mathematik.uni-ulm.de/~lehn/mac.html

[snip]

http://isc.sans.org/diary.php?storyid=1138

- ferg

--
"Fergie", a.k.a. Paul Ferguson
Engineering Architecture for the Internet
fergdawg () netzero net or fergdawg () sbcglobal net
ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
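Added example, not part of the original thread or of the article's proof of concept: a defender-side check for the archive layout described in the quoted article, flagging ZIP members whose media extension does not match their leading bytes and noting whether a metadata sidecar accompanies them. It assumes the metadata is stored as an AppleDouble "._name" entry under "__MACOSX/", as the macOS archiver writes it; the function names, the short magic-byte table and the sample archive are constructed for illustration.

```python
import io
import os
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"  # first four bytes of an AppleDouble file
# Leading bytes a genuine file of each type starts with (short, non-exhaustive).
IMAGE_MAGIC = {
    ".jpg": (b"\xff\xd8\xff",), ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",), ".gif": (b"GIF87a", b"GIF89a"),
}

def _head(zf, name, n=16):
    # Read only the first bytes so a huge member is never fully inflated.
    with zf.open(name) as fh:
        return fh.read(n)

def scan_zip(data):
    """Return one finding per member whose extension and content disagree."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            ext = os.path.splitext(name)[1].lower()
            if name.startswith("__MACOSX/") or ext not in IMAGE_MAGIC:
                continue
            head = _head(zf, name)
            if head.startswith(IMAGE_MAGIC[ext]):
                continue  # content matches the extension
            folder, _, base = name.rpartition("/")
            sidecar = "__MACOSX/" + (folder + "/" if folder else "") + "._" + base
            findings.append({
                "name": name,
                "has_shebang": head.startswith(b"#!"),  # absent in the case discussed
                "has_appledouble": sidecar in names
                    and _head(zf, sidecar, 4) == APPLEDOUBLE_MAGIC,
            })
    return findings

def build_sample():
    """Constructed archive: a mislabelled text file with a sidecar, and a real JPEG header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("holiday.jpg", b"constructed sample text, not an image\n")
        zf.writestr("__MACOSX/._holiday.jpg", APPLEDOUBLE_MAGIC + b"\x00" * 22)
        zf.writestr("real.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 16)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_zip(build_sample()):
        print(finding)
```

A mail or web gateway could run such a check on inbound archives and quarantine any member that is both mislabelled and accompanied by a sidecar.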
Current thread:
- Serious Flaw on OS X in Apple Safari Fergie (Feb 20)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 20)
- RE: Serious Flaw on OS X in Apple Safari Larry Seltzer (Feb 20)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 20)
- RE: Serious Flaw on OS X in Apple Safari Larry Seltzer (Feb 20)
- <Possible follow-ups>
- Re: Serious Flaw on OS X in Apple Safari Fergie (Feb 20)
- RE: Serious Flaw on OS X in Apple Safari Fergie (Feb 20)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 20)