funsec mailing list archives
Re: Serious Flaw on OS X in Apple Safari
From: Anthony Rodgers <Anthony_Rodgers () dnv org>
Date: Mon, 20 Feb 2006 19:22:45 -0800
Nope - just the Safari bit. On 20-Feb-06, at 6:00 PM, Larry Seltzer wrote:
So is the whole shebang thing a red herring? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazine larryseltzer () ziffdavis com -----Original Message-----From: funsec-bounces () linuxbox org [mailto:funsec- bounces () linuxbox org] OnBehalf Of Anthony Rodgers Sent: Monday, February 20, 2006 8:33 PM To: FunSec [List] Subject: Re: [funsec] Serious Flaw on OS X in Apple SafariThis looks like it might be quite serious, unlike previous ones. I havetested the POC, and can tell you that: 1. It does not need Safari to work 2. It does not need auto-open to workThat information is a red herring. The vulnerability is an OS vulnerabilitythat is described in paragraph 4 of the article:"If a script is given an extension such as "jpg" or "mov" and stored within a ZIP archive, Mac OS X will add a binary metadata file to the archive which determines its association. This metafile instructs the operating system on another Mac to open that file with the Terminal application -- regardless ofits extension or the symbol displayed in the Finder. The Terminal willredirect scripts without an interpreter line directly to bash, the standardshell in OS X."All it needs is a zip file with meta-data in it that makes it behave like a shell script, and a file name extension that makes it look like a jpg (or any other type of 'friendly' file. This zip file, or its resultant contents, can then be downloaded from a web site (with or without Safari, with orwithout auto-open), emailed, or whatever. Regards, -- Anthony On 20-Feb-06, at 5:09 PM, Fergie wrote: > Via The SAN ISC Daily Handler's Diary. > > [snip] >> We received notice from Juergen Schmidt, editor-in-chief at heise.de,> that a serious vulnerability has been found in Apple Safari on OS X.> "In its default configuration shell commands are execute[d] simply by> visting a web site - no user interaction required." This could be> really bad. Attackers can run shell scripts on your computer remotely> just by visiting a malicious website. > > Full text of the article: http://www.heise.de/english/newsticker/ > news/69862 > > Proof of concept from the original discoverer (Michael Lehn): > http://www.mathematik.uni-ulm.de/~lehn/mac.html > > [snip] > > http://isc.sans.org/diary.php?storyid=1138 > > - ferg > > > -- > "Fergie", a.k.a. Paul Ferguson > Engineering Architecture for the Internet fergdawg () netzero net or > fergdawg () sbcglobal net ferg's tech blog: > http://fergdawg.blogspot.com/ > > > _______________________________________________ > Fun and Misc security discussion for OT posts. > https://linuxbox.org/cgi-bin/mailman/listinfo/funsec > Note: funsec is a public and open mailing list. > _______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
Current thread:
- Serious Flaw on OS X in Apple Safari Fergie (Feb 20)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 20)
- RE: Serious Flaw on OS X in Apple Safari Larry Seltzer (Feb 20)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 20)
- RE: Serious Flaw on OS X in Apple Safari Larry Seltzer (Feb 20)
- <Possible follow-ups>
- Re: Serious Flaw on OS X in Apple Safari Fergie (Feb 20)
- RE: Serious Flaw on OS X in Apple Safari Fergie (Feb 20)
- Re: Serious Flaw on OS X in Apple Safari Anthony Rodgers (Feb 20)