exploit the possibilities

safari12.txt

safari12.txt
Posted May 18, 2004
Authored by kang

Safari versions 1.2 and below suffer from a vulnerability that can lead to remote arbitrary code execution via the runscript aspect of the HTML rendering functionality.

tags | advisory, remote, arbitrary, code execution
MD5 | fb01452d5c8420ed352357b019941075

safari12.txt

Change Mirror Download
Adv: safari_0x04

Release Date: 10/05/04
Affected Products: Safari =< 1.2
Fixed in: Not fixed.
Impact: Remote code execution.
Severity: High.
Vendor: Notified (23/02/04)
Author: fundisom.com


Apple uses a special function to execute scripts and applications from
his Help system. Unfortunatly, this Help system uses HTML format and
is callable from within browsers such as Safari (all other browsers
tested were vulnerables too).

The problem lies in the fact that Apple added a special function into
his own HTML renderer called "runscript". A link to help:runscript can
be triggered from the browsers and thus launching the desired
application/script.
The desired application/script can be downloaded to a known location
using Safari Safe Open File (default setting) by downloading a Disk
Image (.dmg) which will always point to /Volume/DiskImageName/ScriptName.
It is also possible to guess the user login when Safe Open File is
disabled, and might be possible to include inline Apple Script
commands without calling any external application.

This advisory was released since the bug has been made public
recently. Apple is working on a fix which should be issued shortly.

To protect yourself:
- disable auto opening of safe files in Safari (bad protection,
doesn't prevents anything really)
- change the help helper in InternetConfig (better protection)

Author link: http://fundisom.com/owned/warning
Proof of concept:
http://www.insecure.ws/article.php?story=2004051612423136

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close