
MACOSX.SSHURI.txt

Posted May 25, 2004
Authored by kang | Site insecure.ws

Mac OS X versions 10.3.3 and greater along with various browsers suffer from yet another URI silent code execution flaw using the SSH handler.

tags | advisory, code execution
systems | apple, osx
SHA-256 | c173dc60dc3dcd0f29d58c95ff45eb288a767853fda654b6a75c8906df2a304a

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adv: safari_0x06
Release Date: 24/05/2004
Affected Products: MacOSX >= 10.3.3, Various Browsers, possibly others
platforms/browsers
Fixed in: Not fixed.
Impact: Remote code execution.
Severity: High.
Vendors: Notified (20-23/02/04)
Author: kang@insecure.ws


After the HelpViewer problem, and the self-URI registration in MacOSX,
not to mention the telnet://-nFile overwrite on many platforms, here is
yet another one using the SSH handler.

It has not been determined whether this vulnerability can be
successfully exploited on Linux, but it seems that Konqueror is
protected, while Firefox/etc. are not. I wish I could test it, but it
seems that there is a bug in Gnome 2.6.1 and these URI handlers which
prevented successful exploitation. Other than that, the Gnome browsers
would all be vulnerable.

On MacOSX, it is still possible to use paths (like /path/to/xx and
:path:to:xxx) in URI links by URL-encoding them, despite the recent fix
which filtered them out.

This weakness allows a new URI + SSH exploit, using the ProxyCommand
option of ssh clients. This option is used to execute a proxy
application which will be launched between the ssh client and the
actual connection. Unfortunately, this option can also be used to
execute arbitrary commands.

Safari, Camino, Firefox and Mozilla have been reported vulnerable on OSX.
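
A defensive check for a program that receives ssh:// links, added here as an example; it is not code from this advisory or from any vendor fix. It decodes the URL-encoded parts before checking them, refuses paths and option-like host or user values, and builds an argument list instead of a shell string. The function names and the sample URIs in the test are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Conservative allow-lists: a value that does not match is refused, never
# "cleaned up". Both patterns forbid a leading '-', so a decoded host or
# user name can never be read by ssh as a command-line option.
HOST_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,253}[A-Za-z0-9])?")
USER_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,31}")
PORT_RE = re.compile(r"[0-9]{1,5}")


class UnsafeSshUri(ValueError):
    """Raised when an ssh:// URI must not be handed to the ssh client."""


def ssh_argv_from_uri(uri):
    """Return an argv list for ssh, or raise UnsafeSshUri."""
    parts = urlsplit(uri)
    if parts.scheme.lower() != "ssh":
        raise UnsafeSshUri("not an ssh URI")
    # Paths (plain or URL-encoded), queries and fragments are not needed to
    # open a session, so they are refused outright.
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise UnsafeSshUri("path, query or fragment present")
    # Split the raw authority first, then percent-decode each piece, so the
    # checks below see exactly what ssh would receive.
    userinfo, _, hostport = parts.netloc.rpartition("@")
    host, _, port = hostport.partition(":")
    user, host = unquote(userinfo), unquote(host)
    if not HOST_RE.fullmatch(host):
        raise UnsafeSshUri("host is not a plain host name")
    if user and not USER_RE.fullmatch(user):
        raise UnsafeSshUri("user is not a plain user name")
    argv = ["ssh"]
    if port:
        if not PORT_RE.fullmatch(port) or not 0 < int(port) < 65536:
            raise UnsafeSshUri("bad port")
        argv += ["-p", port]
    if user:
        argv += ["-l", user]
    # "--" is the getopt end-of-options marker (defense in depth); argv is
    # meant for an exec-style call with no shell in between.
    return argv + ["--", host]


def is_safe_ssh_uri(uri):
    try:
        ssh_argv_from_uri(uri)
        return True
    except ValueError:
        return False
```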

My policy is usually to keep such things private, to research them to
their full extent, then to start informing the vendors, and to publish
the problem after a fix has been issued or after a few months without
answers.
However, as you know, two or three vulnerabilities of the same kind are
already being discussed (they were reported and disclosed before my own
research anyway), and one is not yet fixed in MacOSX.
(see http://www.insecure.ws/article.php?story=20040522041815126 )

Therefore I think it is in the best interest that people know about it
to protect themselves.

A simple fix is available at http://www.unsanity.com/haxies/pa/ for
MacOSX and is highly recommended.

No fixes are available for Gnome-based applications, but they are not
vulnerable until the URI bugs have been fixed ;)

The full advisory can be found here:
http://www.insecure.ws/article.php?story=200405222251133

There is an online proof of concept for MacOSX on the advisory page.


- --
Please do not copy this advisory without authorisation.
Authorisation is given to the security focus staff.
Please note, my PGP key has changed.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFAshbqB9TTXBpCLwwRAu5gAKCWHc3a/gw754lEwbZ84I2WgoTXUACdH8B1
ErKkZtGkZ2jA2yoTcz91MUA=
=1UI1
-----END PGP SIGNATURE-----