So, while having help pop open is certainly noticeable, and I think I broke parts of the script by quitting help as it ran. (E.g., it didn't create ~/owned.txt, but did open a terminal, which means it could have run other things in there.)

http://www.monkeyfood.com/software/MoreInternet/ allows you to change the help, but I'm not sure if this will break other help functions.

The actual exploit line is:

<meta HTTP-EQUIV="refresh" content="10; URL=help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scptstring='Volumes:0x04_script:0x04_script.term'">

Adam

On Mon, May 17, 2004 at 04:05:11PM +0200, kang wrote:
| Adv: safari_0x04
|
| Release Date: 10/05/04
| Affected Products: Safari =< 1.2
| Fixed in: Not fixed.
| Impact: Remote code execution.
| Severity: High.
| Vendor: Notified (23/02/04)
| Author: fundisom.com
|
|
| Apple uses a special function to execute scripts and applications from
| its Help system. Unfortunately, this Help system uses HTML format and
| is callable from within browsers such as Safari (all other browsers
| tested were vulnerable too).
|
| The problem lies in the fact that Apple added a special function into
| its own HTML renderer called "runscript". A link to help:runscript can
| be triggered from the browsers, thus launching the desired
| application/script.
| The desired application/script can be downloaded to a known location
| using Safari Safe Open File (default setting) by downloading a Disk
| Image (.dmg) which will always point to /Volume/DiskImageName/ScriptName.
| It is also possible to guess the user login when Safe Open File is
| disabled, and might be possible to include inline Apple Script
| commands without calling any external application.
|
| This advisory was released since the bug has been made public
| recently. Apple is working on a fix which should be issued shortly.
|
| To protect yourself:
| - disable auto opening of safe files in Safari (bad protection,
|   doesn't prevent anything really)
| - change the help helper in InternetConfig (better protection)
|
| Author link: http://fundisom.com/owned/warning
| Proof of concept:
| http://www.insecure.ws/article.php?story=2004051612423136
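A defender-side check for the technique discussed in this thread, added here as an example and not code from the original messages or from fundisom.com's advisory: it scans HTML for any href/src/action attribute or meta-refresh URL that uses the help: scheme, decoding HTML entities and ignoring case first, so that a page cannot hide a help:runscript link behind entity encoding. The sample fragments and the EXAMPLE.scpt name are constructed for the demo.

```python
import html
import re
from typing import List, Tuple

# Constructed sample fragments (not captured traffic). The meta refresh mirrors the
# shape of the exploit line quoted in the thread with a placeholder script name; the
# anchor and entity-encoded variants show what a naive substring match would miss.
SAMPLES = {
    "meta_refresh": '<meta HTTP-EQUIV="refresh" content="10; URL=help:runscript=EXAMPLE.scpt">',
    "anchor": '<a href="HELP:runscript=EXAMPLE.scpt">click</a>',
    "entity_encoded": '<a href="&#104;elp:runscript=EXAMPLE.scpt">click</a>',
    "benign": '<meta http-equiv="refresh" content="5; url=https://example.invalid/">'
              '<a href="/help">help</a>',
}

# Attribute values that can carry a navigation target: href/src/action on any tag,
# plus the "content" attribute, which holds the URL of a meta refresh directive.
_ATTR_RE = re.compile(
    r'\b(?:href|src|action|content)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))', re.I)
# "<seconds>; url=<target>" as used by <meta http-equiv="refresh">.
_REFRESH_URL_RE = re.compile(r'^\s*\d+\s*;\s*url\s*=\s*(.*)$', re.I | re.S)
_SCHEME_RE = re.compile(r'^\s*help\s*:', re.I)


def _normalize(value: str) -> str:
    """Decode HTML entities and drop control characters (tabs, newlines) that
    browsers strip from URLs before resolving the scheme."""
    decoded = html.unescape(value)
    return ''.join(ch for ch in decoded if ord(ch) >= 0x20)


def find_help_urls(document: str) -> List[Tuple[str, str]]:
    """Return (kind, url) pairs for every help: URL found in the markup.

    kind is "meta-refresh" when the URL came from a refresh directive,
    otherwise "attribute".
    """
    hits = []
    for m in _ATTR_RE.finditer(document):
        raw = next(g for g in m.groups() if g is not None)
        value = _normalize(raw)
        kind = "attribute"
        refresh = _REFRESH_URL_RE.match(value)
        if refresh:
            value = refresh.group(1).strip().strip('\'"')
            kind = "meta-refresh"
        if _SCHEME_RE.match(value):
            hits.append((kind, value.strip()))
    return hits


if __name__ == "__main__":
    for name, fragment in SAMPLES.items():
        print(name, find_help_urls(fragment))
```

The same scan applied at a proxy or mail gateway flags the meta-refresh and link forms of the help: URL regardless of tag case or entity encoding, while leaving ordinary refresh targets and relative links alone.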