-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Adv: safari_0x06 Release Date: 24/05/2004 Affected Products: MacOSX >= 10.3.3, Various Browsers, possibly others platforms/browsers Fixed in: Not fixed. Impact: Remote code execution. Severity: High. Vendors: Notified (20-23/02/04) Author: kang@xxxxxxxxxxx
After the HelpViewer problem, and the self-URI registration in MacOSX, not to mention the telnet://-nFile overwrite on many platforms, here is yet another one using the SSH handler.
It has not been determined if this vulnerability can be successfully exploited on linux, but it seems that konqueror is protected, while Firefox/etc are not. I wish I could test it but it seems that there is a bug in Gnome 2.6.1 and theses uri handlers which prevented the successfull exploitation. Else than that, the Gnome browsers would be all vulnerable.
On MacOSX, it is still possible to use paths (like /path/to/xx and :path:to:xxx) in URI links, despite the recent fix which filtered them out, using URL Encoding.
This weakness allows a new URI + SSH exploit, using the ProxyCommand option of ssh clients. This option is used to execute a proxy application which will be launched between the ssh client and the actually connection. Unfortunately, this option can also be used to execute arbitrary commands.
Safari,Camino,Firefox,Mozilla have been reported vulnerable on OSX.
My policy is usually to keep such things private, to research them to their full extend, then to start informing the vendors, and publishing the problem to the public after a fix has been issued or a few monthes without answers. However, as you know, two or three vulnerabilities are already discussing of the same kind of problems (which were reported and disclosed before my owns researches anyway), and one is not yet fixed in MacOSX. (see http://www.insecure.ws/article.php?story=20040522041815126 )
Therefore I think it is in the best interest that people know about it to protect themselves.
A simple fix is available at http://www.unsanity.com/haxies/pa/ for MacOSX and is highly recommanded.
No fixes have been available for Gnome based applications but it is not vulnerable until the URI bugs have been fixed ;)
The full advisory ca be found here: http://www.insecure.ws/article.php?story=200405222251133
There is an online proof of concept for MacOSX on the page advisory.
- -- Please do not copy this advisory without authorisation. Authorisation is given to the security focus staff. Please note, my PGP key has changed. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.4 (MingW32) Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iD8DBQFAshbqB9TTXBpCLwwRAu5gAKCWHc3a/gw754lEwbZ84I2WgoTXUACdH8B1 ErKkZtGkZ2jA2yoTcz91MUA= =1UI1 -----END PGP SIGNATURE-----