Safari Shellscript Vulnerability
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
http://www.heise.de/english/newsticker/news/69862
Safari can be tricked to automatically execute shell scripts downloaded within ZIP-archives, Michael Lehn found (reported by heise.de). Usually Safari warns the user before downloading and running executables. This can be circumvented by removing the "shebang" line (whatever that is) from the script and giving it a file extension of a "safe" file. Safari will open the file and the system will execute it as shell script. Here's a demo of the issue:
http://www.heise.de/security/dienste.../Heise.jpg.zip
(Last edited by TETENAL; Feb 21, 2006 at 02:07 PM.)
Mac Elite
Join Date: Jan 2002
Location: Durham, NC
The "shebang" line is the line in a text file that tells what executable should be used to interpret the rest of the file. It's used so you can type a script and set it to be executable, then run it from the command line. It's something like
or
I imagine if it's missing, the script is interpreted by whichever shell invoked it. On Mac OS X, it's pretty likely that most people are using the default shell, so if you're writing a malicious script, you would do it in the language of said shell.
I imagine that this gets opened in Terminal without a ".command" extension because it's using type/creator codes to tell the OS it's a Terminal file. That would explain why it needs to be zipped to work. I'm not sure what the shebang removal is for. I guess maybe Safari looks in a text file before opening in Terminal and decides a shebang means "unsafe".
Seems it'd be wiser to consider the prospect of opening anything in Terminal unsafe.
Update: I edited the text file in vi to add a shebang line. It still looked like a jpeg but opened in Terminal. Then I zipped it and accessed it via http on my own Mac. Safari did, in fact, warn me. If someone hasn't filed this as a bug with Apple, I'll do it this P.M.
Mac Elite
Join Date: Jan 2002
Location: Durham, NC
P.S. The origin of "shebang": The pound sign looks like the "sharp" symbol in musical notation. The exclamation point implies excitement!, like "bang!"
Squish 'em together, and you got "shebang!"
Geeks are weird.
P.P.S. Sorry, Tooki, I'm usually on top o' that.
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Originally Posted by slugslugslug
Update: I edited the text file in vi to add a shebang line. It still looked like a jpeg but opened in Terminal. Then I zipped it and accessed it via http on my own Mac. Safari did, in fact, warn me. If someone hasn't filed this as a bug with Apple, I'll do it this P.M.
Yes, that's the biggest flaw in this scenario. Another issue I see is that the Finder displays a JPEG icon even though it is treated as a shell script. The file also has a JPEG file name extension, so always showing extensions doesn't protect you from being fooled into double-clicking (in case you have auto-open turned off or you are using another browser or Mail).
This is more serious imho than the Leap/A virus, since – together with an HTTP refresh – this requires zero user interaction to execute code on your machine.
Senior User
Join Date: Mar 2000
Location: Ithaca, NY
Originally Posted by slugslugslug
I imagine that this gets opened in Terminal without a ".command" extension because it's using type/creator codes to tell the OS it's a Terminal file. That would explain why it needs to be zipped to work. I'm not sure what the shebang removal is for. I guess maybe Safari looks in a text file before opening in Terminal and decides a shebang means "unsafe".
This is close, but not quite what's happening. The type and creator code are actually set to Moov/TVOD, which is the correct combo for a Quicktime movie created by Quicktime Player.
You know how you can open the Get Info panel in the Finder and choose another application for a file to be opened in? Well, when you do that, that setting is actually stored in the resource fork of the file in a 'usro' resource. When you zip the file using "Create Archive" in the Finder, the resource fork is also archived, and when you download such a zip file and unarchive it, the resource fork gets restored. Safari just tells LaunchServices to open the file, but since it has the 'usro' resource, it follows that setting to open, in this case, Terminal, and doesn't even look at either type/creator or the file extension.
One workaround for this would be for Safari to look at the file after being unzipped and see if it has a 'usro' resource in its resource fork. If it does, you declare the file to be "unsafe" and don't open it.
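A detector along the lines of that workaround, as an added example (it is not code from the thread, from Apple, or from Safari): it parses a file's resource fork and flags the presence of a 'usro' resource, so a downloaded file that carries a per-file "Open with" override can be quarantined before LaunchServices sees it. The resource-fork layout (big-endian header, map, type list) and the `..namedfork/rsrc` path are classic Mac OS conventions; the sample fork is constructed inline, and the same check applies whether the fork arrived inside a zip archive or an AppleDouble attachment.

```python
import struct

def resource_types(fork: bytes) -> set:
    """Set of 4-char resource types in a classic Mac resource fork."""
    # Pad a truncated header so the map_len sanity check rejects it.
    _, map_off, _, map_len = struct.unpack(">IIII", fork[:16].ljust(16, b"\0"))
    if map_len < 28 or map_off + map_len > len(fork):
        return set()
    # Map: 16-byte header copy, 8 reserved/attr bytes, then 2-byte type-list offset
    tl = map_off + struct.unpack(">H", fork[map_off + 24:map_off + 26])[0]
    if tl + 2 > len(fork):
        return set()
    count = (struct.unpack(">H", fork[tl:tl + 2])[0] + 1) & 0xFFFF  # stored as count-1
    types = set()
    for i in range(count):
        entry = tl + 2 + 8 * i  # 4-byte type, 2-byte count-1, 2-byte ref-list offset
        if entry + 4 > len(fork):
            break
        types.add(fork[entry:entry + 4].decode("mac_roman"))
    return types

def has_user_opener(fork: bytes) -> bool:
    """True if a 'usro' (per-file "Open with") resource is present."""
    return "usro" in resource_types(fork)

def file_has_user_opener(path: str) -> bool:
    """Read the fork through the macOS ..namedfork/rsrc path; no fork means no override."""
    try:
        with open(path + "/..namedfork/rsrc", "rb") as f:
            return has_user_opener(f.read())
    except OSError:
        return False

def build_fork(resources: dict) -> bytes:
    """Build a minimal resource fork from {type: [data, ...]} (constructed test input)."""
    data, offsets = b"", {}
    for rtype, blobs in resources.items():
        for i, blob in enumerate(blobs):
            offsets[(rtype, i)] = len(data)
            data += struct.pack(">I", len(blob)) + blob
    type_list = struct.pack(">H", (len(resources) - 1) & 0xFFFF)
    ref_lists, ref_base = b"", 2 + 8 * len(resources)
    for rtype, blobs in resources.items():
        type_list += rtype.encode("mac_roman") + struct.pack(">HH", len(blobs) - 1, ref_base + len(ref_lists))
        for i in range(len(blobs)):  # 12-byte refs: id, name offset -1, attrs, 3-byte data offset, handle
            ref_lists += struct.pack(">hH", 128 + i, 0xFFFF) + b"\0" + offsets[(rtype, i)].to_bytes(3, "big") + b"\0" * 4
    map_len = 28 + len(type_list) + len(ref_lists)
    header = struct.pack(">IIII", 256, 256 + len(data), len(data), map_len)
    return header + b"\0" * 240 + data + header + b"\0" * 8 + struct.pack(">HH", 28, map_len) + type_list + ref_lists
```

Note that the 'usro' resource's own content (the path of the chosen application) is deliberately not interpreted here; its mere presence on a freshly downloaded file is the signal.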
Addicted to MacNN
Join Date: Aug 2004
Location: FFM
Heise reports that the security hole also affects Apple Mail:
http://www.heise.de/english/newsticker/news/69919
The weak point in Apple's Mac OS X operating system is apparently worse than originally thought. In addition to attacks via the Safari web browser, Apple Mail also executes scripts without asking in certain circumstances.
It suffices to disguise a script with the ending "jpg" and assign the Terminal application for opening it. If this script is then sent in the AppleDouble format as an attachment, the information is passed along so that the recipient's system also opens it with the Terminal. Apple Mail displays the attachment with a JPG file symbol, but when users click on it, the script executes within Terminal without further prompting. This has been tested on Apple Mail 2 and Mac OS X 10.4. Older versions display a warning.
Heise also has a demo e-mail that demonstrates the issue:
http://www.heise.de/security/dienste...tml?mail=apple
(you have to enter your e-mail address then you get a mail with a link you need to click to acknowledge that you want the demo, then you will be sent the demo e-mail)
Interestingly the .Mac service seems to filter out the demo exploit e-mail from Heise even though it is harmless. I had to use another e-mail account to receive the demo.
Mac Elite
Join Date: Sep 2000
Location: Tempe, AZ
I've updated Paranoid Android to be aware of this class of exploit. You can download it here or grab the source code and compile it yourself.
Note that Paranoid Android is an APE module. I like 'em, but it's something to be aware of.
Basic directions: Run the installer, log out, log back in, launch System Preferences and choose the Application Enhancer prefpane. Choose Paranoid Android. Turn on "Watch non-default application launches". Unless you're really paranoid, turn off "Watch URI schemes", since that class of exploit was fixed a while ago.
Once you've done this, both the Safari exploit and the Mail.app exploit will trigger a dialog window telling you what's going on and giving you a chance to use the default application (Quicktime Player) instead of the custom one (Terminal).
Once Apple puts out a fix for this, I recommend ditching Paranoid Android - it's a pretty heavy solution.
More info on PA can be found here.
Geekspiff - generating spiffdiddlee software since before you began paying attention.
Senior User
Join Date: Jul 2002
Location: Florida
Clinically Insane
Join Date: Oct 2001
Location: San Diego, CA, USA
Originally Posted by Gator Lager
I think it's the same thing, but very fuzzily expressed.
Chuck
___
"Instead of either 'multi-talented' or 'multitalented' use 'bisexual'."