
michaellehn

macrumors member
Original poster
Jan 10, 2005
33
0
Germany
On my homepage

http://www.mathematik.uni-ulm.de/numerik/staff/lehn/index_us.html

I am hosting an exploit for Safari on Mac OS X. It requires that the Safari option that allows "secure files" to be launched automatically is enabled. Many users have this option enabled.

In this case it is sufficient to click on a link, and a shell script is executed. In my example the shell script only prints "Hallo Welt". But it could also send emails or delete the user's home directory.

There will be no warning.

Several German online news sites have reported on my exploit:

http://www.heise.de/newsticker/meldung/69854

http://www.macnews.de/news/74203

http://www.macwelt.de/news/macosx/336525/index.html

best regards from Ulm/Germany,

Michael
 

michaellehn

macrumors member
Original poster
Jan 10, 2005
33
0
Germany
gekko513 said:
That's scary. When did you tell Apple about it?

It is bug #4450856. My last bug has been in state "open" for almost one year. So I added a note asking them to have a look at my first bug after they are done with the current bug. OK, this old bug was not critical, just annoying.

About publishing security holes in public: I think after the report of the first "virus" it was just a matter of time before someone would exploit this. It only took me 3 lines for a shell script, 3 tries and at most 15 minutes. Only if such issues are published as fast as possible are people warned. If I did not publish it, Mac users would have the wrong feeling that clicking on links is NOT dangerous. This would be fatal.

About how serious this thing is: The shell script could also delete your home directory and send Emails from your account. If you have the appropriate permissions it could also modify applications.
 

michaellehn

macrumors member
Original poster
Jan 10, 2005
33
0
Germany
Benjamindaines said:
Looks like UNIX is coming back to bite Apple in the a**, so far all the bug exploits have been with Terminal.

The UNIX part of Mac OS X is the safest part!

The problem is the part that allows a downloaded file to get executed automatically.

Without the UNIX part there would be holes like in Windows. You just connect to the internet and you get infected. WITHOUT CLICKING OR DOING ANYTHING.

We experience this here every day. And thanks to the UNIX part, a legion of ex-Linux geeks will soon switch to Mac OS, fixing whatever shows up :)
 

After G

macrumors 68000
Aug 27, 2003
1,583
1
California
Tried the example on the website. It's kinda scary, because the file has a correct-looking extension even though it opens in terminal.
 

michaellehn

macrumors member
Original poster
Jan 10, 2005
33
0
Germany
After G said:
Tried the example on the website. It's kinda scary, because the file has a correct-looking extension even though it opens in terminal.

Indeed it is scary. So make sure to tell everybody to deactivate this option in Safari! That's the fastest and easiest way to protect yourself.
 

bousozoku

Moderator emeritus
Jun 25, 2002
14,537
613
Lard
Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.
 

michaellehn

macrumors member
Original poster
Jan 10, 2005
33
0
Germany
bousozoku said:
Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.

Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.

Actually many people told me that the option is disabled by default. But on all our Macs it was enabled. And there are controversial reports: many claim that it was enabled on recently bought machines.
 

jsw

Moderator emeritus
Mar 16, 2004
22,909
41
Andover, MA
bousozoku said:
Of course, when you look at the file after opening the archive, it says that it's a Terminal document, even though the extension is .MOV.
Few users are going to doubt the iconic representation of the file. Very few people do a Get Info on everything that's downloaded.

bousozoku said:
Besides, the automatic opening of such files was disabled automatically quite a while ago (during Jaguar?) because of such an exploit.
Then why, on a fresh install of OS X on my Intellimac, in a new user account, does it open automatically? That link opened Terminal and ran before I could do anything to stop it. Fresh install. New user account.

michaellehn said:
Actually many people told me that the option is disabled by default. But on all our Macs it was enabled. And there are controversial reports: many claim that it was enabled on recently bought machines.
I just installed OS X on my 17" Intel iMac (or, rather, did a reinstall with the disks supplied with it). I see that the exploit works.

Similarly, in a new user account on my PMG5, I see that the exploit works.

So it is definitely not a universal truth that this is disabled.

And, regardless of the default setting... most people will enable it once they discover that they can. And therefore be vulnerable.
 

longofest

Editor emeritus
Jul 10, 2003
2,876
1,537
Falls Church, VA
Benjamindaines said:
Looks like UNIX is coming back to bite Apple in the a**, so far all the bug exploits have been with Terminal.

That's just because that's what programmers know, and that's what's easiest to churn out quickly to make a proof of concept. It's not UNIX that's biting Apple. It's their lack of properly auditing their code.
 

nagromme

macrumors G5
May 2, 2002
12,546
1,196
Not the first flaw nor the last, and I don't see how it would help anyone create a virus or worm--but it would lead to Trojans, and should be patched. Sounds pretty easy for Apple to do.

I've always had Open Safe Files disabled because it annoys me. Sometimes I want to keep the archive, sometimes not, and it annoyed me how the archive would always end up in the trash. I can see how many people would like Open Safe though, and I hope it's patched soon.

I'm pretty sure it IS on by default.
 

Warbrain

macrumors 603
Jun 28, 2004
5,702
293
Chicago, IL
I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files. There's just something about the computer doing all that stuff in the background that freaks me out a bit. I also like to have the confirmation that I properly downloaded the file and it opened fine.

But I guess it all works as a security fix, too.
 

jon_010101

macrumors newbie
Jul 24, 2003
9
0
Ha... I use tcsh as my default shell, so it just poops out after it launches. Still, scary stuff... they will have to change the "open" command to warn against, or simply restrict, shell scripts in order to fix this. The problem is not really with Safari ... it is with the way that OS X launches files in general. It allows you to have a benign-looking file be a shell script in disguise! :eek: If a solution isn't presented this week, I will be shocked.
 

eva01

macrumors 601
Feb 22, 2005
4,715
0
Gah! Plymouth
Warbrain said:
I'm sorry, but the first thing I do in Safari when I use it for the first time on a new computer is to disable the automatic opening of downloaded files. There's just something about the computer doing all that stuff in the background that freaks me out a bit. I also like to have the confirmation that I properly downloaded the file and it opened fine.

But I guess it all works as a security fix, too.

That is what I have always done as well. Can't see why anyone would have it open safe files. It's just asking for trouble if you ask me.
 

jsw

Moderator emeritus
Mar 16, 2004
22,909
41
Andover, MA
eva01 said:
Can't see why anyone would have it open safe files.
Since it seems to be the default setup on at least many, if not all, new Macs, it's not surprising that people would be set up that way and - for most users - be unaware that there's even an option to change the way things work.
 

VL-Tone

macrumors newbie
Jul 3, 2004
20
0
Yeah, I know about this one since ToastyX posted an example here https://forums.macrumors.com/threads/181026/. I was a little panicked and didn't know how to handle the situation, so I replied explaining how dangerous it was. Eventually I edited my replies since I thought it would give bad ideas to hackers.

I was hoping that this was the only place where this vulnerability was disclosed, and that Apple would have time to deal with it before the "news" started to spread.

But it seems that it was already repeated by others.

michaellehn, you seem to say that you discovered this issue (you say "my exploit").

Then how come I have a lower bug report number on Apple? (#4450231) That means that I reported the issue before you, and I'm not even the one that discovered it! Why are you so keen to disclose the news to everyone (media etc.) before sending the bug to Apple? Free publicity for your blog? To warn everyone to turn off "open safe files"? I guess it's the latter, but was it the best thing to do?

You wrote: I think after the report of the first "virus" it was just a matter of time that someone would exploit this.

Well it will happen if you tell hackers about the exploit! Was this known before?

I guess that one thing could indicate it was the "right" decision to disclose the issue to the public as quickly as possible.

That thing is: it looks like the Leap-A author knew about this bug... Why do I think that? The author seems to have specifically avoided triggering the exploit: the file is in a format that Safari cannot decompress (.tar), so it gives a warning and doesn't execute because of that.

So tell me why the author didn't try the least detectable option: putting it in a .zip? Because it would have triggered this exploit... So I guess the Leap-A author is a "friendly" hacker that wanted to warn us without doing too much damage.

Here's an interesting idea: add this line to your benign exploit:

defaults write com.apple.Safari AutoOpenSafeDownloads 0

This will turn off that maligned option in Safari automatically!
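The two defensive points raised in this thread, that a downloaded file can carry a harmless-looking extension while its content is a shell script (the .MOV that Get Info reports as a Terminal document) and that the AutoOpenSafeDownloads preference named above is what lets Safari run it, can both be turned into a check. The POSIX shell script below is an added example and not code from the thread or from Apple: it walks a downloads directory, flags any file whose extension is in an assumed "not expected to be executable" list but whose first two bytes are the `#!` interpreter marker, and reads the Safari preference key with `defaults read` when that command exists (it reports "unavailable" elsewhere). The sample files it scans are constructed on the fly in a temporary directory.

```shell
#!/bin/sh
# Added example (not from the MacRumors thread or from Apple).
# Flags downloaded files that look like media or documents by name but
# are interpreter scripts by content, and reports Safari's
# AutoOpenSafeDownloads setting where the `defaults` tool is available.

# Extensions a user would not expect to be executable (assumed list).
BENIGN_EXTS="mov jpg jpeg png gif pdf mp3 txt"

# Print the path of every regular file under $1 whose name carries a
# "benign" extension but whose content starts with a "#!" shebang.
find_disguised_scripts() {
    dir=$1
    find "$dir" -type f | while IFS= read -r f; do
        base=${f##*/}
        # Lower-cased extension; empty when the basename has no dot.
        case $base in
            *.*) ext=$(printf '%s' "${base##*.}" | tr 'A-Z' 'a-z') ;;
            *)   ext="" ;;
        esac
        # Only names that look harmless are of interest here.
        case " $BENIGN_EXTS " in
            *" $ext "*) ;;
            *) continue ;;
        esac
        # A shebang in the first two bytes marks an interpreter script,
        # whatever the file is called.
        if [ "$(head -c 2 "$f" 2>/dev/null)" = "#!" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of disguised scripts under $1, convenient for assertions.
count_disguised_scripts() {
    find_disguised_scripts "$1" | wc -l | tr -d ' '
}

# Value of the Safari preference the thread names; "unset" when the key
# does not exist, "unavailable" on systems without the `defaults` tool.
safari_autoopen_status() {
    if command -v defaults >/dev/null 2>&1; then
        defaults read com.apple.Safari AutoOpenSafeDownloads 2>/dev/null || echo "unset"
    else
        echo "unavailable"
    fi
}

# Constructed sample download directory: two scripts in disguise, one
# honest script, one real-looking movie and one plain text note.
make_sample_downloads() {
    d=$(mktemp -d)
    printf '#!/bin/sh\necho "Hallo Welt"\n' > "$d/holiday.MOV"   # script named like a movie
    printf '#!/bin/bash\necho hi\n' > "$d/notes.txt"            # script named like a text file
    printf '....ftypqt  ' > "$d/real.mov"                       # QuickTime-like header, no shebang
    printf '# just a note\n' > "$d/readme.txt"                  # comment line, not a shebang
    printf '#!/bin/sh\necho ok\n' > "$d/install.sh"             # honest .sh name: not flagged
    echo "$d"
}

# Stand-alone demo.
sample=$(make_sample_downloads)
echo "Disguised scripts under $sample:"
find_disguised_scripts "$sample"
echo "Safari AutoOpenSafeDownloads: $(safari_autoopen_status)"
```

Point `find_disguised_scripts` at `~/Downloads` to audit real downloads; the shebang heuristic is deliberately narrow (it will not catch Mach-O binaries or AppleScript applets renamed the same way), so treat it as one signal alongside Get Info and the Safari preference, not as a complete scanner.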
 

bousozoku

Moderator emeritus
Jun 25, 2002
14,537
613
Lard
jsw said:
...
Then why, on a fresh install of OS X on my Intellimac, in a new user account, does it open automatically? That link opened Terminal and ran before I could do anything to stop it. Fresh install. New user account.
...

I'd like to know, as well. I just checked Safari, which I don't use, and it was wide open. It also bothers me that Apple ships Mac OS X without the firewall enabled.
 

odedia

macrumors 65816
Nov 24, 2005
1,029
143
Guys, use Firefox; their bigger user base promises faster revealing of problems and faster fixes.

As a Hebrew reader, I can confirm that Safari has terrible problems with displaying right-to-left layouts (like it has terrible support for any right-to-left feature in any piece of software, including iWork), and therefore the pages look weird and not like the developer intended. However, using Firefox (or Opera) fixes all that without a problem.

Mac OS X still has a long way to go in universal compatibility. I'm afraid Microsoft is way ahead of them in that department.

Oded S.
 

Nermal

Moderator
Staff member
Dec 7, 2002
19,195
1,712
New Zealand
Interesting, I have Ventrilo Server running in a terminal 24/7, and that seemed to prevent execution of the script. It brought Ventrilo to the front, but didn't print the "hack" message.
 