Security hole in Safari? Test yours.

Discussion in 'Mac Apps and Mac App Store' started by Schtibbie, Jul 12, 2007.

  1. Schtibbie macrumors 6502

    Joined:
    Jan 13, 2007
    #1
    Ok, maybe I was naive to do this, but I found a link that purported to be a proof of concept of a security hole in Safari. I have a Mac and figured it's secure and anything wanting to run will need to ask me to give permission, right?

    Here's the URL: http://www.insecure.ws/warehouse/archives/safari/0x06_test.html

    I waited maybe 20-30 seconds and suddenly Terminal opened and ran a command! I'm serious - I was shocked. Here's what showed up and ran in Terminal:

    ssh: a -F /Volumes/ssh/config: No address associated with nodename
    [Process exited - exit code 255]

    WTF???? Is Apple going to fix this or what?
     
  2. gauchogolfer macrumors 603

    gauchogolfer

    Joined:
    Jan 28, 2005
    Location:
    American Riviera
    #2
    Going to the website from a Windows machine I get this message:

     
  3. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
  4. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #4
    Nothing happened for me. I'm running Safari 3.0.2 on 10.4.10.
     
  5. Schtibbie thread starter macrumors 6502

    Joined:
    Jan 13, 2007
    #5
    Yes, I see that on my Mac, BUT it then proceeds to auto-open my Terminal prompt and run a command!

    This is NOT GOOD, APPLE! There's no excuse for a hole in Safari that can run Terminal commands simply by VISITING THE PAGE. You don't even have to click or download anything. Terminal simply opens itself up and runs stuff.

    Anybody at Apple I can email this to? Do they have a security department?
     
  6. Schtibbie thread starter macrumors 6502

    Joined:
    Jan 13, 2007
    #6
    The exploit occurs on my machine that's fully up to date with versions:
    10.4.10
    Safari Version 2.0.4 (419.3)


    No need to point out that 3.0.2 is newer than what I have. Fact is, what *I* have is what people are using out there.
     
  7. brkirch macrumors regular

    Joined:
    Oct 18, 2001
    #7
    It doesn't work though. It is supposed to mount a dmg file and execute the shell script that the dmg file contains but it never does any of that. It only attempts to execute the shell script via ssh (and it fails).

    Here's what it is *supposed* to execute in the terminal (taken from http://www.insecure.ws/warehouse/archives/safari/0x06_ssh.dmg):
    Code:
    ProxyCommand osascript -e 'tell application "Finder" to say "Hello, you have been owned by the ssh URI exploit"' -e 'tell application "TextEdit"' -e 'activate' -e 'set text of front document to "You have been owned by the ssh URI exploit, by kang@insecure.ws - http://insecure.ws"' -e 'end tell'
    Even if you mount the dmg it is still unable to execute the shell script. It looks like this exploit has already been fixed.
     
  8. Schtibbie thread starter macrumors 6502

    Joined:
    Jan 13, 2007
    #8
    Ok, that only makes me feel *slightly* better, but doesn't it disturb anyone deeply that simply visiting a site (without even clicking or downloading anything) causes Terminal (a totally different app!) to launch and run a command? Wouldn't it be just as easy for this to run the following once it gets Terminal open:

    rm -rf *

    Anyway, I can't help but be bothered that Safari allows webpages to launch Terminal and run commands.
     
  9. brkirch macrumors regular

    Joined:
    Oct 18, 2001
    #9
    It only allows the ssh command to run, nothing else. The exploit attempts to pass an option to ssh to run a shell script, but apparently Apple has fixed this problem and it is not possible to use ssh to run shell scripts via Safari now. This means that although Safari is running the terminal, there is no threat because Safari only allows the terminal to be used to connect to ssh servers.
     
  10. tempques macrumors member

    Joined:
    May 25, 2006
    #10
    OmniWeb, and the latest Webkit nightly both launch Terminal. Camino, Firefox and Opera all give a warning saying that the website is attempting to launch an external application with the option to allow or deny.
     
  11. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #11
    Calm down. How was I to know what version you were running?

    Curious. What is your 'Open "safe" files after downloading' setting in your Preferences > General?
     
  12. mkrishnan Moderator emeritus

    mkrishnan

    Joined:
    Jan 9, 2004
    Location:
    Grand Rapids, MI, USA
    #12
    But isn't that in itself concerning? I'm not sure a web browser needs this kind of function, particularly without asking the user to authenticate?
     
  13. miniConvert macrumors 68040

    miniConvert

    Joined:
    Mar 4, 2006
    Location:
    Kent, UK - the 'Garden of England'.
    #13
    Maybe not authenticate, but I agree the user should be prompted. Urgh!
     
  14. Schtibbie thread starter macrumors 6502

    Joined:
    Jan 13, 2007
    #14
    Disabled. I'm pretty security-conscious. I also run as a non-admin account (having earlier created a pure admin account just for admin stuff). Still, Safari launches Terminal and tries to run stuff.

    I guess I'd like Apple to either fix the "current" version of Safari so it doesn't launch Terminal without asking me, or go ahead and put out version 3.whatever which perhaps doesn't have this problem.
     
  15. dejo Moderator

    dejo

    Staff Member

    Joined:
    Sep 2, 2004
    Location:
    The Centennial State
    #15
    I've confirmed that Safari 3.0.2 (522.12) doesn't exhibit this behavior but 2.0.4 (419.3) still does.

    It would be good if Apple released a patch for this for Safari 2.
     
  16. tempques macrumors member

    Joined:
    May 25, 2006
    #16
    I have the same version of Safari Beta as you, yet if I wait about 10 seconds or so on the OP's posted site, it still does indeed open up Terminal. Perhaps you have a tip you can share? :confused::)
     
  17. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #17
    Eh? URLs like this are pretty standard stuff. With the bug plugged, they aren't any more dangerous than opening any old Web page: a network connection is opened and you're in control of the interaction. This little ditty isn't so scary, is it?
     
  18. nsbio macrumors 6502a

    nsbio

    Joined:
    Aug 8, 2006
    Location:
    NC
    #18
    Seems like something that should not be part of a browser, a potential security threat. There is NO WAY a browser should be able to launch anything besides PDF viewer and media player. Has this been reported to Apple?
     
  19. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #19
    Eh? Web browsers have been designed to call external scheme handlers since the beginning. This is by design.
    Don't worry, they know about it. It's there as a part of the standards.
     
  20. nsbio macrumors 6502a

    nsbio

    Joined:
    Aug 8, 2006
    Location:
    NC
    #20
    What prevents a website executing arbitrary code then? I am confused.
     
  21. iMeowbot macrumors G3

    iMeowbot

    Joined:
    Aug 30, 2003
    #21
    Opening a telnet or ssh session is not execution of arbitrary code, it's just a dumb terminal session and really little different from viewing a Web page. The fact that telnet and ssh run from the terminal because they're character-mode environments is a red herring.

    This mechanism is pervasive: itpc: and pcast: links open iTunes, ftp: URLs open the Finder or your favorite FTP program, irc: and news: URLs will open appropriate programs if you have them, and on and on.

    The bug (long since fixed) that started this thread was about a problem with the way Safari opened external handlers. That, and not the practice of using external handlers itself, was the problem.
     
  22. Killyp macrumors 68040

    Killyp

    Joined:
    Jun 14, 2006
    #22
    It's executing something over SSH, which unless you have SSH turned on, can't do anything.
     
  23. Schtibbie thread starter macrumors 6502

    Joined:
    Jan 13, 2007
    #23
    The response I got directly from Apple on this issue is quoted below - it does indeed seem to be something they already noticed and fixed. I personally would prefer that Safari act like Firefox and ask me if I really want whatever external app to launch, but apparently this isn't really a security issue. Props to Apple for getting back to me:

    "The code execution aspect of this bug was fixed in 2004.

    The fact that a URL can bring up a Terminal which executes ssh is not a vulnerability, this is by design, and you can test this by entering ssh://whatever in Safari. It would be a vulnerability if it could execute ssh _with arbitrary commands_.

    The original vulnerability was that it would execute the command ssh a -F /Volumes/ssh/config

    Currently, it executes a command similar to ssh "a -F /Volumes/ssh/config". In other words "a -F /Volumes/ssh/config" is the host name that it's trying to ssh to. Thus, this is not an arbitrary code execution issue."
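
The difference between the original and the current command line in Apple's reply, as an added example that is not part of the original thread and is not Safari's code: a hypothetical ssh: URL handler in Python that builds the argument list three ways. The sample URL is constructed so that it decodes to the string seen in Terminal above, the function names are made up for illustration, and the strict variant accepts bare host names only.

```python
import re
import shlex
from urllib.parse import unquote

# Constructed sample: decodes to the text the thread saw in Terminal.
SAMPLE_URL = "ssh://a%20-F%20/Volumes/ssh/config"

# Bare host name only, and never starting with '-' (assumption: no user@ or :port).
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9._-]{1,253}$")


def target_from_url(url):
    """Return the percent-decoded text after 'ssh://' (minimal illustrative parser)."""
    if not url.lower().startswith("ssh://"):
        raise ValueError("not an ssh: URL")
    return unquote(url[len("ssh://"):])


def argv_unquoted(url):
    """Original bug: target pasted into a command line and split on whitespace,
    so ssh sees '-F' as its own config-file option."""
    return shlex.split("ssh " + target_from_url(url))


def argv_single_arg(url):
    """Fixed behaviour described in Apple's reply: the whole target is one
    argument, so ssh treats all of it as a (nonexistent) host name."""
    return ["ssh", target_from_url(url)]


def argv_validated(url):
    """Stricter handler: refuse anything that is not a plain host name and
    end option parsing with '--' before the target."""
    target = target_from_url(url)
    if not HOST_RE.match(target):
        raise ValueError("refusing ssh target: %r" % target)
    return ["ssh", "--", target]


if __name__ == "__main__":
    print(argv_unquoted(SAMPLE_URL))
    print(argv_single_arg(SAMPLE_URL))
    try:
        argv_validated(SAMPLE_URL)
    except ValueError as err:
        print(err)
```

The single-argument form matches the "No address associated with nodename" error in the first post: ssh is looking up the entire string as a host.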
     
  24. nsbio macrumors 6502a

    nsbio

    Joined:
    Aug 8, 2006
    Location:
    NC
    #24
    This is good to know. But still, it is friggin' scary when clicking a link launches Terminal - easily looks as if somebody else is taking over the computer and raises concerns unnecessarily.
     
