Security hole in Safari? Test yours.

Schtibbie
macrumors 6502
Original poster
Jan 13, 2007
Ok, maybe I was naive to do this, but I found a link that purported to be a proof of concept of a security hole in Safari. I have a Mac and figured it's secure and anything wanting to run will need to ask me to give permission, right?

Here's the URL: http://www.insecure.ws/warehouse/archives/safari/0x06_test.html

I waited maybe 20-30 seconds and suddenly Terminal opened and ran a command! I'm serious - I was shocked. Here's what showed up and ran in Terminal:

ssh: a -F /Volumes/ssh/config: No address associated with nodename
[Process exited - exit code 255]

WTF???? Is Apple going to fix this or what?

gauchogolfer
macrumors 603
Jan 28, 2005
American Riviera
going to the website from a Windows machine I get this message:

Please wait for the disk image to be downloaded and mounted, it will take a few seconds.
The script will execute automatically afterwards.

If your line is too slow and the dmg takes too much time to download, reload the page when it is done, as this cannot be checked.

MacOSX exploit specificities:
Apple made a few tries to make the use of URIs harder, but unfortunately, this does not mean that it makes exploiting impossible.
This exploit uses URL encoding to fool the new LaunchServices path replacement, which was aimed at preventing the insertion of any file path. Usage of URL encoding is very well known to bypass such protections, but it seems that the security department didn't know that ;-)
As usual, courtesy of insecure.ws

These pages and exploit are under copyright 2004, kang

Schtibbie
macrumors 6502
Original poster
Jan 13, 2007
> going to the website from a Windows machine I get this message:
Yes, I see that on my Mac, BUT it then proceeds to auto-open my Terminal prompt and run a command!

This is NOT GOOD, APPLE! There's no excuse for a hole in Safari that can run Terminal commands simply by VISITING THE PAGE. You don't even have to click or download anything. Terminal simply opens itself up and runs stuff.

Anybody at Apple I can email this to? Do they have a security department?

Schtibbie
macrumors 6502
Original poster
Jan 13, 2007
> Nothing happened for me. I'm running Safari 3.0.2 on 10.4.10.
The exploit occurs on my machine that's fully up to date with versions:
10.4.10
Safari Version 2.0.4 (419.3)


No need to point out that 3.0.2 is newer than what I have. Fact is, what *I* have is what people are using out there.

brkirch
macrumors regular
Oct 18, 2001
It doesn't work though. It is supposed to mount a dmg file and execute the shell script that the dmg file contains but it never does any of that. It only attempts to execute the shell script via ssh (and it fails).

Here's what it is *supposed* to execute in the terminal (taken from http://www.insecure.ws/warehouse/archives/safari/0x06_ssh.dmg):
Code:
ProxyCommand osascript -e 'tell application "Finder" to say "Hello, you have been owned by the ssh URI exploit"' -e 'tell application "TextEdit"' -e 'activate' -e 'set text of front document to "You have been owned by the ssh URI exploit, by kang@insecure.ws - http://insecure.ws"' -e 'end tell'
Even if you mount the dmg it is still unable to execute the shell script. It looks like this exploit has already been fixed.

Schtibbie
macrumors 6502
Original poster
Jan 13, 2007
> It doesn't work though. It is supposed to mount a dmg file and execute the shell script that the dmg file contains but it never does any of that. It only attempts to execute the shell script via ssh (and it fails).
Ok, that only makes me feel *slightly* better, but doesn't it disturb anyone deeply that simply visiting a site (without even clicking or downloading anything) causes Terminal (a totally different app!) to launch and run a command? Wouldn't it be just as easy for this to run the following once it gets Terminal open:

rm -rf *

Anyway, I can't help but be bothered that Safari allows webpages to launch Terminal and run commands.

brkirch
macrumors regular
Oct 18, 2001
> Ok, that only makes me feel *slightly* better, but doesn't it disturb anyone deeply that simply visiting a site (without even clicking or downloading anything) causes Terminal (a totally different app!) to launch and run a command? Wouldn't it be just as easy for this to run the following once it gets Terminal open:
>
> rm -rf *
>
> Anyway, I can't help but be bothered that Safari allows webpages to launch Terminal and run commands.
It only allows the ssh command to run, nothing else. The exploit attempts to pass an option to ssh to run a shell script, but apparently Apple has fixed this problem and it is not possible to use ssh to run shell scripts via Safari now. This means that although Safari is running the terminal, there is no threat because Safari only allows the terminal to be used to connect to ssh servers.

tempques
macrumors member
May 25, 2006
OmniWeb, and the latest Webkit nightly both launch Terminal. Camino, Firefox and Opera all give a warning saying that the website is attempting to launch an external application with the option to allow or deny.

Schtibbie
macrumors 6502
Original poster
Jan 13, 2007
> Curious. What is your 'Open "safe" files after downloading' setting in your Preferences > General?
Disabled. I'm pretty security-conscious. I also run as a non-admin account (having earlier created a pure admin account just for admin stuff). Still, Safari launches Terminal and tries to run stuff.

I guess I'd like Apple to either fix the "current" version of Safari so it doesn't launch Terminal without asking me, or go ahead and put out version 3.whatever which perhaps doesn't have this problem.

dejo
Moderator
Staff member
Sep 2, 2004
The Centennial State
> I guess I'd like Apple to either fix the "current" version of Safari so it doesn't launch Terminal without asking me, or go ahead and put out version 3.whatever which perhaps doesn't have this problem.
I've confirmed that Safari 3.0.2 (522.12) doesn't exhibit this behavior but 2.0.4 (419.3) still does.

It would be good if Apple released a patch for this for Safari 2.

tempques
macrumors member
May 25, 2006
> I've confirmed that Safari 3.0.2 (522.12) doesn't exhibit this behavior but 2.0.4 (419.3) still does.
>
> It would be good if Apple released a patch for this for Safari 2.
I have the same version of Safari Beta as you, yet if I wait about 10 seconds or so on the OP's posted site, it still does indeed open up Terminal. Perhaps you have a tip you can share?

iMeowbot
macrumors G3
Aug 30, 2003
Eh? URLs like this are pretty standard stuff. With the bug plugged, they aren't any more dangerous than opening any old Web page, a network connection is opened and you're in control of the interaction. This little ditty isn't so scary, is it?

nsbio
macrumors 6502a
Aug 8, 2006
NC
Seems like something that should not be part of a browser, a potential security threat. There is NO WAY a browser should be able to launch anything besides PDF viewer and media player. Has this been reported to Apple?

iMeowbot
macrumors G3
Aug 30, 2003
> Seems like something that should not be part of a browser, a potential security threat. There is NO WAY a browser should be able to launch anything besides PDF viewer and media player.
Eh? Web browsers have been designed to call external scheme handlers since the beginning. This is by design.
> Has this been reported to Apple?
Don't worry, they know about it. It's there as a part of the standards.

nsbio
macrumors 6502a
Aug 8, 2006
NC
> Eh? Web browsers have been designed to call external scheme handlers since the beginning. This is by design.
>
> Don't worry, they know about it. It's there as a part of the standards.
What prevents a website from executing arbitrary code then? I am confused.

iMeowbot
macrumors G3
Aug 30, 2003
> What prevents a website from executing arbitrary code then? I am confused.
Opening a telnet or ssh session is not execution of arbitrary code, it's just a dumb terminal session and really little different from viewing a Web page. The fact that telnet and ssh run from the terminal because they're character-mode environments is a red herring.

This mechanism is pervasive: itpc: and pcast: links open iTunes, ftp: URLs open the Finder or your favorite FTP program, irc: and news: URLs will open appropriate programs if you have them, and on and on.

The bug (long since fixed) that started this thread was about a problem with the way Safari opened external handlers. That, and not the practice of using external handlers itself, was the problem.

Killyp
macrumors 68040
Jun 14, 2006
It's executing something over SSH, which unless you have SSH turned on, can't do anything.

Schtibbie
macrumors 6502
Original poster
Jan 13, 2007
The response I got directly from Apple on this issue is quoted below - it does indeed seem to be something they already noticed and fixed. I personally would prefer that Safari act like Firefox and ask me if I really want whatever external app to launch, but apparently this isn't really a security issue. Props to Apple for getting back to me:

"The code execution aspect of this bug was fixed in 2004.

The fact that a URL can bring up a Terminal which executes ssh is not a vulnerability, this is by design, and you can test this by entering ssh://whatever in Safari. It would be a vulnerability if it could execute ssh _with arbitrary commands_.

The original vulnerability was that it would execute the command ssh a -F /Volumes/ssh/config

Currently, it executes a command similar to ssh "a -F /Volumes/ssh/config". In other words "a -F /Volumes/ssh/config" is the host name that it's trying to ssh to. Thus, this is not an arbitrary code execution issue."
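The distinction Apple's reply draws (the whole string becoming the host name versus being split into ssh arguments), together with the URL-encoding bypass the insecure.ws page describes, can be shown with a small URL-scheme-handler model. The code below is an added illustration written for this thread; it is not Apple's, Safari's or insecure.ws's code. The naive handler is my reconstruction of the behaviour the posts describe (a substring filter on the raw link, then decode, then split into words), the hardened handler shows the checks a scheme handler should make instead, and the sample links, the "/Volumes" filter and the host/user grammar are assumptions made for the example.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit, unquote

# Constructed sample links (hypothetical hosts, not real ones).
PLAIN_LINK = "ssh://user@example.test:2222"
# Percent-encoded form of the string the thread reports Safari 2.0.4 handed to ssh.
ENCODED_OPTION_LINK = "ssh://a%20-F%20%2FVolumes%2Fssh%2Fconfig"

# Strict grammar for the only things an ssh: link may carry (RFC 1123-style
# host labels; a user name that cannot start with '-'). Assumed for the example.
_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
_HOST_RE = re.compile(rf"^{_LABEL}(\.{_LABEL})*$")
_USER_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,31}$")


def naive_handler(url: str) -> list[str]:
    """Reconstruction of the pre-fix behaviour described in the thread (not
    Apple's code): a hypothetical path filter runs on the *raw* link text, the
    remainder is percent-decoded, and the decoded text is split on whitespace
    so that each word becomes a separate ssh argument."""
    if not url.startswith("ssh://"):
        raise ValueError("not an ssh link")
    raw = url[len("ssh://"):]
    if "/Volumes" in raw:  # assumed filter; never matches the encoded "%2FVolumes"
        raise ValueError("file path in ssh link rejected")
    return ["ssh", *unquote(raw).split()]


def safe_handler(url: str) -> list[str]:
    """Hardened handler: parse the link as a URL, percent-decode each component,
    validate it against the strict grammar, and pass the target as ONE argv
    element after '--' so ssh's option parser can never read it as a flag."""
    parts = urlsplit(url)
    if parts.scheme != "ssh" or parts.path or parts.query or parts.fragment:
        raise ValueError("only ssh://[user@]host[:port] is accepted")
    host = unquote(parts.hostname or "")  # decode BEFORE validating
    if not _HOST_RE.match(host):
        raise ValueError(f"invalid host: {host!r}")
    user = unquote(parts.username or "")
    if user and not _USER_RE.match(user):
        raise ValueError(f"invalid user: {user!r}")
    port = parts.port  # urlsplit raises ValueError itself for a non-numeric port
    argv = ["ssh"]
    if port is not None:
        argv += ["-p", str(port)]
    argv += ["--", f"{user}@{host}" if user else host]
    return argv


def rejects(handler, url: str) -> bool:
    """True when the handler refuses the link instead of building a command."""
    try:
        handler(url)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("naive  :", naive_handler(ENCODED_OPTION_LINK))
    print("safe   :", safe_handler(PLAIN_LINK))
    print("safe rejects encoded option link:", rejects(safe_handler, ENCODED_OPTION_LINK))
```

The naive handler turns the encoded link into `['ssh', 'a', '-F', '/Volumes/ssh/config']`, which is exactly the option injection the thread saw, while the same link with a literal space would have tripped its filter; checking before decoding is what the encoding bypass exploits. The hardened handler decodes first, accepts only a well-formed host, user and port, and hands the target to ssh as a single argument, which is the behaviour Apple's reply describes for the fixed version.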

nsbio
macrumors 6502a
Aug 8, 2006
NC
This is good to know. But still, it is friggin' scary when clicking a link launches Terminal - easily looks as if somebody else is taking over the computer and raises concerns unnecessarily.