[funsec] Serious Flaw on OS X in Apple Safari

Fergie fergdawg at netzero.net
Mon Feb 20 20:33:03 CST 2006

No, it doesn't sound like it's a red herring at all.

In fact, it sounds more serious than the ISC SANS pointer

- ferg

-- "Larry Seltzer" <larry at larryseltzer.com> wrote:

So is the whole shebang thing a red herring?

Larry Seltzer
eWEEK.com Security Center Editor
Contributing Editor, PC Magazine
larryseltzer at ziffdavis.com 

-----Original Message-----
From: funsec-bounces at linuxbox.org [mailto:funsec-bounces at linuxbox.org] On
Behalf Of Anthony Rodgers
Sent: Monday, February 20, 2006 8:33 PM
To: FunSec [List]
Subject: Re: [funsec] Serious Flaw on OS X in Apple Safari

This looks like it might be quite serious, unlike previous ones. I have
tested the POC, and can tell you that:

1. It does not need Safari to work
2. It does not need auto-open to work

That information is a red herring. The vulnerability is an OS vulnerability
that is described in paragraph 4 of the article:

"If a script is given an extension such as "jpg" or "mov" and stored within
a ZIP archive, Mac OS X will add a binary metadata file to the archive which
determines its association. This metafile instructs the operating system on
another Mac to open that file with the Terminal application -- regardless of
its extension or the symbol displayed in the Finder. The Terminal will
redirect scripts without an interpreter line directly to bash, the standard
shell in OS X."

All it needs is a zip file with meta-data in it that makes it behave like a
shell script, and a file name extension that makes it look like a jpg (or
any other type of 'friendly' file. This zip file, or its resultant contents,
can then be downloaded from a web site (with or without Safari, with or
without auto-open), emailed, or whatever.


On 20-Feb-06, at 5:09 PM, Fergie wrote:

> Via The SAN ISC Daily Handler's Diary.
> [snip]
> We received notice from Juergen Schmidt, editor-in-chief at heise.de, 
> that a serious vulnerability has been found in Apple Safari on OS X. 
> "In its default configuration shell commands are execute[d] simply by 
> visting a web site - no user interaction required." This could be 
> really bad. Attackers can run shell scripts on your computer remotely 
> just by visiting a malicious website.
> Full text of the article: http://www.heise.de/english/newsticker/
> news/69862
> Proof of concept from the original discoverer (Michael Lehn):  
> http://www.mathematik.uni-ulm.de/~lehn/mac.html
> [snip]
> http://isc.sans.org/diary.php?storyid=1138
> - ferg
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet  fergdawg at netzero.net or 
> fergdawg at sbcglobal.net  ferg's tech blog: 
> http://fergdawg.blogspot.com/

More information about the funsec mailing list