Apple Mac OS X "disk://" URI handler stores arbitrary files in a known location

2004-05-21T00:00:00
ID VU:210606
Type cert
Reporter CERT
Modified 2006-05-01T00:00:00

Description

Overview

A vulnerability has been reported in the default "disk://" protocol handler installed on Apple Mac OS X systems. Remote attackers may potentially use this vulnerability to create files on the local system without explicit user consent. We have not independently verified the scope of this vulnerability report.

Description

A vulnerability has been reported in the Apple Mac OS X default "disk://" URI Handler. If able to entice a user to visit a foreign web site, a remote attacker may potentially be able to download any arbitrary file to a known location on the local system. If the file is a disk image (".dmg"), it could be automatcially mounted as a disk volume available for use by an attacker. A separate vulnerability, VU#578798, has also been reported which may allow a remote attacker to execute arbitrary application files contained within a mounted disk image.

Browser or applications supporting "disk://" URIs.


Impact

A remote attacker may be able to download arbitrary files to a known location on a potentially vulnerable system.


Solution

Security Update 2004-06-07 has been released for the following system versions:

  • Mac OS X v10.3.4 "Panther"
  • Mac OS X Server v10.3.4 "Panther"
  • Mac OS X v10.2.8 "Jaguar"
  • Mac OS X Server v10.2.8 "Jaguar"

This update removes the "disk://" URI handler.


According to the posting on Secunia, implementing all three of the following steps may mitigate this vulnerability:

1) Uncheck ("Open 'safe' files after downloading");
2) Change the protocol helpers (applications) for URI handlers which are not required, e.g., disable the "help://" handler;
3) Add a separate protocol helper (application) for "disk".


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Apple Computer, Inc.| | -| 21 May 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.kb.cert.org/vuls/id/578798>
  • <http://secunia.com/advisories/11622/>
  • <http://www.securitytracker.com/alerts/2004/May/1010167.html>

Credit

Thanks to Kang for reporting this vulnerability.

This document was written by Jason A Rafail of CERT/CC and is based on information from Secunia.com and SecurityTracker.com.

Other Information

  • CVE IDs: Unknown
  • Date Public: 17 May 2004
  • Date First Published: 21 May 2004
  • Date Last Updated: 01 May 2006
  • Severity Metric: 18.00
  • Document Revision: 10