[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Advisory posted on Mac OS X and Safari (File theft, code execution, etc)
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] Advisory posted on Mac OS X and Safari (File theft, code execution, etc)
- From: 1tuhav@xxxxxxxxxxxx
- Date: Wed, 12 Oct 2011 15:19:08 -0400
Hello F-D,
I published details on some security holes in Apple products today,
but heres the condensed version:
1. Launch local files URLs from Safari on Mac OS X by doing the
following:
BASE HREF=file:// and document.location=/path/to/run
2. safar-extension:// URLs have a directory traversal issue and can
be used to steal files and backdoor safari extensions. this
affected safari on windows as well as mac os x with any extension
installed and enabled, except on windows it looks like you could
access any file the user could
3. help documents on mac os x check for update when loaded. they
do so over HTTP. mac app store's help was one of the ones
vulnerable to this. when you MITM the update (done over HTTP, and
with unsigned content), you could get a python or applescript
payload to run on the victims system
These were all fixed in todays updates. As with any bug there are
a bunch more details if you care to know them. I posted them here
in case you are interested:
http://vttynotes.blogspot.com/2011/10/summary-of-vulnerability-
write-ups-on.html
Also sorry for the poor quality screen captures. I think I
provided enough detail for anyone to reproduce the issues
themselves.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/