[NEWS] AppleWebKit XMLHttpRequest Arbitrary File Disclosure
From: SecuriTeam (support_at_securiteam.com)
Date: 04/20/05
- Previous message: SecuriTeam: "[EXPL] Microsoft Exchange X-LINK2STATE Heap Overflow PoC (MS05-021)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: list@securiteam.com Date: 20 Apr 2005 12:07:32 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
AppleWebKit XMLHttpRequest Arbitrary File Disclosure
------------------------------------------------------------------------
SUMMARY
XMLHttpRequest is "a JavaScript component that allows scripts to perform
http queries and read their result".
A vulnerability in the AppleWebKit allows a remote attacker to read files
with known path names on a user's system. The vulnerability also allows
the attacker to bypass the restriction that XMLHttpRequests may only be
made to the server hosting the original document. There is a potential for
other types of disclosure due to the attacker's opportunity to run any
code from a local file.
DETAILS
Vulnerable Systems:
* Apple Safari version 1.2+
* Apple Safari RSS version 2.0 pre-release
* OmniGroup OmniWeb version 5.1+
* Shiira version 0.93
Immune Systems:
* Mozilla Firefox version 1.0
* Konqueror version 3.3
* OmniWeb All versions that does not support Javascript
* Apple Safari 1.2 and prior
* OmniGroup OmniWeb version 5.0.x
* Freeverse BumperCar version 1.0
The attack requires that attacker will have the ability to place an HTML
file on the victim's system and predict its path. By exploiting
AppleWebKit's special treatment of XMLHttpRequest when running from a
file: document, the attacker can gain read access to any file on the
system with a known path that the user running the browser has access to.
The automatic mounting of disk images performed by default by Safari and
OmniWeb provides the attacker with an easy way to get the local file onto
the user's system. Other approaches exist, such as predicting the path to
the user's download directory, using an afp:// or ftp:// URL to mount a
remote unit and access it using file:///Volumes/resource/.
Example:
A benign demonstration of the vulnerability is provided at the following
URL:
<http://remahl.se/david/vuln/001/demo.html>
http://remahl.se/david/vuln/001/demo.html
The demonstration downloads and mounts a disk image when a link is
clicked. It then redirects an IFRAME to the predicted path of the
exploit document. The document is also available over HTTP for
completeness. A real attacker would be able to make the attack a lot more
stealthy.
Alternative possibilities of getting a file with a know path onto the
victim's system are discussed on the in-depth discussion page.
Vendor Status:
For Safari, update to 10.3.9 using software update. See
<http://docs.info.apple.com/article.html?artnum=300966>
http://docs.info.apple.com/article.html?artnum=300966 and
<http://docs.info.apple.com/article.html?artnum=301327>
http://docs.info.apple.com/article.html?artnum=301327 for more
information.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0976>
CAN-2005-0976
Disclosure Timeline:
2005-02-14, 06:25 UTC: Responded that investigation is under-way. Does not
disclose, discuss or confirm issues until a full investigation has been
completed and patches are available.
2005-03-16, 22:04 UTC: Reported that the issue would be fixed in a future
security update.
2005-03-17: Confirmed that the issue would be fixed in the May security
update (2005-005).
2005-04-15, 00:41 UTC: Reported that the issue is addressed in the 10.3.9
update that was due to be released in two hours.
ADDITIONAL INFORMATION
The information has been provided by <mailto:vuln@remahl.se> David
Remahl.
The original article can be found at: <http://remahl.se/david/vuln/001/>
http://remahl.se/david/vuln/001/
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Previous message: SecuriTeam: "[EXPL] Microsoft Exchange X-LINK2STATE Heap Overflow PoC (MS05-021)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
