[VulnWatch] [DR001] AppleWebKit XMLHttpRequest arbitrary file disclosure vulnerability

From: David Remahl (vuln_at_remahl.se)
Date: 04/17/05

  • Next message: khaalel: "[VulnWatch] The first open source spyware"
    To: vulnwatch@vulnwatch.org
    Date: Sun, 17 Apr 2005 14:59:43 +0200
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    The full, up-to-date, text of this advisory is located at:
    <http://remahl.se/david/vuln/001/>.

    Title: AppleWebKit XMLHttpRequest arbitrary file disclosure
    vulnerability
    Date of discovery: 2005-02-13
    Date of publication: 2005-04-16
    Discovered by: David Remahl (david@remahl.se)
    Impact: arbitrary file disclosure, origin validation error
    CVE: CAN-2005-0976

    AFFECTED PRODUCTS

    Verified vulnerable
         Apple Safari 1.2+
         Apple Safari RSS 2.0, pre-release
         OmniGroup OmniWeb 5.1+
         Shiira 0.93 does not support automatic disk image mounting but is
    vulnerable to other ways of predicting file paths.
         Other applications that use recent versions of WebCore/WebKit and
    allow JavaScript and the file: protocol

    Possibly / partially vulnerable
         Other applications that utilize KHTML

    Verified not vulnerable
         Mozilla Firefox 1.0
Konqueror 3.3 [prevents the redirection to the local file but
    allows local files the same access to XMLHttpRequest as Safari and
    OmniWeb]
         Don't support XMLHttpRequest:
             Apple Safari <1.2
             OmniGroup OmniWeb 5.0.x
             Freeverse BumperCar 1.0

    INTRODUCTION

    XMLHttpRequest is a JavaScript component that allows scripts to perform
    HTTP queries and read their results.

    The attack described herein requires that the attacker has the ability
    to place an HTML file on the victim's system and predict its path. By
    exploiting AppleWebKit's special treatment of XMLHttpRequest when
    running from a file: document, the attacker can gain read access to
    any file on the system with a known path that the user running the
    browser has access to.

    The automatic mounting of disk images performed by default by Safari
    and OmniWeb provides the attacker with an easy way to get the local
    file onto the user's system. Other approaches exist, such as
    predicting the path to the user's download directory, using an afp://
    or ftp:// URL to mount a remote unit and access it using
    file:///Volumes/resource/.

    IMPACT

    This vulnerability allows a remote attacker to read files with known
    path names on a user's system. The vulnerability also allows the
    attacker to bypass the restriction that XMLHttpRequests may only be
    made to the server hosting the original document.

    There is a potential for other types of disclosure due to the
    attacker's opportunity to run any code from a local file.

    The impact of this vulnerability is diminished but not eliminated if
    the automatic mounting of disk images and remote volumes is disabled.

    DEMONSTRATION

    A benign demonstration of the vulnerability is provided at the
    following URL:

         http://remahl.se/david/vuln/001/demo.html

    The demonstration downloads and mounts a disk image when a link is
    clicked. It then redirects an iframe to the predicted path of the
    exploit document. The document is also available over http for
    completeness. A real attacker would be able to make the attack a lot
    more stealthy.

    Alternative possibilities of getting a file with a known path onto the
    victim's system are discussed on the in-depth discussion page.

    VENDOR RESPONSE

    OmniGroup
         2005-02-13, 19:34 UTC: Working on a fix.
         According to CERT (2005-03-17), OmniGroup plans to release a fix
    around mid-April.

    Apple Computer
         2005-02-14, 06:25 UTC: Responded that investigation is under way.
    Does not disclose, discuss or confirm issues until a full
    investigation has been completed and patches are available.
         2005-03-16, 22:04 UTC: Reported that the issue would be fixed in a
    future security update.
         2005-03-17: Confirmed that the issue would be fixed in the May
    security update (2005-005).
         2005-04-15, 00:41 UTC: Reported that the issue is addressed in the
    10.3.9 update that was due to be released in two hours.

    SOLUTION

    For Safari, update to 10.3.9 using software update. See
    <http://docs.info.apple.com/article.html?artnum=300966> and
    <http://docs.info.apple.com/article.html?artnum=301327> for more
    information.
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (Darwin)

    iD8DBQFCYl3CFlFiDoclYIURApTpAJ9TRVBeJdTmdiZilFJf+wCxts6dYgCffB+T
    P8qZrI+VNd9bqGHasmXbdGo=
    =UYc5
    -----END PGP SIGNATURE-----

