Mac OS X Help URI Handler Arbitrary Script Execution

Posted by deepquest on May 18, 2004 – 3:02 pm

lixlpixel has reported a vulnerability in Mac OS X, potentially allowing malicious web sites to compromise a vulnerable system.

The problem is that the “help” URI handler allows execution of arbitrary local scripts (.scpt) via the classic directory traversal character sequence using “help:runscript”.

It is reportedly possible to place arbitrary files, including script files, in a known location on a user’s system by asking the user to download a “.dmg” (disk image) file, if the Safari browser has been configured to “Open “safe” files after download” (the default behaviour).

This has been confirmed on Macintosh OS X using Safari 1.2.1 (v125.1) and Internet Explorer 5.2.

Uncheck “Open “safe” files after download” in “Safari -> Preferences -> General”.

Do not surf the Internet as a privileged user.

Rename the help URI handler.
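
A detection check for the pattern described above, added here as an example and not part of the original advisory: it scans HTML or log text for `help:` URIs that combine `runscript` with a directory traversal sequence or a `.scpt` target, percent-decoding first. The sample lines and the `=` separator after `runscript` are constructed assumptions; the matching does not depend on the separator.

```python
import re
from urllib.parse import unquote

# help: URIs in HTML or log text; the lookbehind avoids matching inside longer
# scheme-like words such as "selfhelp:".
HELP_URI = re.compile(r"(?<![A-Za-z0-9+.\-])help:[^\s\"'<>]+", re.IGNORECASE)
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed sample input (not taken from the advisory).
SAMPLE_TEXT = """
<a href="help:runscript=../../../tmp/example/demo.scpt">docs</a>
GET help:runscript=%252e%252e%2f%252e%252e%2ftmp%2fdemo.scpt
<a href="help:topic_list">Help index</a>
https://example.com/selfhelp:runscript/../x
"""


def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded sequences are exposed too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_suspicious_help_uris(text):
    """Return (raw_uri, reasons) for help: URIs matching the advisory's pattern."""
    findings = []
    for match in HELP_URI.finditer(text):
        raw = match.group(0)
        decoded = fully_decode(raw).lower()
        reasons = []
        if "runscript" in decoded:
            reasons.append("runscript")
        if TRAVERSAL.search(decoded):
            reasons.append("traversal")
        if ".scpt" in decoded:
            reasons.append("scpt")
        # Flag only runscript combined with at least one further indicator.
        if "runscript" in reasons and len(reasons) > 1:
            findings.append((raw, reasons))
    return findings


if __name__ == "__main__":
    for uri, why in find_suspicious_help_uris(SAMPLE_TEXT):
        print(uri, why)
```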

Provided and/or discovered by: lixlpixel

Proof of Concept: copy/paste “help://cat /etc/passwd” in the address bar

This is a harmless POC that will launch the help and dump the passwd file.

