Apple Safari for Windows Protocol Handler Command Injection Vulnerability
TITLE: Apple Safari for Windows Protocol Handler Command Injection Vulnerability
CLASS: Input Validation Error
CVE: CVE-2007-3186
REMOTE: Yes
LOCAL: No
PUBLISHED: Jun 12 2007 12:00AM
UPDATE: Jun 14 2007 01:39PM
CREDIT: Thor Larholm discovered this vulnerability.
VULNERABLE:
Apple Safari For Windows 3 BetaNOT VULNERABLE:
Apple Safari 2.0.4
Apple Safari 2.0.3
Apple Safari 2.0.2
Apple Safari 2.0.1
Apple Safari 2.0
Apple Safari 3 Beta
Apple Safari For Windows 3.0.1 Beta
Vai alla pagina originale su Security Focus
Discussion
Apple Safari for Windows is prone to a protocol handler command-injection vulnerability.
Exploiting the issue allows remote attackers to pass arbitrary command-line arguments to any application that can be called through a protocol handler.
This specific vulnerability relies on the use of IFRAME elements; attackers can do even more damage by combining it with Mozilla XPCOM components.
Exploiting the issue would permit a remote attacker to influence command options that can be called through Safari protocol handlers and to compromise affected systems in the context of the vulnerable user.
This issue may be related to the vulnerability discussed in BID 10406 (Apple MacOS X SSH URI Handler Remote Code Execution Vulnerability). We will update this BID as more information emerges.
Note: Apple has released Safari for Windows Beta 3.0.1
Exploit
The following proof of concept demonstrates this vulnerability.
Solution
Solution:
Apple has released an updated version of the software that addresses this issue. Please see the vendor advisories for additional information.
Apple Safari For Windows 3 Beta
- Apple Apple Safari for Windows Beta 3.0.1
http://www.apple.com/safari/download/
References
References:
- Apple Safari for Windows 3 Beta (Apple)
- Safari for Windows, 0day URL protocol handler command injection (Thor Larholm)
- Safari for Windows, 0day exploit in 2 hours (Thor Larholm)