Comments on vtty: CVE-2011-3230 - Launch any file path from web page
Blog author: aaron. Comment feed last updated 2023-06-02T10:27:43-07:00. 15 comments, newest first.

aaron, 2011-10-16T10:56:27-07:00:
Side note: if you found something affected by this on Linux, it isn't this bug and you have found a new bug. Funnily enough, those fake pages with views of your local system invoked by a remote page were probably more dangerous than those folks realized, and that is probably why it no longer works.

aaron, 2011-10-16T10:49:05-07:00:
Sorry if my PoC was unclear, but the point of putting /etc/passwd was to harmlessly demonstrate the nature of the bug. That is, with this bug you can trigger launch services to launch local paths, which should be disallowed by browsers. Fooling people by displaying a world-readable file in /etc was not the goal, and Mac OS X doesn't use this anymore for user accounts. The outcome depends on the file type bindings on your system. Ex: MachO binaries are handled by Terminal.app, so they run. Apple has a growing list of unsafe types known to LS, which are the only ones blocked, and then only if pushed to the user by a Quarantined application and never before opened (which clears Quarantine).

Anonymous, 2011-10-16T09:46:09-07:00:
wohoo, passwd visible in linux!
even other *important* files in /etc are readable!
chmod o-r... result: no login possible..tsssaah!! ^^
indeed, "feature richness"

time to implement some stuff like SELinux @ my systemSsSzz... but for sure - my home is safe until now! *puuh* xD

nice burst, just droppin a few lines of code & see files you never thought... remember the time, when IE5 shows your HDD content -> your pc is not safe, "we non-hackerz" 0wn3d you - almost the same... ^^

anybody checked something like

mkdir -p /tmp/\ /\ /; echo "echo "try to run some dirt code in your secure non-noexec mounted /tmp *ggg*"" > /tmp/\ /\ /haha.sh; chmod +x /tmp/\ /\ /haha.sh;sh /tmp/\ /\ /haha.sh;mount

or an easy one, just havin fun with database credentials...

/var/www/blog/wp-config.php

for sure, you will never end up surfin on your vserver machine, but hey... o_O

aaron, thx for this simple, but feature-rich advice!

Ilja van Sprundel, 2011-10-14T23:08:06-07:00:
awesome find Aaron!!

aaron, 2011-10-13T15:09:35-07:00:
I have no idea what that means, so I will assume never.

CrisisMaven (http://crisismaven.wordpress.com), 2011-10-13T14:54:02-07:00:
Great! When is this to be included in IE?

Anonymous, 2011-10-13T12:46:08-07:00:
Chrome on MacOS warns with:

Not allowed to load local resource: file:///etc/passwd

and so does Firefox:

Security Error: Content at http://www.example.com/cve-2011-3230.html may not load or link to file:///etc/passwd.

Great find!

Anonymous, 2011-10-13T09:14:43-07:00:
It's not a bug - It's a feature!

aaron, 2011-10-13T00:46:34-07:00:
This issue was fixed in Apple's update today. This does not affect Safari 5.1.1.

Anonymous, 2011-10-13T00:37:57-07:00:
does this affect Safari 5.1 or 5.1.1??? I am worried... should I update to 5.1.1, which was released tonight?

aaron, 2011-10-12T18:25:28-07:00:
As far as I know this only affects Safari on Mac OS X.

Mathias Panzenböck (panzi), 2011-10-12T18:24:27-07:00:
Does this only apply to Safari or also to other WebKit-based browsers (like Chrome)?

aaron, 2011-10-12T18:21:57-07:00:
Since the URL is just sent off to LaunchServices you cannot actually do a curl -O, but what you can do is push a file type that LaunchServices does not think is "unsafe", or use an absolute path that is not Quarantined, or a number of other creative things.

Thinglet Software (http://thinglet.com), 2011-10-12T18:18:47-07:00:
It's worth noting that anyone taking advantage of this vulnerability can arbitrarily run curl -O to download any 3rd-party binaries to the computer, circumventing the sandbox.

cykyc, 2011-10-12T15:02:19-07:00:
You're my hero!