Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] AppleWebKit XMLHttpRequest Arbitrary File Disclosure

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] AppleWebKit XMLHttpRequest Arbitrary File Disclosure
Date: 20 Apr 2005 12:07:32 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  AppleWebKit XMLHttpRequest Arbitrary File Disclosure
------------------------------------------------------------------------


SUMMARY

XMLHttpRequest is "a JavaScript component that allows scripts to perform 
http queries and read their result".

A vulnerability in the AppleWebKit allows a remote attacker to read files 
with known path names on a user's system. The vulnerability also allows 
the attacker to bypass the restriction that XMLHttpRequests may only be 
made to the server hosting the original document. There is a potential for 
other types of disclosure due to the attacker's opportunity to run any 
code from a local file.

DETAILS

Vulnerable Systems:
 * Apple Safari version 1.2+
 * Apple Safari RSS version 2.0 pre-release
 * OmniGroup OmniWeb version 5.1+
 * Shiira version 0.93

Immune Systems:
 * Mozilla Firefox version 1.0
 * Konqueror version 3.3
 * OmniWeb All versions that does not support Javascript
 * Apple Safari 1.2 and prior
 * OmniGroup OmniWeb version 5.0.x
 * Freeverse BumperCar version 1.0

The attack requires that attacker will have the ability to place an HTML 
file on the victim's system and predict its path. By exploiting 
AppleWebKit's special treatment of XMLHttpRequest when running from a 
file: document, the attacker can gain read access to any file on the 
system with a known path that the user running the browser has access to.

The automatic mounting of disk images performed by default by Safari and 
OmniWeb provides the attacker with an easy way to get the local file onto  
the user's system. Other approaches exist, such as predicting the path to 
the user's download directory, using an afp:// or ftp:// URL to mount a 
remote unit and access it using file:///Volumes/resource/.

Example:
A benign demonstration of the vulnerability is provided at the following 
URL:

 <http://remahl.se/david/vuln/001/demo.html> 
http://remahl.se/david/vuln/001/demo.html

The demonstration downloads and mounts a disk image when a link is 
clicked.  It then redirects an IFRAME to the predicted  path of the 
exploit document. The document is also available over HTTP for 
completeness. A real  attacker would be able to make the attack a lot more 
stealthy.

Alternative possibilities of getting a file with a know path onto the 
victim's system are discussed on the in-depth discussion page.

Vendor Status:
For Safari, update to 10.3.9 using software update. See  
<http://docs.info.apple.com/article.html?artnum=300966> 
http://docs.info.apple.com/article.html?artnum=300966 and  
<http://docs.info.apple.com/article.html?artnum=301327> 
http://docs.info.apple.com/article.html?artnum=301327 for more 
information.

CVE Information:
 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0976> 
CAN-2005-0976

Disclosure Timeline:
2005-02-14, 06:25 UTC: Responded that investigation is under-way. Does not 
disclose, discuss or confirm issues until a full investigation has been 
completed and patches are available.
2005-03-16, 22:04 UTC: Reported that the issue would be fixed in a future 
security update.
2005-03-17: Confirmed that the issue would be fixed in the May security 
update (2005-005).
2005-04-15, 00:41 UTC: Reported that the issue is addressed in the 10.3.9 
update  that was due to be released in two hours.


ADDITIONAL INFORMATION

The information has been provided by  <mailto:vuln@remahl.se> David 
Remahl.
The original article can be found at:  <http://remahl.se/david/vuln/001/> 
http://remahl.se/david/vuln/001/



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] AppleWebKit XMLHttpRequest Arbitrary File Disclosure, SecuriTeam <=
Previous by Date:  [EXPL] Microsoft Exchange X-LINK2STATE Heap Overflow PoC (MS05-021), SecuriTeam
Next by Date:  [NT] DameWare NT Utilities Information Disclosure, SecuriTeam
Previous by Thread:  [EXPL] Microsoft Exchange X-LINK2STATE Heap Overflow PoC (MS05-021), SecuriTeam
Next by Thread:  [NT] DameWare NT Utilities Information Disclosure, SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]