exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Apple Safari Directory Traversal

Apple Safari Directory Traversal
Posted Oct 15, 2011
Authored by Aaron Sigel

Apple Safari versions 5.0 and later on Mac OS and Windows are vulnerable to a directory traversal issue with the handling of "safari-extension://" URLs. Attackers can create malicious websites that trigger Safari to send files from the victim's system to the attacker. Arbitrary Javascript can be executed in the web context of the Safari extension.

tags | exploit, web, arbitrary, javascript
systems | windows, apple
advisories | CVE-2011-3229
SHA-256 | f206473f38c0933286bdc00fd667750becd015dc4db7e86a307c3b55344dc453

Apple Safari Directory Traversal

Change Mirror Download
CVE: CVE-2011-3229
Found by: Aaron Sigel of vtty.com

Summary:

Safari is vulnerable to a directory traversal issue with the handling of "safari-extension://" URLs.
Attackers can create malicious websites that trigger Safari to send files from the victim's system to the attacker.
Arbitrary Javascript can be executed in the web context of the Safari extension.

Affected Versions:

Safari 5.0 and later on Mac OS X and Windows

Details:

First, Apple's description of Safari Extensions:

"Safari Extensions are a great way for you to add new features to Safari. Built by developers, Safari Extensions use the latest HTML5, CSS3, and Javascript web technologies. And they’re digitally signed and sandboxed for improved security. You can install extensions with one click — no need to restart Safari."
-- https://extensions.apple.com

Another quote from Apple's Developer documentation on what scripts can do:

"Your injected scripts can access resources—images, HTML, and other scripts, for example—within your extension folder. Relative URLs are relative to the webpage your script is injected into, however. If you need to access local resources, use safari.extension.baseURI + “relative path and filename”. You cannot access resources on the user’s hard drive outside of the extensions folder."
-- https://developer.apple.com/library/safari/#documentation/Tools/Conceptual/SafariExtensionGuide/InjectingScripts/InjectingScripts.html

Safari Extensions access their internal resources (images, scripts, etc) by prepending filenames with the value of safari.extension.baseURI, which is a dynamic path that changes every time Safari loads the extension.  The format of full safari-extension URLs is:

safari-extension://name-of-extension-[version_specific_string]/[dynamic_value]/path-to-file

Due to a directory traversal vulnerability in the handling of these URLs, any file readable by Safari's sandbox can be accessed by attackers.  In these URLs, the only component that is not generally known to attackers is the dynamic value.  The dynamic value is a 32bit number represented as a lowercase hex string.  While there are attacks that could attempt to guess this value, more effective routes to exploit this issue have been found.

These URLs may be used by content injected into web pages, exposing the dynamic value by reading the DOM.  The method and exploitability depends on the code in the extension, but proof of concepts have been generated that work against the 1Password, ClickToFlash, and several other extensions.  This should not be considered a security vulnerability in those extensions.  They are following the guidelines provided by Apple for what should be a safe operation.

The vulnerability here is that safari-extension URLs, with the help of directory traversal, have the ability to access local resources anywhere the system will allow the process to read.

Exploiting this bug:

The steps I used to exploit this bug are:

1.  Find the dynamic part of the safari-extension URL
2.  Find a way to access my payload from inside the Safari sandbox
3.  Load my payload, and use it to execute the Javascript in the context of the extension
4.  This Javascript access any file accessible to the extension, or access resources available to the extension (think Javascript accessible databases).

Some details of how my proof of concept accomplishes this:

The first step in exploiting this issue is to obtain the 32bit id.  For 1Password's extension I accomplished this with a Javascript that causes it to inject an iframe into the current page.  The src attribute is readable via document.getElementById().getAttribute("src"), which contains this value.

Once the attacker has this value, arbitrary paths to files readable by Safari's sandbox are reachable.  Additionally useful to the attacker is that no usernames have to be guessed in order to access files in the user's home directory.  This is because paths to files in the URL are relative to:

~/Library/Caches/com.apple.Safari/Extensions/[extension_name]/

Our goal is to start evaluating arbitrary Javascript with the privileges of the Safari Extension.  After watching how Safari downloads files, I found that Safari's sandbox'ed process pokes a hole in the sandbox to allow read access on files while they are being downloaded.  These are download bundles that have no unpredictable path components and are created in ~/Downloads.  This meant that loading the attacker's Javascript was as simple as pushing a file download to Safari (Insert shout out to Nitesh Dhanjani whose Safari Carpet bombing technique still works in Lion and fully patched version of Safari) and loading it in an iframe.  To make sure I could access the file while it was being downloaded, I just made a large file.  At a couple of megabytes, the temporary download bundle reliably existed when and where I needed it to.

At this point the Javascript included in the download executed in the safari-extension zone.

What can be done on Mac OS X:

* Execution of arbitrary Javascript in the web context of installed extensions, which includes,
* Access to the safari object in the web content, exposing the SafariContent classes
* Full SQL access to extensions' client-side databases
* Access to any files that WebProcess.app, Safari's sandboxed process can read, which includes, 
* Files opened by Safari during this process's life
* Local files in loaded extensions
* Other files being downloaded by Safari
* Safari's Cache database
* Safari's Local Storage databases
* Safari's HTML5 Offline Applications
* User Keychain files
* Quarantined application event logs
* DYLD shared cache/maps

What can be done on Windows:

Apple's Safari Extensions website claims that they are sandboxed.  This was verified when accessing the site with Safari for both Mac OS X and Windows 7.  However unlike Mac OS X, successful exploitation on Windows can access files wherever the user can read.  It seems that sandboxing is either not implemented for Safari on Windows 7 or that the sandboxing does not limit file reading.  

What this means:

* On Mac OS X, Safari's sandbox still allows access to a bunch of sensitive and useful data
* On Windows, sandboxing does not limit the files accessible to the attacker (if sandboxing occurs at all)
* Sandbox limits the badness that can be done with Safari exploits on Mac OS X.  Hopefully Safari will adopt more process separation to further limit the damage possible from vulnerabilities.

Shout outs:

cstone, cykyc, Nitesh Dhanjani, jduck, KF

References:

* Apple's advisory:
https://support.apple.com/kb/HT5000

* Previous Safari file stealing vulnerability, Safari ErrorJacking:
https://vttynotes.blogspot.com/2011/03/safari-errorjacking-cve-2011-0167.html

* Apple's documentation on accessing resources inside Safari Extensions:
https://developer.apple.com/library/safari/#documentation/Tools/Conceptual/SafariExtensionGuide/AccessingResourcesWithinYourExtensionFolder/AccessingResourcesWithinYourExtensionFolder.html
Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close