Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24705
HistorySep 12, 2010 - 12:00 a.m.

ACROS Security: Remote Binary Planting in Apple Safari for Windows (ASPR #2010-09-08-1)

2010-09-1200:00:00
vulners.com
18

=====[BEGIN-ACROS-REPORT]=====

PUBLIC

=========================================================================
ACROS Security Problem Report #2010-09-08-1

ASPR #2010-09-08-1: Remote Binary Planting in Apple Safari for Windows

Document ID: ASPR #2010-09-08-1-PUB
Vendor: Apple, Inc. (http://www.apple.com)
Target: Apple Safari for Windows
Impact: Remote execution of arbitrary code
Severity: Very high
Status: Official patch available, workarounds available
Discovered by: Simon Raner of ACROS Security

Current version
http://www.acrossecurity.com/aspr/ASPR-2010-09-08-1-PUB.txt

TEST YOUR COMPUTER'S EXPOSURE TO BINARY PLANTING NOW!
http://www.binaryplanting.com/test.htm
THE BINARY PLANTING RESEARCH REVEALED
http://blog.acrossecurity.com

Summary

A "binary planting" [1] vulnerability in Apple Safari for Windows allows
local or remote (even Internet-based) attackers to deploy and execute
malicious code on Windows machines in the context of logged-on users.

Product Coverage

  • Apple Safari 5.0.1 (7533.17.8) for Windows (at least XP, Vista and
    Windows 7)
  • Apple Safari 4.0.5 (531.22.7) for Windows (at least XP, Vista and
    Windows 7)

Note: We only tested the above versions; other versions may also be
affected.

Analysis

As a result of an incorrect process launching in Apple Safari for Windows,
an attacker can cause her malicious EXE [1] to be loaded and executed from
local drives, remote Windows shares, and even shares located on Internet.

What a remote attacker has to do is plant a malicious explorer.exe on a
network share and get the user to open an HTML file from this network
location with Safari - which should require minimal social engineering.
Then, when the user tries to open one of his downloaded files in the
containing folder (e.g., menu: Window -> Downloads -> right-click on a
file -> Show Containing Folder), the malicious explorer.exe is launched
instead of the legitimate one.

Alternatively, if the HTML file opens (or redirects to) any "file://"
location, Safari's attempt to launch Windows Explorer will result in
launching the malicious explorer.exe.

Since Windows systems by default have the Web Client service running -
which makes remote network shares accessible via WebDAV -, the malicious
EXE can also be deployed from an Internet-based network share as long as
the intermediate firewalls allow outbound HTTP traffic to the Internet.

Microsoft's CWDIllegalInDllSearch protection tool [2] DOES NOT protect
against this attack, as it only affects the way libraries (DLLs) are
loaded, whereas this is a case of launching an executable (EXE).

More information on binary planting:

Mitigating Factors

  • A firewall blocking outbound WebDAV traffic (in addition to blocking all
    Windows Networking protocols) could stop an Internet-based attack.

  • In case of an Internet-based remote attack, Windows can display a "Open
    File - Security Warning" dialog to the user as part of the Windows
    "defense in depth" mechanism. Our experience in penetration tests shows,
    however, that users are likely to okay such warnings when they appear to
    be coming from a trusted application (in this case, Safari).

Solution

Apple has issued a security bulletin [3] and published remediated
versions of Safari for Windows that fix this issue.

Workaround

  • Stopping the Web Client service could stop Internet-based attacks as
    long as the network firewall stops outbound Microsoft Networking
    protocols. This would not, however, stop remote LAN-based attacks where
    the attacker is able to place a malicious DLL on a network share inside
    the target (e.g., corporate) network.

Other workarounds are commercially available to interested corporate and
government customers under NDA.

Related Services

ACROS is offering professional consulting on this issue to interested
corporate and government customers. Typical questions we can help you
answer are:

1) To what extent is your organization affected by this issue?

2) Is it possible to get remote code from the Internet launched inside
your network? Can this be demonstrated?

3) Have you adequately applied the remedies to remove the vulnerability?

4) Are there other workarounds that you could implement to fix this issue
more efficiently and/or inexpensively?

5) Are your systems or applications vulnerable to other similar issues?

Interested parties are encouraged to ask for more information at
[email protected].

References

[1] Binary Planting Goes "EXE"
http://blog.acrossecurity.com/2010/09/binary-planting-goes-exe.html

[2] Microsoft's CWDIllegalInDllSearch protection tool
http://support.microsoft.com/kb/2264107

[3] About the security content of Safari 5.0.2 and Safari 4.1.2
http://support.apple.com/kb/HT4333

Acknowledgments

/

Contact

ACROS d.o.o.
Makedonska ulica 113
SI - 2000 Maribor

e-mail: [email protected]
web: http://www.acrossecurity.com
phone: +386 2 3000 280
fax: +386 2 3000 282

ACROS Security PGP Key
http://www.acrossecurity.com/pgpkey.asc
[Fingerprint: FE9E 0CFB CE41 36B0 4720 C4F1 38A3 F7DD]

ACROS Security Advisories
http://www.acrossecurity.com/advisories.htm

ACROS Security Papers
http://www.acrossecurity.com/papers.htm

ASPR Notification and Publishing Policy
http://www.acrossecurity.com/asprNotificationAndPublishingPolicy.htm

Disclaimer

The content of this report is purely informational and meant only for the
purpose of education and protection. ACROS d.o.o. shall in no event be
liable for any damage whatsoever, direct or implied, arising from use or
spread of this information. All identifiers (hostnames, IP addresses,
company names, individual names etc.) used in examples and demonstrations
are used only for explanatory purposes and have no connection with any
real host, company or individual. In no event should it be assumed that
use of these names means specific hosts, companies or individuals are
vulnerable to any attacks nor does it mean that they consent to being used
in any vulnerability tests. The use of information in this report is
entirely at user's risk.

Revision History

September 8, 2010: Initial release

Copyright

(c) 2010 ACROS d.o.o. Forwarding and publishing of this document is
permitted providing the content between "[BEGIN-ACROS-REPORT]" and
"[END-ACROS-REPORT]" marks remains unchanged.

=====[END-ACROS-REPORT]=====