How to avoid the new 'Help' URL handler vulnerability
This is more severe than the original post explains - any shell command that has a standard path in OS X (read: all of them) can be executed this way. For a demo see:
http://bronosky.com/pub/AppleScript.htm
I prefer the solution found at this URL:
It just replaces the Applescript that helpviewer uses to launch files with a version that asks for confirmation. The code in both Applescripts is viewable (allaying security concerns), and it preserves the functionality of help viewer. Thanks to "MongoTheGeek" in the MacRumours forum for this solution.
How to avoid the new 'Help' URL handler vulnerability
I'm afraid that replacing the OpnApp.scpt file is not enough. Help Viewer can run any arbitrary AppleScript or shell command without referencing that script at all. OpnApp.scpt is only really necessary for opening a full-fledged application program or non-script file.
Someone can use one of the dmg-mounting techniques and then execute a script without invoking OpnApp.scpt at all: help:runscript=../../../Volumes/evil_disk/evil.scpt
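A check that keys on the `help:` URL itself rather than on OpnApp.scpt, as an added example that is not part of the original comments: it scans page markup for `help:runscript=` targets and flags those whose path climbs out of the starting directory or lands under `Volumes`. The function names and the sample markup are constructed for illustration, and only the `runscript=` form quoted above is assumed.

```python
import posixpath
import re
from urllib.parse import unquote

# help: URLs embedded in markup, up to the first quote, space or angle bracket.
HELP_URL = re.compile(r"(?<![A-Za-z0-9+.-])help:[^\s\"'<>]+", re.IGNORECASE)

def classify_help_url(url):
    """Return the reasons a help: URL is suspicious (empty list if none)."""
    body = url.split(":", 1)[1]
    # Decode a few rounds so %2e%2e and double-encoded forms are seen as "..".
    for _ in range(3):
        decoded = unquote(body)
        if decoded == body:
            break
        body = decoded
    if not body.lower().startswith("runscript="):
        return []
    reasons = ["runscript"]
    norm = posixpath.normpath(body[len("runscript="):])
    # Absolute path, or still begins with ".." after normalisation: it escapes.
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        reasons.append("path-escape")
    # A mounted disk image shows up as a Volumes path component.
    if "Volumes" in norm.split("/"):
        reasons.append("mounted-volume")
    return reasons

def scan(text):
    """Return (url, reasons) for every suspicious help: URL found in text."""
    findings = []
    for match in HELP_URL.finditer(text):
        reasons = classify_help_url(match.group(0))
        if reasons:
            findings.append((match.group(0), reasons))
    return findings

# Constructed sample markup; the third link is a placeholder non-script request.
SAMPLE = '''
<a href="help:runscript=../../../Volumes/evil_disk/evil.scpt">x</a>
<meta http-equiv="refresh" content="0;url=help:runscript=%2e%2e/%2e%2e/Volumes/d/t.scpt">
<a href="help:some-other-request">ordinary help link</a>
'''

if __name__ == "__main__":
    for url, reasons in scan(SAMPLE):
        print(", ".join(reasons), "->", url)
```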
How to avoid the new 'Help' URL handler vulnerability
I tried out the test page at http://bronosky.com/pub/AppleScript.htm and I just got an error message telling me that OSX doesn't know how to handle internet addresses beginning with help. I used misfox to change the response to help anyway and it now definitely opens the new application I pointed it to. So, I don't know what the story is.
How to avoid the new 'Help' URL handler vulnerability
I would like to chime in that modifying OpnApp.scpt does _not_ suffice.
Disclaimer: Try this at your own risk.
Don't be alarmed, I just wanted to make clear that everyone who tries out my exploit does so at his/her own risk. The exploit is designed to be absolutely non-destructive, but who knows what may happen on different systems.
Don't try this if you already have files called /sometestfile.txt and ~/sometestfile.html containing something important. They will not be overwritten, but data will be appended to them, which hypothetically can render them unusable. If you would like to take a peek into the AppleScript with Script Editor before trying the exploit to make sure it won't harm your system, the disk image is situated here:
http://www.schuderer.net/pub/dmgtest.dmg
Here is the code of the contained script testme.scpt:
Paranoia galore! :)