Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: Safari on Windows - not looking good - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Safari on Windows - not looking good

Last month Mark posted a diary about a security issue for users using Safari on Windows. There has been a lot of discussion about this over the past few weeks. The issue is not a typical security vulnerability in a product, but a blended threat that is specific for Safari on Windows – a combined attack called "Safari Carpet Bomb".

Over the last weekend, a security researcher released proof of concept code that exploits this "feature" in Safari with another "feature" in Windows (yeah, a lot of "features" working together = a vulnerability).

The two "features" we're talking about here are these:

  1. In some cases, Internet Explorer will load DLLs from Desktop. This is an old "feature" that has been known since December 2006. It also works, as far as I'm aware, only with Internet Explorer 7 (and probably 8 beta) on Windows XP. My tests failed on Vista.
  2. Safari for Windows will, by default, save files on Desktop. This would not normally be a problem, but Safari does that without any prompts to the user (Firefox does the same, for example, but prompts the user before saving the file).

Now, when we combine these two vulnerabilities you get the following – a user visits a malicious web site with Safari. The web site causes Safari to automatically download the DLL file and store it on the desktop. The user now needs to open Internet Explorer from Desktop in order to automatically execute the DLL file. Keep in mind that the shortcut to Internet Explorer has to be on Desktop so the PATH environmental variable gets properly defined (it will make Internet Explorer search current directory for the DLL file).

Overall, the sky isn't falling, but in my opinion both Microsoft and Apple (Safari) should fix these "features". I don't see a reason why Internet Explorer would look for the DLL file in the current directory (this would effectively prevent this vulnerability). Apple should also fix Safari so it at least prompts the user before downloading the file. Apple already said that they don't consider this to be a security issue (which is partially correct), but since other browsers do this (at least Firefox and Internet Explorer), and it is good security practice, my humble opinion is that Apple should change this behavior.

Since the proof of concept is easily available, if you are using Safari on Windows please change the default download location as described in Microsoft's advisory available at http://www.microsoft.com/technet/security/advisory/953818.mspx.

--

Bojan

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Munich July 2019

Bojan

376 Posts
ISC Handler
After reading this, I am wondering what is stopping this from being valid for other browsers (or any other unknown exploit that could drop a .dll to a known IE launch location). It seems to me the real problem is that IE should not be searching the current directory for a .dll regardless of who put the .dll their. My two cents.
Anonymous
How is this a Safari problem? I view this as a design flaw in IE or Windows (can't really tell which because you can't have one without the other.) Give Microsoft's reluctance to fix their shoddy software, Apple will need to mitigate the risk by modifying their software, but it shouldn't need to. What software will blindly open a file and execute it simply based on its location and name without being directed to?
Anonymous
First off: IMO, writing files to a drive (any location) without asking the user is an error, regardless of OS. Exceptions are caches (browser and Flash), but they are written to randomized locations (after Thor Larholm pointed out the risk in 2003 see http://seclists.org/bugtraq/2003/Oct/0239.html ), Macromedia randomized the Flash cache location.

Apart from a dll on the desktop there are at least two other issues. Consider this file written to the desktop:

[InternetShortcut]
url=file:c:\windows\system32\calc.exe
Hotkey=13

After logging off and back on, pressing Enter will cause calc to start.

Another issue is with a file dropped on the desktop called isc.sans.org.lnk: if the user types isc.sans.org in the MSIE url-field, the shortcut will execute. AFAIK this was first mentioned by Roger A. Grimes here in 2006: http://www.infoworld.com/article/06/05/19/78413_21OPsecadvise_1.html
Erik van Straten

122 Posts
I forgot to mention: the last issue is fixed in IE7 (but not IE6). W.r.t. the url file above: it should consist of 3 lines (Sans converts Enter to space).
Erik van Straten

122 Posts

Sign Up for Free or Log In to start participating in the conversation!