David Remahl
2005-05-03 20:05:22 UTC
I have published advisories for 4 security vulnerabilities in Mac OS
X that were addressed by Apple Security Update 2005-005, released
today. <http://docs.info.apple.com/article.html?artnum=301528>.
This email contains brief summaries of the problems. Full details can
be found on my web site <http://remahl.se/david/vuln/>.
Description: help: URI handler execution of JavaScripts with known
paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus
vulnerable to having scripts with arbitrary paths run with the
privileges granted to file: protocol URIs. The files can be started
with a URI on the form of help:///path/to/file.html. Combined with
XMLHttpRequest's ability to disclose arbitrary files, this security
bug becomes critcal.
Description: Invisible characters in applescript: URL protocol
messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor
to facilitate sharing of AppleScripts between users. By clicking a
link (for example in a web forum), a user can create a new Script
Editor document automatically, with text from the query string of the
URI. This avoids problems with copying text from the web or manually
typing code snippets. However, the technique can be used to trick
users into running dangerous code (with embedded control characters),
since insufficient input validation is performed.
Description: Apple Terminal insufficient input sanitation of x-man-
path: URIs vulnerability
My name: DR011 <http://remahl.se/david/vuln/011/>
CVE: CAN-2005-1342
Summary: Apple Terminal fails to properly sanitize the contents of x-
man-path: URIs passed to it. This can lead to execution of arbitrary
commands, aided by some of the escape sequences that Terminal supports.
Description: Mac OS X terminal emulators allow reading and writing of
window title through escape sequences
My name: DR012 <http://remahl.se/david/vuln/012/>
CVE: CAN-2005-1341
Summary: Apple Terminal (often referred to as Terminal.app) and xterm
which both ship with current versions of Mac OS X are vulnerable to a
well-known type of attack when displaying untrusted content. Using
escape sequences and social engineering attacks it is in some cases
possible to trick the user into performing arbitrary commands.
I would like to acknowledge the willingness of Apple's Product
Security team to cooperate with me in resolving these issues. CERT's
assistance has also been helpful.
/ Regards, David Remahl
X that were addressed by Apple Security Update 2005-005, released
today. <http://docs.info.apple.com/article.html?artnum=301528>.
This email contains brief summaries of the problems. Full details can
be found on my web site <http://remahl.se/david/vuln/>.
Description: help: URI handler execution of JavaScripts with known
paths vulnerability
My name: DR004 <http://remahl.se/david/vuln/004/>
CVE: CAN-2005-1337 [yes, cool, isn't it ;-)]
Summary: The Help Viewer application allows JavaScript and is thus
vulnerable to having scripts with arbitrary paths run with the
privileges granted to file: protocol URIs. The files can be started
with a URI on the form of help:///path/to/file.html. Combined with
XMLHttpRequest's ability to disclose arbitrary files, this security
bug becomes critcal.
Description: Invisible characters in applescript: URL protocol
messaging vulnerability
My name: DR010 <http://remahl.se/david/vuln/010/>
CVE: CAN-2005-1331
Summary: URL Protocol Messaging is a technique used by Script Editor
to facilitate sharing of AppleScripts between users. By clicking a
link (for example in a web forum), a user can create a new Script
Editor document automatically, with text from the query string of the
URI. This avoids problems with copying text from the web or manually
typing code snippets. However, the technique can be used to trick
users into running dangerous code (with embedded control characters),
since insufficient input validation is performed.
Description: Apple Terminal insufficient input sanitation of x-man-
path: URIs vulnerability
My name: DR011 <http://remahl.se/david/vuln/011/>
CVE: CAN-2005-1342
Summary: Apple Terminal fails to properly sanitize the contents of x-
man-path: URIs passed to it. This can lead to execution of arbitrary
commands, aided by some of the escape sequences that Terminal supports.
Description: Mac OS X terminal emulators allow reading and writing of
window title through escape sequences
My name: DR012 <http://remahl.se/david/vuln/012/>
CVE: CAN-2005-1341
Summary: Apple Terminal (often referred to as Terminal.app) and xterm
which both ship with current versions of Mac OS X are vulnerable to a
well-known type of attack when displaying untrusted content. Using
escape sequences and social engineering attacks it is in some cases
possible to trick the user into performing arbitrary commands.
I would like to acknowledge the willingness of Apple's Product
Security team to cooperate with me in resolving these issues. CERT's
assistance has also been helpful.
/ Regards, David Remahl