Security: Safari and Auto-Execute shell scripts

Posted in macOS, edited January 2014
OK this is interesting.



I tried the proof-of-concept (see below) and this is for sure a real security hole in Safari.



Basically, clicking on a website link downloads a zip file that contains a shell script missing the "shebang" line ("#!") that Safari looks for to determine if a file "contains an application". The shell script has its file extension changed to ".jpg", but somehow Mac OS X passes the file to the Terminal.app to be executed. This is supposedly done by another file that determines the app to pass a file to.



1. You must have "Open "Safe" files after downloading" checked in Safari's General Preferences (this is checked by default in Safari).



2. Read the story at the link below and find the place where there is a link to demonstrate the exploit (this is non-destructive; it only lists files in the Terminal)



3. Check Get Info on the "Heise.jpg" file and you will see that it is set to open in Terminal.app.



4. Check the "Heise.jpg" file in Terminal and you will see that it has the Execute bit set.





Here is the story:

http://www.heise.de/english/newsticker/news/69862



(Click the link labeled "this online demonstration" near the bottom of the story. You will be shocked at what happens.)



Now can anybody explain to me where this "other file" that supposedly is in the zip archive is? I cannot find it.

Comments

  • Reply 1 of 21
    Is there any word as to whether Apple knows about this or not and what their plans are to fix this hole? Is it in their bug reporting system so we can track it? The bug seems to lie within the way Safari determines whether a file is "safe or not" and does not seem INCREDIBLY difficult to fix.
  • Reply 2 of 21
    tednditedndi Posts: 1,921member
    So, if we uncheck "open safe files after downloading" are we secure?
  • Reply 3 of 21
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by TednDi

    So, if we uncheck "open safe files after downloading" are we secure?



    Yes.



    The issue is, however, how did this file get Terminal.app assigned to it? That is the real security issue.
  • Reply 4 of 21
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by lundy

    Yes.



    The issue is, however, how did this file get Terminal.app assigned to it? That is the real security issue.




    However, take note that if you uncheck that box, you will get a zip file on the desktop. If you double-click that file to unzip it, you get a "Heise.jpg" file. THEN, if you double-click that to see the picture, you are fucked.
  • Reply 5 of 21
    Quote:

    Originally posted by lundy

    The issue is, however, how did this file get Terminal.app assigned to it? That is the real security issue.



    It seems that the issue lies in the fact that Safari doesn't really care what the OS does with a file after it's been deemed safe to be opened upon completion of the download. Safari simply decides whether or not a file is "safe" and if it finds it is safe then it will run it, regardless of whether it is an executable or an image. What happened here is it seems they've managed to trick Safari into thinking the file is an image or a movie, and therefore, safe to open.
  • Reply 6 of 21
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by akheron01

    It seems that the issue lies in the fact that Safari doesn't really care what the OS does with a file after it's been deemed safe to be opened upon completion of the download. Safari simply decides whether or not a file is "safe" and if it finds it is safe then it will run it, regardless of whether it is an executable or an image. What happened here is it seems they've managed to trick Safari into thinking the file is an image or a movie, and therefore, safe to open.



    Yes, but somehow the associated application gets set to "Terminal.app". This is the part I am still trying to figure out.



    Now if you make a text file, and right-click and tell it to open in Terminal, it will open a shell and execute it. That is nothing new. The question is how the file has an extension of ".jpg" and yet still has Terminal assigned to open it.



    Also, if you change the file extension of any text file to ".command", it will also cause it to open in Terminal when it is double-clicked. That isn't the case here though.



    I am going to try and analyze the zip file with some BSD utilities and see what I can find. The paper refers to "another file" that sets the associated app.
  • Reply 7 of 21
    tinktink Posts: 395member
    But I thought Macs couldn't get viruses?



    Well heck, we always are clamoring for more apps!



    Does this mean Macs are now mainstream!



    Thanks, I'll be here all week!
  • Reply 8 of 21
    Quote:

    Originally posted by lundy

    Yes, but somehow the associated application gets set to "Terminal.app". This is the part I am still trying to figure out.



    Not sure why a .jpeg is being launched with Terminal.app, but I think the OS should give a warning that it's trying to run a bash script without the shebang line. I know it's nagware, but if the file did have the shebang line we would have got nagged anyway - so there is no reason not to do it in this case.



    I know it's not fail safe, but OS X's assumption that a text file that has no shebang line is 'secure' to run in Terminal.app is ridiculous.



    Is the other file you're talking about a resource fork? like the mysteriously hidden . files?
  • Reply 9 of 21
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by wgauvin

    Not sure why a .jpeg is being launched with Terminal.app, but I think the OS should give a warning that it's trying to run a bash script without the shebang line. I know it's nagware, but if the file did have the shebang line we would have got nagged anyway - so there is no reason not to do it in this case.



    I know it's not fail safe, but OS X's assumption that a text file that has no shebang line is 'secure' to run in Terminal.app is ridiculous.



    Is the other file you're talking about a resource fork? like the mysteriously hidden . files?




    I looked at the zip archive - it unzips into the actual shell script "Heise.jpg", and a directory named "__MACOSX", which contains a file called "._Heise.jpg".



    The contents of the hidden file "._Heise.jpg" are as follows:

    Code:

    2 2%/Applications/Utilities/Terminal.app??????????
    ???????????????????????????
    ?????????????????????????????????????????????????? ?
    ??????????????????
    ????????????????????? ???????????????????
    ?????????????????????????????????????????????????? ??????????????????? ???????????
    ?????????????????
    ???????????????????????
    ?????????????????????????????????????? ?????????????????????????????????????????????????? ??????????
    ???????????????????******2_??2usro

    Bingo. There is the "Terminal.app" information to the Finder. Note that the path is hard-coded.



    I will have to test it, but I THINK the way this was done was to set the file's associated application on the sender's machine with Get Info, then set the file extension to bogus (".jpg"), and then zip and send it.



    Apple will have this fixed in a jiffy. That shell script in the demo just lists files as a proof of concept, but it could easily have done a

    cd ~
    rm -rf *
  • Reply 10 of 21
    r3dx0rr3dx0r Posts: 201member
    Quote:

    Originally posted by lundy

    I looked at the zip archive - it unzips into the actual shell script "Heise.jpg", and a directory named "__MACOSX", which contains a file called "._Heise.jpg".





    care to share how you unzipped the archive to reveal more than just 'Heise.jpg'? i can't seem to find the directory you mentioned in your post.



    edit: got it
  • Reply 11 of 21
    pyr3pyr3 Posts: 946member
    http://www.unsanity.org/archives/000449.php



    It was posted in a related topic in Applications. Apparently when Safari asks OS X if the file is safe, OS X doesn't check to see if there is a hard-coded application to open this file. It just looks at the user-specific 'open all JPG files with' definition or the global 'open all JPG with' application.
  • Reply 12 of 21
    Quote:

    Originally posted by lundy

    Yes.



    The issue is, however, how did this file get Terminal.app assigned to it? That is the real security issue.




    I tried to duplicate this using some old C programs I had left from a Comp Sci class. If you add .jpg to a terminal shell you get the little warning saying it may not be the right kind of file. If you ignore that and then have Terminal.app set to always open the file, it will indeed work. There isn't much to it. I kept getting the warnings that I might not be able to open it with Terminal, but it does, and my programs run just fine ... except they're marked as jpegs ... extension, icon and all...
  • Reply 13 of 21
    tilttilt Posts: 396member
    Safari is not the only app that does this, the same problem exists even in Mail.app. So turning on that switch in Safari will not resolve the issue.



    Cheers
  • Reply 14 of 21
    r3dx0rr3dx0r Posts: 201member
    there's some more information over at daringfireball which you guys might find interesting.



    the whole issue isn't about safari or mail, it's the way the os decides which application to choose to open certain files.
  • Reply 15 of 21
    lundylundy Posts: 4,466member
    Sounds like they need to stop consulting the usro resource on downloaded files. Even better, strip that resource if it is present in a downloaded file.



    I think I can make a launchd LaunchAgent that will monitor the downloads folder and strip all "usro" resources from any file that gets placed there.
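Added example, not code from this thread or from Apple: a Python parser for the AppleDouble "._" sidecar that reads its resource fork and pulls out the "usro" application override lundy found in Reply 9, which is the check a downloads-folder monitor like the one proposed above would run before deciding what to strip. The AppleDouble header and resource-map layouts follow the documented formats; modelling the "usro" content as just the application path, and the sample sidecar bytes, are constructed assumptions.

```python
import struct

APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, RESOURCE_FORK_ENTRY = 0x00051607, 0x00020000, 2

def build_sample_appledouble(app_path: bytes) -> bytes:
    """Constructed sample: a minimal '._' file whose resource fork holds one
    'usro' resource (ID 0) naming app_path, modelled on the Heise demo archive."""
    data_section = struct.pack(">I", len(app_path)) + app_path  # 4-byte length + content
    type_list = struct.pack(">H", 0) + b"usro" + struct.pack(">HH", 0, 10)  # 1 type, 1 resource
    ref_list = struct.pack(">hhB", 0, -1, 0) + (0).to_bytes(3, "big") + b"\0" * 4
    res_map = b"\0" * 16 + struct.pack(">IHHHH", 0, 0, 0, 28, 50) + type_list + ref_list
    fork_header = struct.pack(">IIII", 256, 256 + len(data_section), len(data_section), len(res_map))
    fork = fork_header.ljust(256, b"\0") + data_section + res_map  # 256-byte header, data, map
    header = struct.pack(">II16sH", APPLEDOUBLE_MAGIC, APPLEDOUBLE_VERSION, b"", 1)
    return header + struct.pack(">III", RESOURCE_FORK_ENTRY, len(header) + 12, len(fork)) + fork

def usro_override(blob: bytes):
    """Application path carried by a 'usro' resource in an AppleDouble blob, or None.
    Pure parsing: nothing in the file is opened or executed."""
    try:
        magic, version, _, count = struct.unpack_from(">II16sH", blob, 0)
        if magic != APPLEDOUBLE_MAGIC or version != APPLEDOUBLE_VERSION:
            return None
        fork = b""
        for i in range(count):  # entry table: (id, offset, length), id 2 = resource fork
            entry_id, offset, length = struct.unpack_from(">III", blob, 26 + 12 * i)
            if entry_id == RESOURCE_FORK_ENTRY:
                fork = blob[offset:offset + length]
        data_off, map_off = struct.unpack_from(">II", fork, 0)
        type_list = map_off + struct.unpack_from(">H", fork, map_off + 24)[0]
        for t in range(struct.unpack_from(">H", fork, type_list)[0] + 1):
            rtype, last, ref_off = struct.unpack_from(">4sHH", fork, type_list + 2 + 8 * t)
            if rtype != b"usro":
                continue
            for r in range(last + 1):  # reference entries: 12 bytes, data offset in bytes 5..7
                ref = type_list + ref_off + 12 * r
                data = data_off + int.from_bytes(fork[ref + 5:ref + 8], "big")
                size = struct.unpack_from(">I", fork, data)[0]
                path = fork[data + 4:data + 4 + size].split(b"\0")[0]
                return path.decode("utf-8", "replace")
    except struct.error:  # truncated or malformed sidecar: treat as no override
        pass
    return None

def is_script_disguised_as_image(name: str, sidecar: bytes) -> bool:
    """Flag an image-named file whose Finder override points at Terminal.app."""
    app = usro_override(sidecar)
    return app is not None and app.endswith("Terminal.app") and \
        name.lower().endswith((".jpg", ".jpeg", ".gif", ".png"))
```

Run it over every "__MACOSX/._*" sidecar in a freshly unpacked download; a hit means the Finder would hand the image-named file to Terminal.app regardless of the extension.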
  • Reply 16 of 21
    So Apple has a double standard for files in Finder (another reason to FTFF). The icon it shows is based on the file extension, but the file is being opened because of a resource that says to open via Terminal.app. Here are a few things I think they can do:



    1) Make sure the icon in Finder is that of the application that will run that file, not the file type. Such a visual effect should make people suspicious, especially the more security savvy users.



    2) Always warn the user that they're about to launch Terminal application and run a potentially harmful script. Scripts are powerful, but a script that gets root access can do serious harm, and even a user level script can do harm like deleting a user's directory.



    3) Perhaps add a warning per file that is shown if the 'Open With' overrides the creator code and/or file type default application. This warning could be set up to be shown once or all the time.



    I think Apple must bite the bullet on nagging users, it's annoying but it makes users aware they're about to do something that's not what the OS was expecting it to do.
  • Reply 17 of 21
    Quote:

    Originally posted by lundy

    Sounds like they need to stop consulting the usro resource on downloaded files. Even better, strip that resource if it is present in a downloaded file.



    I think I can make a launchd LaunchAgent that will monitor the downloads folder and strip all "usro" resources from any file that gets placed there.




    Someone mentioned elsewhere that this problem exists via Mail too. So that file won't end up in your Download directory. Also the file downloaded is a zip file, that Safari is automatically unzipping, but the problem can still occur later if I open that zip file and then open the 'jpg' inside.



    They need to do a few things that make users more aware they're about to do something unexpected to what the OS would usually do.
  • Reply 18 of 21
    toweltowel Posts: 1,479member
    Quote:

    Originally posted by r3dx0r

    care to share how you unzipped the archive to reveal more than just 'Heise.jpg'? i can't seem to find the directory you mentioned in your post.



    edit: got it




    I couldn't see the hidden directory until I unzipped the archive on my Linux box. How do you see it on OS X? It seems to be hidden even in the Terminal.
  • Reply 19 of 21
    r3dx0rr3dx0r Posts: 201member
    it's not hidden for me. unzipping in terminal.app using 'unzip Heise.jpg.zip' reveals both the malicious jpg and the directory.
  • Reply 20 of 21
    lundylundy Posts: 4,466member
    Quote:

    Originally posted by r3dx0r

    it's not hidden for me. unzipping in terminal.app using 'unzip Heise.jpg.zip' reveals both the malicious jpg and the directory.



    Code:

    Dual-G5:~/Desktop lundy$ unzip Heise.jpg.zip
    Archive: Heise.jpg.zip
    inflating: Heise.jpg
    creating: __MACOSX/
    inflating: __MACOSX/._Heise.jpg
    Dual-G5:~/Desktop lundy$ cat Heise.jpg
    /bin/ls -al
    echo
    echo
    echo "heise Security: Sie sind verwundbar."
    echo
    echo
    Dual-G5:~/Desktop lundy$ lsla
    total 256
    drwx------ 12 lundy lundy 408 Feb 23 23:06 .
    drwxr-xr-x 25 lundy lundy 850 Feb 10 11:52 ..
    -rw-r--r-- 1 lundy lundy 43012 Feb 23 23:06 .DS_Store
    -rw-r--r-- 1 lundy lundy 0 Feb 3 2004 .localized
    -rwxr-xr-x 1 lundy lundy 1909 Feb 21 01:33 977.c
    drwxr-xr-x 4 lundy lundy 136 Feb 2 22:04 AppleScript Users Digest Messages
    -rw-r--r-- 1 lundy lundy 2032 Feb 22 16:31 Documents < 5 days.savedSearch
    -rwxr-xr-x 1 lundy wheel 13780 Feb 22 18:19 Drop to PDF.app
    -rwxr-xr-x 1 lundy lundy 76 Feb 20 09:41 Heise.jpg
    -rw-r--r-- 1 lundy lundy 682 Feb 20 11:39 Heise.jpg.zip
    drwxrwxr-x 3 lundy lundy 102 Feb 20 09:41 __MACOSX
    -rwxr-xr-x 1 lundy lundy 168 Feb 16 12:41 triggerscript.sh
    Dual-G5:~/Desktop lundy$ cd __MACOSX/
    Dual-G5:~/Desktop/__MACOSX lundy$ lsla
    total 8
    drwxrwxr-x 3 lundy lundy 102 Feb 20 09:41 .
    drwx------ 12 lundy lundy 408 Feb 23 23:06 ..
    -rwxr-xr-x 1 lundy lundy 1420 Feb 20 09:41 ._Heise.jpg
    Dual-G5:~/Desktop/__MACOSX lundy$ cat ._Heise.jpg
    2 2%/Applications/Utilities/Terminal.app?????????????????????????????????
    ?????????????????????????????????????????????????? ??????????????????
    ?????????????????????????????????????????????????? ???????????????????????????
    ???
    ????????????????????????????????????????????
    ?????????????????????????????????????????????
    ?????????????????????????????????????????????????? ????????????????
    ??????????????????????????????????????????????**** **2_??2usro

    Q.E.D.