Potential Safari/HelpViewer security vulnerability; AppleScript fix

Potential Safari/HelpViewer security vulnerability; AppleScript fix

Message boards have been buzzing over the weekend about a potential security flaw in Safari that can cause code to be unintentionally executed in a user's home directory.

In Safari's preferences, there is an option to "open 'safe' files after downloading." With this option checked, Safari will automatically mount download disk image (.dmg) files.

The problem arises when this automatic opening behavior is combined with Apple HelpViewer's ability to automatically run programs via the "help:" protocol. A maliciously intended help file could therefore locate and launch a threatening file from within the mounted disk image.

As such, a vulnerable link would be formatted as follows:

"help:runscript=MacHelp.help/Contents/Resources/ English.lproj/shrd/OpnApp.scpt string='Volumes: someMountedDMG:sometarget.app'"

MacFixIt reader Hugo Diaz wrote a script modification that will prevent this security exploit:

(* LEGAL DISCLAIMER: THIS FIX IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND and FOR INFORMATIONAL PURPOSES ONLY. *** USE AT YOUR OWN RISK ***

THIS SCRIPT MODIFICATION FIXES VULNERABILITY LINK FORMAT: help:runscript=MacHelp.help/Contents/Resources/English.lproj/shrd/OpnApp.scpt string='Volumes:someMountedDMG:sometarget.app'

SECURITY FIX for Help exploit via Safari: Should be implemented in the "OpnApp.scpt" file at file:///Library/Documentation/Help/MacHelp.help/Contents/Resources/English.lproj/shrd/

VERSION 0.1: last modified 5/15/04

REASON: In order to prevent a security exploit that can be used to open and execute a script using a downloaded '.dmg' image file within Safari, we check the "completeParam" parameter received by this script for the existence of the string "Volumes:"...

If that string exists in the path, then we warn the user and cancel the action. Otherwise this continues as normal.

NOTE: This script "OpnApp.scpt" exists on Mac OS X in all the localized folders of the path

file:///Library/Documentation/Help/MacHelp.help/Contents/Resources/XYZLanguage.lproj/shrd/

To complete this fix you can either...

a) change the names of other copies of this script in those other languages, or delete them, so that only this copy runs by default. or

b) modify the content in all the others too, localizing each for the appropriate language.

The easiest way to find all the relevant script files is to open... file:///Library/Documentation/Help/MacHelp.help/Contents/Resources/ and then type "OpnApp.scpt" in the Search box of that Finder window, using "Selection" as the search type from the search menu of that Finder window. There are 15 localized copies of the script in a standard Panther installation.

VULNERABILITY NOTE: For reasons unclear, the vulnerability only seems to trigger when the Help Viewer application is not currently running when the link is used, or when it is running but you have not used the "Help" menu within an application. This seems to happen regardless of whether or not you implement this fix.

For example, if you use the 'Safari>Help>Safari Help' menu item, then Help Viewer runs displaying the Safari Help page, and the vulnerability will not work after that unless you quit Help Viewer first. Same goes for using help from other Apps first. If the vulnerability does trigger, you can trigger it many times in succession, unless you select help in an App as described above, then it does not trigger anymore until you quit Help Viewer.

*) on «event helphdhp» (completeParam)
-- localizable text
set cancelBtn to "Cancel"
set errorText to "The item cannot be opened. It may be disabled or not installed."

set warningForSecurityExploit to "Help link cancelled.

Stopped an attempt to open a file via a Help link using 'Volumes' path.

Without this fix in place a known security vulnerability using malicious links within Safari could be exploited."

set ourSecurityExploitError to 750 -- some number we choose arbitrarily to signal the fix.

--end localizable text

try
tell application "Finder"

-- TEST for SECURITY EXPLOIT if completeParam contains "Volumes:" then -- Dangerous call may exploit Help security hole via Safari...
error number ourSecurityExploitError -- Trip an error signal, handled below in error section.
else
-- PASSED TEST, OK TO RUN AS NORMAL
open file completeParam of the startup disk
end if
end tell

on error errMsg number errNum
-- HANDLE OUR SECURITY ERROR
-- If we find our own error number, we warn about the potential security exploit.

if the errNum is equal to ourSecurityExploitError then
display dialog warningForSecurityExploit buttons {cancelBtn} default
button 1 with icon 0
return
else
-- NORMAL WARNING, some other error.
display dialog errorText buttons {cancelBtn} default button 1 with icon 0
return
end if
end try
end «event helphdhp»

Resources
  • More from Late-Breakers
  •  

    Join the discussion

    Conversation powered by Livefyre

    Show Comments Hide Comments