"Safari Automatically Executes Shell Scripts" vulnerability (zero-day exploit) [#3]: Protective methods, more
Originally posted February 23rd
We continue to provide updated information and attempt to eliminate some misconceptions about the "Safari Automatically Executes Shell Scripts" vulnerability we've been reporting on for the past few days.
To recap, this vulnerability has to do with the way Mac OS X handles its LaunchServices, and is a feat of social engineering rather than a representation of genuine security flaws in Mac OS X (not to say that Apple couldn't tighten Mac OS X's behavior to lessen the chances of malicious code executing through this method).
The vulnerability was only associated with the "Open safe files automatically" command because this is a likely vector for transfer of potentially malicious shell scripts, and could theoretically require no user interaction other than downloading a malicious file under certain circumstances.
However, even if the "Open safe files automatically" function is disabled, the file recipient can still be tricked into opening a malicious script. The problem, in essence, is that Mac OS X allows any item to carry a custom icon. So a shell script could appear to the user as a .jpg image, a movie or any other type of file. Upon double-clicking the seemingly innocuous files, a shell script is executed that can at most (without administrator privileges, which you should never have to enter when opening a document) delete local user files and wreak other account-constrained havoc.
It is also important to note that simply writing a shell script without a "shebang" line (which normally tells the Terminal which shell to use when opening a script), then giving it a false file extension such as .jpg and turning it into a zip archive will not make it execute automatically via the Terminal. The malicious file must also be given a resource fork that tells it explicitly to launch in the Terminal.
Protective method -- inspect files with Get Info As such, one of the best protective methods you can use (after turning off the option to open "safe" files automatically in Safari) is to inspect any newly obtained downloads before launching them.
Click on the newly received download once to select it, then press the Command and I keys simultaneously, or go to the "File" menu in the Finder and select "Get Info."
If the file carries the icon representation of an image or some other file, but shows a different "Kind" in the Get Info window, something isn't right. Avoid launching the file and follow up by obtaining information about the authenticity of the download source.
Apple should better define "safe" One salient point from this mostly hyperbolic "threat" is that Apple needs to better define just exactly what a "safe" file is. By focusing on closing the pores in LaunchServices, Apple can better ensure than any security lapse is due to user error rather than a blatant system-based vector.
Changing the Terminal name -- caveat We previously noted that one protective measure for this issue involves replacing the Terminal application with an automated script that asks for user permission before launching the Terminal.
As part of that measure, we noted that the Terminal itself should be renamed something like _Terminal.app. We should now note that a malicious user could simply target that name, and still gain access to the Terminal. As such, you should use random name you are comfortable with rather than the suggested _Terminal.app.
Note, however, that the automator script we linked to earlier will have to be modified to point to the Terminal name you have chosen.
Software-based protection A few new software-based protective methods have now hit the download market.
"Safe Terminal" is an input manger that disallows Terminal.app to execute any command and .term files, theoretically making it safe to use Safari "Open safe files after download" option.
The one problem with this workaround is that, after installing this utility, when opening Terminal.app, a new shell window will not automatically be opened. To create a new shell window, the user must choose "New" from the File menu or press the Command-N keyboard combination.
Saft Lite now includes a mechanism that can check a Safari download file's MIME types and in case it is executable. It can check for MIME types of image, audio, text, video and message. Upon finding a file with executable code, Saft will try to turn the executable flag off and warn you about it. Once Saft turns the executable flag of the file off, any attempts to open the file in the Finder won't trigger the file to launch in Terminal.
Feedback? Late-breakers@macfixit.com.
Previous coverage:
Resources
%20%5B%233%5D:%20Protective%20methods,%20more%20%7C%20MacFixIt%20-%20CNET%20Reviews&srcUrl=http://reviews.cnet.com/8301-13727_7-10330562-263.html){kind=small}
possible to disguise a script as something else (not just a .jpeg) and that the
script can do anything it wants to as long as the app (not just Terminal) being
called upon is scriptable (such as telling the Finder to move contents in
~home to trash and delete - which means not just Admin users.). In other
words looking for ways to prevent Terminal from being started is in the long
run a waste of time. There is no way that I can expect my coworkers who I
support to check every single file that they receive or download. The Mac OS
resource fork - probably the number one attribute that makes a mac a mac -
is dead; unless Apple pulls a rabbit out of the hat.
Kevin
This is actually very similar in a way to the proof-of-concept trojan, reported a
while back, where you could mismatch a document filename extension with an
application kind in the resource fork. If I remember right, the proof-of-concept
was an AppleScript disguised as an mp3 file. There was even a somewhat more
complicated version where it would actually play as an mp3 file in addition to
executing the AppleScript code.
Why do you say the resource fork is dead? Seems to me that the .xxx file
extension is dead. Having an application code in the resource fork makes
more
sense, especially since applications themselves usually do not show the ".app"
extension in the Finder (unless the user changed the default setting).
It would be better to get rid of the file extension all together, have the "Kind"
column showing in the download folder, and have Safari do some sort of file
analysis on downloads before assigning a 4-digit application code to the file.
Not that I would expect this to happen any time soon. Maybe Safari should
also warn us about script file and Terminal file downloads, the way it does
with App files, and don't rely strictly on the 3 letter extension to determine
the contents.
Terminal folder into Input Managers (folder has couple of files in it)? Or do just
install some or all of the folder contents?
MacFixIt Terminal fix is confusing.
At the moment, Paranoid Android seems to be the best fix.
---
iMac G5, 17", 1.8 GHz, 1GB RAM
PowerBook G4, 12", 1.5 GHz, 768 MB RAM
Both OS 10.4.5
Put the entire folder into InputManagers.
---
Remember - FTBC (failure to be cool) is not a crime!
different folder then run the test on that security website, the test passes ok.
You will have to put Terminal App back in its original folder when you carry out
any Apple upgrades that may need it to be there.
I forgot to mention the URL for that security site.
http://secunia.com/mac_os_x_command_execution_vulnerability_test/
Bad news.
http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php
MacFixit!)
I am sure glad I use Omniweb instead of Safari. Why?
Omniweb may not be as fast as some other browsers but it has a security
feature that lets you list "safe applications" that you allow to open files that
are downloaded. Any applications that are not on the list will not launch.
Suffice it to say, Terminal is not on my list of "Safe" applications. No patches
or work arounds needed.
I for one will just stay away from Safari or any other browser that does not
have this feature until they catch up to Omniweb's cast iron security features.
Griff
- by swtp February 27, 2006 9:46 AM PST
- <class="merchant"><span>></span><div class="datestamp"><i>This is a reply to a previous comment by griff--2008</i></div></class><br />
- Like this Reply to this comment
-
(10 Comments)I usually use Firefox. I downloaded the Heisse sample exploit and double clicked the .sit. It was expanded with Stuffit and the jpg file was dutifully double clicked. It would not open saying Preview did not recognize the file type. Then I downloaded with Safari and went through the same sequence. The .sit file was expanded with BOMArchiver and when the jpg was double clicked the terminal opened. I then took the Safari .sit file and expanded it with Stuffit and it then gave a error report the same as the FF download. I haven't seen this discussed and I am wondering if this is expected behavior. 10.3.9 on 1.25 GHz MDD