20.02.2006

As the German IT portal Heise Online reports, a new security hole has been discovered in the Safari web browser for Apple’s Mac OS X. This security hole is rather severe, as it causes shell scripts to be executed under certain circumstances.

Once again the Safari option “open ‘safe’ files automatically after download” is to blame. If this feature comes across a shell script that is missing the so-called shebang line, the system no longer asks the user whether to execute the file - it just executes it. Unfortunately, you can simply rename a shell script without a shebang line to a known-good file extension such as JPG or PNG and put the renamed script into a ZIP file, together with an administrative file that associates that file with the shell. A target Mac that receives that ZIP then “knows” automatically how to open the file - it treats executing the “jpg file” with the shell as totally normal.
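A check for the mismatch described above, as an added example that is not part of the original post or of Heise's demo: it inspects a ZIP before anything is opened and flags entries whose image extension does not match their leading bytes, or that carry a Unix execute bit. The function names are hypothetical, and the sample archive is constructed inline, reusing the file name `Heise.jpg` and the first script line quoted in the comments below.

```python
import io
import os
import stat
import zipfile

# Leading bytes ("magic numbers") of the image types named in the post.
IMAGE_MAGIC = {
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
    ".png": b"\x89PNG\r\n\x1a\n",
}

def audit_zip(data: bytes) -> list[tuple[str, str]]:
    """Return (entry name, reason) pairs for image entries that look disguised."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            ext = os.path.splitext(info.filename.lower())[1]
            magic = IMAGE_MAGIC.get(ext)
            if magic is None:
                continue  # only entries that claim to be images are audited
            with zf.open(info) as fh:
                head = fh.read(16)
            if not head.startswith(magic):
                findings.append((info.filename, "content does not match extension"))
            # Archives written on Unix or Mac OS X keep the file mode in the
            # upper 16 bits of external_attr; an image never needs to be executable.
            mode = info.external_attr >> 16
            if mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
                findings.append((info.filename, "execute bit set on image file"))
    return findings

def build_sample() -> bytes:
    """Constructed sample: one genuine PNG header and one script named .jpg."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        good = zipfile.ZipInfo("photo.png")
        good.external_attr = 0o100644 << 16
        zf.writestr(good, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        bad = zipfile.ZipInfo("Heise.jpg")
        bad.external_attr = 0o100755 << 16
        zf.writestr(bad, b"/bin/ls -al\necho\n")
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in audit_zip(build_sample()):
        print(f"{name}: {reason}")
```
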

To work around this issue immediately, you can take two countermeasures: the first is to disable that unsafe option in Safari; the second is to move the Terminal to another location, as the association between shell script and Terminal uses a hardcoded file path to the Terminal. Additionally, you should never ever work with administrator privileges - as one should be used to from windoze, this rule of thumb has the same virtues on a Mac as well ;)

Currently, according to heise, no websites are known that try to exploit this issue, but it is just a question of time until some appear on the net. So don’t take this security hole too lightly - it can result in the deletion of important files sooner than you’d expect.

Update #1 02/21/2006: Heise Online has posted an English translation of the original article I am referring to in this post - I suppose their own translation is much better than the automatic one from Google Translator ;)

Update #2 02/21/2006: Heise Online confirmed that the issue is even more important, as they found out that you can even trick Firefox users into this trap. I have covered the topic in a separate post. Even Slashdot and the Inquirer have covered it now, so it must be assumed to be a really big issue.

33 comments on this article so far

  1. Leopold Porkstacker says

    I stopped using Safari over a year ago, when I “discovered” Firefox. Oh, and Firefox is more standards-compliant than Safari, so it almost seems pointless to even be using Safari. Problem solved.

    -he who stacks pork

  2. CountZero says

    I am not a Mac user myself, but we have one in our office @work, where I was able to confirm the issue with the demo from heise online without any problem. It is true (and I am aware of it) that you don’t work as Administrator on a Mac under usual circumstances (other than at a windoze machine where you’d have to get around many problems to really not work as Administrator), but this issue is a severe problem, as it is, if understood as a proof-of-concept, a slap in the face for everybody who was totally sure her/his Mac can’t be affected by an issue similar to those in the windoze-world.

    You only need to find another backdoor to retrieve root access through a shell script and to combine it with this Safari issue, and voilà, you have successfully generated a really serious threat to most of the Macs around in the net.

  3. Ben Hanson says

    Tested the demo, it downloads a .zip file, decompresses and then executes a shell script. Certainly not worm food, but a bug none the less. Following is the script that is executed:

    /bin/ls -al
    echo
    echo
    echo "heise Security: Sie sind verwundbar."
    echo
    echo

    Checking the file:
    -rwxr-xr-x 1 76 Feb 20 05:41 Heise.jpg
    we can see that the execute bit is set. So Safari should really be flagging this. If the execute bit isn’t set, I doubt this would work. If it is, Safari should show the warning about downloading an executable (which many would ignore), or it should no longer be considered safe. I for one would take notice if I were downloading what I thought was just data, and I got a warning that the file was an application.
    I’ve unchecked the “open safe files after opening”.

  4. Kevin Ballard says

    “Did you even test out the proof-of-concept? Yes, Safari auto-executes the shell script even though it’s disguised as a jpeg file.”

    No it doesn’t. I tried it out, all it did was unzip the file and stick it on my desktop. No execution of anything. And yes, I have the Open “safe” files pref enabled.

  5. skytomorrownow says

    i tried the demo. works like a charm. flip comments like: well don’t open anything, don’t really help here. i click on PDF links ALL the time. it would be very easy to hide a malicious shell script among legit PDFs and do some nasty things. hope they fix this. is it possible for the browser to validate the file format somehow before opening? should i use another browser.
