Yet another OS X security issue.
In the last two weeks, we’ve had Leap.A, Inqtana.A and now a vulnerability with the way that Apple’s web browser Safari, and it’s mail application Mail.app handle the opening and executing of certain file types by default. This issue is mainly concerned with the opening of .zip files on OS X, and the malicious possibilities are endless on this one.
This vulnerability has been discovered by Michael Lehn The culprit of this vulnerability is in the default configuration of Apple’s Safari web browser. In it’s default configuration the option to “Open ‘safe’ files after downloading” is enabled. The function of this option is to automatically display, documents, spreadsheets, movies and images as soon as they are downloaded to the users computer, by opening them with the application associated with the file type.
The vulnerability comes into play when you store a shell script in a ZIP archive without including the ‘shebang line’ (#!/bin/bash) in the shell script. As soon as you omit the ‘shebang line’, Safari will no longer recognise the script as potentially dangerous content, and executes the shell script without any confirmation needed by the user.
The shell script will get executed within the Terminal.app by a shell. If the user has configured Finder to open scripts using Terminal.app, this will happen automatically, without any intervention on the users part. If you give the script an extension, such as “jpg” or “mov” and then store it within a ZIP archive, OS X will add a binary metadata file to the archive which determines the files association. What this metafile does is instruct the operating system on any other Mac to open that file with Terminal.app — regardless of the extension or the symbol displayed in Finder. The terminal will then re-direct scripts without an interpreter line directly to bash, the standard UNIX shell in OS X.
The immediate action that OS X users should be taking against this right now is to deactivate the “Open ‘safe’ files after downloading” option in the Safari preferences pane. An additional security measure is to move the Terminal.app from /Applications/Utilities into a different folder altogether, this is because the metadata file within the ZIP archive always contains the absolute path to the application to be used to open/execute the file. The only issue with doing this is that when you apply security patches/system updates to OS X, the application must be moved back into it’s original location, otherwise it could cause problems in applying the updates.
To determine if you are vulnerable Heise Security have a safe online demonstration available here. This demo attempts to open Terminal.app to display the contents of a folder. If you are running OS X in it’s default configuration and use Safari, the window will open without waiting for a prompt from the user. The possibilities of what this script could do are endless, and I am going to leave that part to everyone’s imagination. Feel free to submit comments on the worst possible thing you could do with shell script running under the currently logged on user running Safari