CVE-2006-0848
published 2006-02-22

Priority: P339 · medium · 5.1 (CVSS 2.0)
Vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 58.10% (99.0th percentile)
The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension.

Affected (2 ranges)

Vendor   Product            Version range   Fixed in
apple    mac_os_x
apple    mac_os_x_server

Detection & IOCs

path: __MACOSX/._<filename>
path: __MACOSX
filename: *.mov
bytes: \x00\x05\x16\x07\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00
  • Detect ZIP files delivered via HTTP containing a __MACOSX directory with AppleDouble resource fork metadata files (._*) that reference Terminal.app as the opener — this is the core exploit delivery mechanism.
  • Inspect ZIP archive contents for files with 'safe' extensions (e.g., .mov) paired with a __MACOSX/._<filename> resource fork entry — the script payload is hidden inside the .mov file while the metadata forces Terminal.app execution.
  • Monitor Safari downloads on macOS for ZIP files served as application/zip that auto-extract and spawn Terminal.app — the 'Open safe files after downloading' Safari preference must be enabled for exploitation.
  • Exploitation requires the victim to have Safari's 'Open safe files after downloading' preference enabled — this is the default setting and is a prerequisite for the attack to succeed without further user interaction.
  • The Metasploit module requires the 'zip' command-line utility to be installed on the attacker's system to generate the malicious archive.
  • The payload type is restricted to command execution only (cmd); supported payload types are generic, perl, ruby, and telnet — no native shellcode payloads are supported.
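
The ZIP inspection described in the first two detection points, as an added example that is not taken from any of the quoted sources. It assumes the opener reference appears in the `._` entry as the plain bytes `Terminal.app`; the function names, the size limit and the sample archive are constructed for illustration.

```python
import io
import posixpath
import zipfile

# First 8 bytes of the pattern listed above: AppleDouble magic + version 2.
APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07\x00\x02\x00\x00"
SAFE_EXTENSIONS = (".mov",)      # only .mov is named on this page; extend locally
OPENER_MARKER = b"Terminal.app"  # assumption: opener is stored as plain bytes
MAX_META = 1 << 20               # read cap so a hostile archive cannot exhaust memory


def scan_zip(data):
    """Return one finding per 'safe' file that has a __MACOSX/._ companion."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in sorted(names):
            if name.startswith("__MACOSX/"):
                continue
            if not name.lower().endswith(SAFE_EXTENSIONS):
                continue
            folder, base = posixpath.split(name)
            companion = posixpath.join("__MACOSX", folder, "._" + base)
            if companion not in names:
                continue
            with zf.open(companion) as fh:
                meta = fh.read(MAX_META)
            findings.append({
                "file": name,
                "companion": companion,
                "appledouble": meta.startswith(APPLEDOUBLE_MAGIC),
                "terminal_opener": OPENER_MARKER in meta,
            })
    return findings


def is_suspicious(finding):
    """Flag only when the companion is AppleDouble and names Terminal.app."""
    return finding["appledouble"] and finding["terminal_opener"]


def build_sample(meta_body):
    """Constructed test archive: placeholder .mov plus a synthetic ._ entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clip.mov", b"constructed placeholder, not a real movie")
        zf.writestr("__MACOSX/._clip.mov",
                    APPLEDOUBLE_MAGIC + b"\x00" * 8 + meta_body)
    return buf.getvalue()
```

Archives created on a Mac routinely carry `__MACOSX/._*` entries, so the pairing alone is weak evidence; the Terminal.app reference is the signal worth alerting on.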