CVE-2006-0848
Published: 2006-02-22
Priority: P3 (39)
Severity: medium, CVSS 2.0 base score 5.1
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 58.10% (99.0th percentile)
The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | mac_os_x | — | — |
| apple | mac_os_x_server | — | — |
Detection & IOCs
IOC (bytes): \x00\x05\x16\x07\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00 (the AppleDouble header: magic 0x00051607 followed by version 0x00020000, which is how the ._* metadata files inside a __MACOSX folder begin)
- Detect ZIP files delivered via HTTP containing a __MACOSX directory with AppleDouble resource fork metadata files (._*) that reference Terminal.app as the opener — this is the core exploit delivery mechanism.
- Inspect ZIP archive contents for files with 'safe' extensions (e.g., .mov) paired with a __MACOSX/._<filename> resource fork entry — the script payload is hidden inside the .mov file while the metadata forces Terminal.app execution.
- Monitor Safari downloads on macOS for ZIP files served as application/zip that auto-extract and spawn Terminal.app — the 'Open safe files after downloading' Safari preference must be enabled for exploitation.
- Exploitation requires the victim to have Safari's 'Open safe files after downloading' preference enabled — this is the default setting and is a prerequisite for the attack to succeed without further user interaction.
- The Metasploit module requires the 'zip' command-line utility to be installed on the attacker's system to generate the malicious archive.
- The payload type is restricted to command execution only (cmd); supported payload types are generic, perl, ruby, and telnet — no native shellcode payloads are supported.
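The first two detection items above describe a structural check that an archive scanner (mail gateway, proxy, EDR) can perform offline. The following Python script is an added example, not code from this page, from Apple or from the Metasploit module: it walks a ZIP, finds every `__MACOSX/._<name>` sidecar whose bytes start with the AppleDouble magic from the IOC, parses the AppleDouble entry table (entry id 2 is the resource fork, id 9 the Finder info), and flags sidecars whose metadata mentions Terminal while the paired data file carries a "safe" extension. The `SAFE_EXTENSIONS` set is an assumed, representative list rather than Safari's real one, and the sample archive it builds for itself uses an opaque placeholder blob as the resource fork (it contains the string "Terminal.app" but is not a real resource map), so the fixture only exercises the detector.

```python
"""Flag the CVE-2006-0848 delivery pattern inside a ZIP archive:
a __MACOSX/._<name> AppleDouble sidecar whose metadata names Terminal,
paired with a data file that carries a 'safe' extension such as .mov."""
import io
import os
import struct
import zipfile

APPLEDOUBLE_MAGIC = b"\x00\x05\x16\x07"        # first four bytes of the IOC above
APPLEDOUBLE_VERSION2 = b"\x00\x02\x00\x00"     # next four bytes of the IOC above
# Assumption: a representative list of extensions Safari treats as "safe".
SAFE_EXTENSIONS = {".mov", ".jpg", ".png", ".gif", ".pdf", ".txt"}
OPENER_MARKER = b"Terminal"                    # what the sidecar must not name as opener
ENTRY_RESOURCE_FORK = 2
ENTRY_FINDER_INFO = 9


def parse_appledouble_entries(blob):
    """Return {entry_id: bytes} for an AppleDouble blob, or None if the magic is absent.
    Layout: magic(4) version(4) filler(16) count(2), then count * (id, offset, length)."""
    if len(blob) < 26 or blob[:4] != APPLEDOUBLE_MAGIC:
        return None
    (count,) = struct.unpack(">H", blob[24:26])
    entries = {}
    for i in range(count):
        off = 26 + 12 * i
        if off + 12 > len(blob):
            break                                # truncated entry table: stop, keep what parsed
        eid, eoff, elen = struct.unpack(">III", blob[off:off + 12])
        entries[eid] = blob[eoff:eoff + elen]
    return entries


def scan_zip_bytes(data):
    """Return one finding per sidecar whose resource fork / Finder info names Terminal."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        names = set(zf.namelist())
        for name in zf.namelist():
            parts = name.split("/")
            if "__MACOSX" not in parts or not parts[-1].startswith("._"):
                continue                         # not an AppleDouble sidecar path
            entries = parse_appledouble_entries(zf.read(name))
            if entries is None:
                continue                         # sidecar path but not AppleDouble content
            # Recover the data file the sidecar describes: drop "__MACOSX/" and the "._" prefix.
            base = parts[-1][2:]
            target = name.replace("__MACOSX/", "", 1)
            target = target[: -len(parts[-1])] + base
            meta = entries.get(ENTRY_RESOURCE_FORK, b"") + entries.get(ENTRY_FINDER_INFO, b"")
            if OPENER_MARKER in meta:
                findings.append({
                    "sidecar": name,
                    "target": target,
                    "safe_ext": os.path.splitext(base)[1].lower() in SAFE_EXTENSIONS,
                    "target_present": target in names,
                })
    return findings


def build_appledouble(resource_fork):
    """Constructed fixture: minimal AppleDouble with a single resource-fork entry (id 2)."""
    header = APPLEDOUBLE_MAGIC + APPLEDOUBLE_VERSION2 + b"\x00" * 16 + struct.pack(">H", 1)
    entry = struct.pack(">III", ENTRY_RESOURCE_FORK, 26 + 12, len(resource_fork))
    return header + entry + resource_fork


def make_sample_zip():
    """Constructed sample archive: one suspicious pair and one benign pair.
    The resource fork is a placeholder blob, not a real resource map."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("clip.mov", b"constructed placeholder content\n")
        zf.writestr("__MACOSX/._clip.mov",
                    build_appledouble(b"placeholder Terminal.app placeholder"))
        zf.writestr("readme.txt", b"benign text\n")
        zf.writestr("__MACOSX/._readme.txt", build_appledouble(b"no opener named here"))
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip_bytes(make_sample_zip()):
        print(hit)
```

Run it on a real archive with `scan_zip_bytes(open(path, "rb").read())`; a finding with `safe_ext` and `target_present` both true is the pairing the detection items describe, while a sidecar naming Terminal for a file with a non-safe extension is still worth logging, since Safari's preference would not auto-open that file but the metadata is unusual.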
No detection rules found.
Exploit-DB
Apple Safari - Archive Metadata Command Execution (Metasploit)
exploitdb · 2010-09-20
---
##
# $Id: safari_metadata_archive.rb 10394 2010-09-20 08:06:27Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 HttpClients::SAFARI,
:os_name => [ OperatingSystems::MAC_OSX ],
:javascript => true,
:rank => ExcellentRanking, # reliable cmd execution
:vuln_test => nil,
})
def initialize(info = {})
super(update_info(info,
'Name' => 'Safari Archive Metadata Command Execution',
'Description' => %q{
This module exploits a vulnerability in Safari's "Safe file" feature, whic
Metasploit
Safari Archive Metadata Command Execution
This module exploits a vulnerability in Safari's "Safe file" feature, which will automatically open any file with one of the allowed extensions. This can be abused by supplying a zip file, containing a shell script, with a metafile indicating that the file should be opened by Terminal.app. This module depends on the 'zip' command-line utility.
No writeups or analysis indexed.
References
- http://docs.info.apple.com/article.html?artnum=303382
- http://secunia.com/advisories/18963
- http://securitytracker.com/id?1015652
- http://www.frsirt.com/exploits/20060222.safari_safefiles_exec.pm.php
- http://www.heise.de/english/newsticker/news/69862
- http://www.kb.cert.org/vuls/id/999708
- http://www.mathematik.uni-ulm.de/numerik/staff/lehn/macosx.html
- http://www.osvdb.org/23510
- http://www.securityfocus.com/bid/16736
- http://www.us-cert.gov/cas/techalerts/TA06-053A.html
- http://www.us-cert.gov/cas/techalerts/TA06-062A.html
- http://www.vupen.com/english/advisories/2006/0671
- https://exchange.xforce.ibmcloud.com/vulnerabilities/24808