CVE-2011-3230
published 2011-10-14


Priority: P3 (57)
CVSS 2.0: 6.8 (medium), vector AV:N/AC:M/Au:N/C:P/I:P/A:P
Exploit: public exploit available
EPSS: 50.21% (98.8th percentile)
Apple Safari before 5.1.1 on Mac OS X does not enforce an intended policy for file: URLs, which allows remote attackers to execute arbitrary code via a crafted web site.

Affected

71 ranges (showing 1 distinct range; the remaining listed entries repeat the same vendor/product with no version data)

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | <= 5.1 | (not listed) |

Detection & IOCs (extracted from sources)

- path: /Volumes/[share]
- path: /Users/[username]/Downloads/
- url: file:///Volumes/[share]/[payload]
- filename: *.jar
- filename: *.sh
  • Detect Safari on macOS navigating to file:// or ftp:// URLs originating from a remote web page — the exploit uses JavaScript to first automount an FTP share and then redirect document.location to a file path under /Volumes/ to execute the payload.
  • Alert on inbound anonymous FTP connections (port 21) immediately followed by an HTTP request from the same host — this two-stage pattern (FTP automount then HTTP payload delivery) is characteristic of this exploit.
  • Detect User-Agent strings matching Safari 5.x on Intel Mac OS X being served exploit content — the module explicitly checks for this pattern before delivering the payload.
  • Monitor for .jar or .sh files being downloaded via FTP from an anonymous session and subsequently executed from /Volumes/ — these are the two payload types used by the exploit.
  • Look for JavaScript on web pages that sets document.location to a path under /Volumes/ — this is the trigger mechanism for the arbitrary code execution.
  • The exploit requires a precondition: an SMB, WebDAV, FTP, or other automountable share must be opened on the victim machine first. Without a successful automount under /Volumes/, the file:// execution step will fail.
  • Username-based payload delivery to /Users/[username]/Downloads/ is only viable if the victim's username is leaked or brute-forced; otherwise the /Volumes/ path via automount is the reliable vector.
  • Non-Java (.sh) payloads may be opened by Xcode rather than executed by the shell; Java (.jar) payloads are more reliable but still trigger an OS X "Are you sure?" warning dialog.
  • The FTP server port (21) is hardcoded and must not be changed for the automount mechanism to work correctly.
  • The ThreatFox IOCs tagged cve-2011-3230 belong to the unidentified win.unidentified_001 malware family and are associated with a mix of botnet C2 and staging infrastructure; their direct relationship to exploitation of this CVE in the wild is unconfirmed.