CVE-2011-3230
Published: 2011-10-14
Priority: P3 · 57 · medium
CVSS 2.0 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
Tags: EXPLOIT (public exploit available)
EPSS: 50.21% (98.8th percentile)
Apple Safari before 5.1.1 on Mac OS X does not enforce an intended policy for file: URLs, which allows remote attackers to execute arbitrary code via a crafted web site.
Affected
71 ranges in the source; only the first carries version data, the remaining listed rows were empty.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | <= 5.1 | — |
Detection & IOCs
(extracted from sources)

Detection signals:
- Detect Safari on macOS navigating to file:// or ftp:// URLs originating from a remote web page. The exploit uses JavaScript to first automount an FTP share and then redirect document.location to a file path under /Volumes/ to execute the payload.
- Alert on inbound anonymous FTP connections (port 21) immediately followed by an HTTP request from the same host. This two-stage pattern (FTP automount, then HTTP payload delivery) is characteristic of this exploit.
- Detect User-Agent strings matching Safari 5.x on Intel Mac OS X being served exploit content. The module explicitly checks for this pattern before delivering the payload.
- Monitor for .jar or .sh files being downloaded via FTP from an anonymous session and subsequently executed from /Volumes/. These are the two payload types used by the exploit.
- Look for JavaScript on web pages that sets document.location to a path under /Volumes/. This is the trigger mechanism for the arbitrary code execution.

Caveats:
- The exploit requires a precondition: an SMB, WebDAV, FTP, or other automountable share must be opened on the victim machine first. Without a successful automount under /Volumes/, the file:// execution step will fail.
- Username-based payload delivery to /Users/[username]/Downloads/ is only viable if the victim's username is leaked or brute-forced; otherwise the /Volumes/ path via automount is the reliable vector.
- Non-Java (.sh) payloads may be opened by Xcode rather than executed by the shell; Java (.jar) payloads are more reliable but still trigger an OS X "Are you sure?" warning dialog.
- The FTP server port (21) is hardcoded and must not be changed for the automount mechanism to work correctly.
- The ThreatFox IOCs tagged cve-2011-3230 belong to the unidentified win.unidentified_001 malware family and are associated with a mix of botnet C2 and staging infrastructure; their direct relationship to exploitation of this CVE in the wild is unconfirmed.
No detection rules found.
Exploit-DB
Apple Safari - 'file://' Arbitrary Code Execution (Metasploit)
exploitdb · 2011-10-17
The module header as listed on Exploit-DB (the listing is truncated in the source; the `<` in the class line and the `'Name'` key were lost to HTML extraction and are restored here):

```ruby
##
# $Id: safari_file_policy.rb 13967 2011-10-17 03:49:49Z todb $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'
require 'rex/service_manager'

class Metasploit3 < Msf::Exploit::Remote
  # [module boilerplate between the class line and the 'Name' entry is missing from the source listing]
        'Name'        => "Apple Safari file:// Arbitrary Code Execution",
        'Description' => %q{
            This module exploits a vulnerability found in Apple Safari on OSX platform.
            A policy issue in the handling of file:// URLs may allow arbitrary remote code
            execution under the context of the user.

            In order to trigger arbitrary remote code execution, the best way see
  # [listing truncated in the source]
```
Metasploit
Apple Safari file:// Arbitrary Code Execution
This module exploits a vulnerability found in Apple Safari on OS X platform. A policy issue in the handling of file:// URLs may allow arbitrary remote code execution under the context of the user. In order to trigger arbitrary remote code execution, the best way seems to be opening a share on the victim machine first (this can be SMB/WebDav/FTP, or a file format that OS X might automount), and then execute it in /Volumes/[share]. If there's some kind of bug that leaks the victim machine's current username, then it's also possible to execute the payload in /Users/[username]/Downloads/, or else bruteforce your way to getting that information. Please note that non-java payloads (*.sh extension) might get launched by Xcode instead of executing it,
References
- http://lists.apple.com/archives/Security-announce/2011//Oct/msg00004.html
- http://osvdb.org/76389
- http://support.apple.com/kb/HT5000
- http://www.securityfocus.com/bid/50162
- https://exchange.xforce.ibmcloud.com/vulnerabilities/70567

Published: 2011-10-14