Blended Threat – Safari Carpet Bomb and More

It has been two weeks since the announcement of the Safari carpet bombing. In case you do not know, Safari has a very nice feature that allows web servers to put arbitrary files into your local computer without consent, and, according to Apple, that is by design.

Neat! Remote file management!

What harm could it bring to have junk files on our local system? We users have a lot of junk, don’t we? Three things that can be summarized :

1. A fake executable so unwary users click on it.
2. A malicious PDF like with vulnerability MS07-061.
3. Open IE7 or IE8 ( or possibly other software, more to that. ) and then get 0wN3d immediately.

Nitesh Dhanjani wrote about the carpet bomb. The core idea is that Safari will download the file to the default download location if it cannot handle the file type (Content-type). Internet Explorer and Firefox prompts the user in the same situation.

Now, add this with Aviv Raff’s findings on DLL-Hijack of IE7 ( and IE8 beta 1 ), they make an unaware download and an auto-executed file. The core idea is that IE7 ( IE 8 beta 1 ) uses the LoadLibrary API in Windows. The internal implementation is that it loads the first DLL found.

According to MSDN,

If lpFileName does not include a path and there is more than one loaded module with the same base name and extension, the function returns a handle to the module that was loaded first.

More to the DLL search order here.

Knowing this, and because IE does not load the dlls with absolute path and sign their DLL with public key, you can put the malicious dll with the same name in a place where IE will search earlier than the real path, then you get your private DLL loaded in place of the real one. That’s a DLL Hijack. Start IE7/8 beta1, you are 0wN3d.

Technical details, proof of concepts and credits to Liu Die Yu who pieced the puzzles together, and of course ultimately to the original vulnerability finders of Nitesh Dhanjani and Aviv Raff.

But wait. Like I said, LoadLibrary is an API of Windows, so it is not the problem of IE. Which means, for any application that uses a relative path and unsigned DLL is going to suffer the same fate of IE. Yes, you can’t really do anything with that for an arbitrary software you have. But think again, if someone can put a file into your computer without your consent, you are actually in great danger already.

To mitigate the Safari Carpet Bombing, follow this advisory.

But, again, what if the downloaded file is not dll? It can be a nasty MS07-061 remote arbitrary code execution in form of a PDF file. With IE7 installed, the shell32 will make way for the exploit as well. Sometimes with a lot of things on the desktop, the average person might not remember what is the file, and then open it …ouch! Get patched with KB943460.

Even more, if there is a nice .url icon with a familiar icon ( but with an extra arrow ) but pointing to a nasty URL…? You aren’t much better with this ending either. You can only be wary of what you click.

I really consider this Safari threat a nasty one. And it is a good thing I am not using it, and I for one don’t want to be 0wN3d, do you?


1 Response to “Blended Threat – Safari Carpet Bomb and More”

  1. 1 Google Chrome has the same bomb as Safari « secKa’s Weblog Trackback on September 3, 2008 at 3:38 am

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s


%d bloggers like this: