CESA-2009-007 - rev 1

[See all my vulnerabilities at http://scary.beasts.org/security]

[Blog if you want to subscribe to new findings is at http://scarybeastsecurity.blogspot.com/]

Apple Safari 4 Beta local file theft bug

Programs affected: Safari 4 Beta; fixed in Safari 4 final
Severity: Websites can steal files from the victim's computer

This bug is a bonus addendum to this unpleasant XXE-based file theft attack. It is another Safari XXE attack that my colleague Carlos Pizano initially suggested might be possible based on the Chrome sandbox preventing network libraries being loaded. So full credit to Carlos for getting me to look into this further. All I did was create a file-stealing test case for Safari 4 Beta.

The great news here is that Apple responded swiftly to fix this in time for Safari 4 final. Therefore, best I know, this bug never hit a production release browser. (Safari 3 is unaffected because the cause of the bug seems to be a Webkit-based regression in more recent versions of Webkit).

Here's the simple attack code. We just need to serve it with XML MIME type. As can be seen, it's a much simpler XXE attack vector:

<!DOCTYPE doc [ <!ENTITY ent SYSTEM "file:///c:/boot.ini"> ]>
<element>Gimme ur filez?</element>


Click here for Safari 4 Beta / Windows


CESA-2009-007 - rev 1
Chris Evans