
Safari 4

Hijacking Safari 4 Top Sites with Phish Bombs

- Discovered by: Inferno
=============================================

I. TITLE
-------------------------
Hijacking Safari 4 Top Sites with Phish Bombs

II. VULNERABLE
-------------------------
Safari 4 all versions < 4.0.3 
Platforms affected - Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X

Exploiting Chrome and Opera's inbuilt ATOM/RSS reader with Script Execution and more

feed aggregator services (e.g. Feed Demon). The vulnerability arises from
the fact that it is not expected of RSS readers to render scripted content.
I want to extend that research by doing threat analysis on inbuilt feed
readers offered in most modern browsers. I have found Google Chrome (v2,3)
and Opera (v9,v10) to be vulnerable, while Internet Explorer(v7,8), Firefox
3.5 and Safari 4 are resilient to the exploits mentioned below.

IV. DESCRIPTION
-------------------------
Google Chrome and Opera’s inbuilt RSS/ATOM Reader renders untrusted
javascript in an RSS/ATOM feed.

Fwd: Wowd search client multiple variable xss

#############
Test
#############

I tested it in IE8, Firefox 3.5.3 and Safari 4.

In all cases the XSS is executed, including IE8 with the XSS filter :D

A remote user can compose an HTML document
with an iframe and this source for the iframe:

Apple Safari 4 Beta feeds: URI NULL Pointer Dereference Denial of Service Vulnerability

Date:    Feb 25 2009
Class:    Input Validation Error
Local:    Yes
Remote:    Yes
Vulnerable Versions:
    * Apple Safari 4 (528.16) Public Beta


n.runs-SA-2009.006 - Apple Safari - Null pointer dereference

2009/06/07    Bug found
2009/06/08    Preparing PoC's and problem description for three bug 
              classes (n.runs-SA-2009.004 - n.runs-SA-2009.006); 
              writing initial email
2009/06/08    Apple releases Safari 4.0 [1]
2009/06/09    Sending initial email in midnight hour (UTC/GMT +2 hours)
2009/06/09    Bot reply mail delivered; received Follow-Up ID
2009/06/09    Due to a press release n.runs is now aware of new release;
              testing three PoCs; two of them seem to be fixed
2009/06/10    Apple replies and outlining "to take any report of a 

Safari browser port blocking bypassed by integer overflow

* XHR (XMLHttpRequest) as a vector for mail merging or wordlist attacks in
   XPS/IPE attacks

We're going to show you how these two methods combine like Voltron into a whole
much larger than its parts. At the end of this short advisory you will be able
to take any Safari web browser and make it a spam drone, a wordlist-based logon
cracker for networks, or a relay for payloads to arbitrary daemons. You will be
able to do all of this without passing any shellcode or alerting any IDS to
compromise. 

Let's cover the bug.

n.runs-SA-2009.005 - Apple Safari - Information disclosure

2009/06/07    Bug found
2009/06/08    Preparing PoC's and problem description for three bug 
              classes (n.runs-SA-2009.004 - n.runs-SA-2009.006); 
              writing initial email
2009/06/08    Apple releases Safari 4.0 [1]
2009/06/09    Sending initial email in midnight hour (UTC/GMT +2 hours)
2009/06/09    Bot reply mail delivered; received Follow-Up ID
2009/06/09    Due to a press release n.runs is now aware of new release;
              testing three PoCs; two of them seem to be fixed
2009/06/10    Apple replies and outlining "to take any report of a 

Fwd: Google Chrome About:blank Spoof

Chrome Version: 2.0.172.37 (Official Build)
URLs (if applicable) :
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 4: FAIL
Firefox 3.x: FAIL
IE 7: OK
IE 8: OK

What steps will reproduce the problem?

iDefense Security Advisory 06.11.09: Multiple Vendor WebKit Error Handling Use After Free Vulnerability

04/13/2009  - Initial Contact
04/14/2009  - Initial response
04/22/2009  - PoC Requested
04/23/2009  - PoC Sent
05/18/2009  - Apple inquiry about Safari 4
05/21/2009  - Responded to Apple inquiry
06/08/2009  - Coordinated public disclosure

IX. CREDIT