[23950] in bugtraq

Macintosh IE file execution vulnerability

daemon@ATHENA.MIT.EDU (Jass Seljamaa)
Tue Jan 22 17:34:06 2002

To: bugtraq@securityfocus.com
Message-ID: <1011697367.3c4d46d768ffa@email.isp.ee>
Date: Tue, 22 Jan 2002 13:02:47 +0200 (EET)
From: Jass Seljamaa <jass@email.isp.ee>
MIME-Version: 1.0

Problem:
A malicious webmaster can execute files if the victim is
using Internet Explorer 5.

Affected versions:
IE 5.0, probably earlier, on Classic systems (below OS X)

Description:

If you know the file path you can execute whatever you want. What makes it
difficult is that Macintosh hard drives have different names, just like
folders, not like on Windows, where you can refer to the HD by typing c:\.
On OS 9 (and above) there are a bunch of AppleScripts called 'speakable items',
which are made to make your life easier. They can be used for example to shut
down the Macintosh*, change the resolution, put the computer to sleep (an
energy-saving mode), close this window, close all windows etc. The default HD
name is Macintosh HD (all systems I can remember). On OS 9 (with the default
configuration) the speakable item named Put Computer To Sleep lies in
Macintosh HD:System Folder:Speakable Items:Put Computer To Sleep.

* - Asks for confirmation.

Exploit:


<META HTTP-EQUIV="refresh" CONTENT="1; URL=file:///Macintosh%20HD/System%20Folder/Speakable%20Items/Put%20Computer%20To%20Sleep">

This will blank the screen and spin down the hard disk(s).

Vendor:
I contacted Microsoft 2 months ago; they did not reply.



Jass Seljamaa,
jass@isp.ee
GSM: +3725212242  
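
A defensive check for the redirect pattern reported above, as an added example that is not part of the original post: a Python filter, suitable for an HTML gateway or proxy, that flags meta refresh tags whose target uses a scheme other than http(s). The function and class names, the allowed-scheme list and the sample pages are assumptions made for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

# Assumption: only these schemes are acceptable refresh targets ("" = relative URL).
ALLOWED_SCHEMES = {"", "http", "https"}

# content="<delay>[;|,] [URL=]<target>", with the target optionally quoted.
REFRESH_RE = re.compile(
    r"""^\s*[\d.]*\s*[;,]?\s*(?:url\s*=\s*)?(['"]?)(.*?)\1\s*$""", re.I | re.S)


class MetaRefreshAuditor(HTMLParser):
    """Collects <meta http-equiv=refresh> targets that leave http(s)."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {name: (value or "") for name, value in attrs}
        if attr.get("http-equiv", "").strip().lower() != "refresh":
            return
        match = REFRESH_RE.match(attr.get("content", ""))
        target = match.group(2).strip(" \t\r\n'\"") if match else ""
        if not target:
            return  # plain timed reload, no redirect target
        parts = urlsplit(target)
        if parts.scheme not in ALLOWED_SCHEMES:
            self.findings.append({"scheme": parts.scheme, "target": target,
                                  "path": unquote(parts.path)})


def audit_meta_refresh(html):
    """Return one finding per meta refresh that points outside http(s)."""
    auditor = MetaRefreshAuditor()
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample pages; the first wraps the redirect quoted in the post.
SAMPLE_LOCAL = ('<html><head><META HTTP-EQUIV="refresh" CONTENT="1; URL=file:///'
                'Macintosh%20HD/System%20Folder/Speakable%20Items/'
                'Put%20Computer%20To%20Sleep"></head></html>')
SAMPLE_BENIGN = '<meta http-equiv="refresh" content="0; url=https://example.org/next">'
```
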
