Blended Threat: Attacking Windows Users using Safari’s and IE’s Vulnerabilities
Safari Carpet Bomb, discovered by Nitesh Dhanjani, is a vulnerability in Apple's web browser on OS X and Microsoft Windows. When a user browses to a specially crafted website with Safari, Safari downloads files onto the user's machine without any user interaction (the default location is the Desktop). The trick that forces Safari to download a file onto the user's machine is an iframe:
<iframe src="somefile" width="xxx" height="xxx"></iframe>
I installed Safari 3.3.1 (525.17), the latest version of Safari, and browsed to my crafted website. The result is below:
Safari downloaded 3 files onto the Desktop - A, B and C. Many people, including Apple, consider this behavior to be of little or no harm: a file downloaded onto the user's machine cannot be executed by Safari itself. Yes, their attitude was right, until Aviv Raff pointed out something important.
Aviv Raff, a brilliant security researcher, discovered something that escalates Safari's vulnerability to critical severity. He released a screenshot to prove that command execution can occur when Safari's vulnerability is combined with Internet Explorer's behavior. If you look at what he discovered about IE in the past, you will see something very interesting. In December 2006, Aviv Raff found that IE7 has a behavior that can be dangerous to the user: for some DLLs, IE7 searches the PATH environment for the DLL and loads the first match into memory. In some situations, IE7 searches the Desktop. If an attacker has the ability to put DLLs on the victim's Desktop, he wins the game...
Now, I think you already know how to put things together, right? :). Trick the user into downloading files onto the Desktop using Safari's vulnerability, then wait for the user to launch IE. To test this, I created 3 DLL files - sqmapi.dll, imageres.dll and schannel.dll - which launch calc.exe, notepad.exe and mspaint.exe. Is it necessary to name the DLLs like this? According to Aviv's information, only these DLLs can be used to hijack IE. This is the result when I use Safari to browse the web and then open IE7:
and this screenshot confirms that IE7 has launched calc, notepad and mspaint:
If you would like to see which paths IE searches, and in what order, you can use Process Monitor to view it. This is the snapshot from Process Monitor:
From the picture above, I can assume that IE's search path is in the following order:
- C:\Program Files\Internet Explorer\
- C:\Documents and Settings\username\Desktop
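The same search order, and any DLL that IE actually loaded from a Desktop, can be pulled out of a Process Monitor CSV export instead of read off a screenshot. The script below is an added example and is not part of the original post; it assumes Process Monitor's default CSV column layout (Time of Day, Process Name, PID, Operation, Path, Result, Detail) and uses constructed sample rows modelled on the scenario above.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (default column order assumed).
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:02:11.0001","iexplore.exe","1234","Load Image","C:\\Program Files\\Internet Explorer\\iexplore.exe","SUCCESS","Image Base: 0x400000"
"10:02:11.0002","iexplore.exe","1234","CreateFile","C:\\Program Files\\Internet Explorer\\sqmapi.dll","NAME NOT FOUND","Desired Access: Read"
"10:02:11.0003","iexplore.exe","1234","CreateFile","C:\\Documents and Settings\\alice\\Desktop\\sqmapi.dll","SUCCESS","Desired Access: Read"
"10:02:11.0004","iexplore.exe","1234","Load Image","C:\\Documents and Settings\\alice\\Desktop\\sqmapi.dll","SUCCESS","Image Base: 0x10000000"
"10:02:11.0005","iexplore.exe","1234","Load Image","C:\\WINDOWS\\system32\\schannel.dll","SUCCESS","Image Base: 0x767f0000"
"10:02:12.0000","explorer.exe","800","Load Image","C:\\Documents and Settings\\alice\\Desktop\\notes.dll","SUCCESS","Image Base: 0x20000000"
"""

# A per-user Desktop folder, XP-style (Documents and Settings) or Vista-style (Users) layout.
DESKTOP_RE = re.compile(r"^[a-z]:\\(documents and settings|users)\\[^\\]+\\desktop\\", re.IGNORECASE)


def find_desktop_dll_loads(csv_text, process_name="iexplore.exe"):
    """Paths of every DLL the given process successfully mapped from a Desktop folder."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name:
            continue
        path = row["Path"]
        if (row["Operation"] == "Load Image" and row["Result"] == "SUCCESS"
                and path.lower().endswith(".dll") and DESKTOP_RE.match(path)):
            hits.append(path)
    return hits


def search_order(csv_text, dll_name, process_name="iexplore.exe"):
    """Directories the process probed for dll_name, in the order Process Monitor recorded them."""
    dirs = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name or row["Operation"] != "CreateFile":
            continue
        path = row["Path"]
        if path.lower().endswith("\\" + dll_name.lower()):
            dirs.append(path.rsplit("\\", 1)[0] + "\\")
    return dirs


if __name__ == "__main__":
    for d in search_order(SAMPLE_CSV, "sqmapi.dll"):
        print("probed:", d)
    for p in find_desktop_dll_loads(SAMPLE_CSV):
        print("ALERT: IE loaded a DLL from a user's Desktop:", p)
```

On a real export, point both functions at the file contents instead of SAMPLE_CSV; a non-empty result from find_desktop_dll_loads is the condition worth alerting on.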
Have fun with them ^_^
P.S. This attack is also called a "Blended Threat": an attack that combines two or more different software vulnerabilities.