On Thursday, Rapid7 advised users of Apple’s Safari Web browser to avoid opening “.webarchive” files, after the discovery of a vulnerability in the security model of the webarchive format.
In Safari, the webarchive format saves all of the resources within a given webpage, including images, scripts, and stylesheets, into a single file. In a blog post, Rapid7’s Joe Vennix explained the Universal Cross-Site Scripting vulnerability, which has serious repercussions for Safari users on both the Windows and Mac OS X platforms.
Apple has not addressed the issue because exploitation requires an attacker to trick a victim into opening the .webarchive file manually. This can only happen after the victim ignores a generic warning message that says in part “…this content was downloaded from a webpage…”.
“This is a potentially dangerous decision, since a user expects better security around the confidential details stored in the browser, and since the webarchive format is otherwise quite useful. Also, not fixing this leaves only the browser’s file:// URL redirect protection, which has been bypassed many times in the past,” Vennix explained.
In order to demonstrate the vulnerability, Vennix created a Metasploit module that can generate a malicious .webarchive file that will carry out five different attacks against Safari.
The module’s attacks are valid against all versions of Safari on OS X and Windows. A listener run by the module prints the stolen data to msfconsole, including saved passwords, local files and system logs, and data captured by the poisoned JavaScript (a keylogger).
A complete listing of the attacks and how they work in the proof-of-concept Metasploit module is available on the Rapid7 blog. The module itself is available on GitHub.