Deleting Files Using the ‘telnet’ URI Protocol

[Update, 24 May 2004: If you just want to know the steps I recommend to close the various URI-related vulnerabilities, see “An Ounce of Prevention”.]

In addition to the ‘disk’, ‘disks’, and ‘help’ URI protocols mentioned yesterday, you should also turn off the ‘telnet’ protocol. By default, it’s assigned to Terminal; I recommend using RCDefaultApp to set it to “<disabled>”.

The problem with Mac OS X’s default handling for ‘telnet://’ URIs is that it treats whatever follows the slashes as an argument to the telnet shell command. This includes the use of command-line option switches. telnet’s “-n” switch can be used to specify a text file in which a log of the telnet session will be written.

Thus, a URI such as:

telnet://-nfoo

will create, or overwrite, a file named “foo” in your home folder. This file is empty, and it isn’t executed, but the fact that it will overwrite an existing file with the same name is some serious shit.

It won’t overwrite folders (e.g. it won’t replace your Documents folder with an empty file named “Documents”), and it will not overwrite files to which you don’t have write privileges (thus it can’t be used to overwrite essential system components).

But it can be used to overwrite any file on your computer to which you do have write privileges, which includes pretty much any file within your home folder.

To access files outside the root level of your home folder, simply URL-encode the directory-separator slashes. This URI will write a file named “foo” in your startup disk’s /tmp folder:

telnet://-n%2Ftmp%2Ffoo

Now we get nasty; this one will overwrite your Finder preferences file:

telnet://-nlibrary%2Fpreferences%2Fcom.apple.finder.plist

For some reason, such URIs only work if the entire path is specified using lowercase letters — despite the fact that the actual names for the folders in the above example are “Library” and “Preferences”.
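The root cause described above is that the URI handler hands the authority component straight to a command-line tool, where a leading hyphen is read as an option switch. The following check is an added example, not code from the original post or from Mac OS X: a hypothetical handler helper that percent-decodes the authority, refuses anything that could be parsed as a switch or a file path, and only then builds an argument vector for the telnet command.

```python
import re
from urllib.parse import unquote

# Hostname (or dotted IPv4 literal) with an optional :port. A DNS label may
# not begin with a hyphen, so "-nfoo" can never be accepted as a host.
_HOST_RE = re.compile(
    r"^(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*)"
    r"(?::\d{1,5})?$"
)


def telnet_target(uri: str):
    """Return (host, port) for a telnet:// URI, or None if it must be refused.

    The check runs on the percent-decoded authority, so an encoded slash
    ("%2F") is seen as the path separator it would become on the command line.
    """
    if not uri.lower().startswith("telnet://"):
        return None
    authority = uri[len("telnet://"):].split("/", 1)[0]
    authority = unquote(authority)
    # Drop any user@ prefix; only the host is ever passed to the command.
    if "@" in authority:
        authority = authority.rsplit("@", 1)[1]
    # Refuse option-like values, path separators and anything not host-shaped.
    if authority.startswith("-") or "/" in authority:
        return None
    if not _HOST_RE.match(authority):
        return None
    host, _, port = authority.partition(":")
    port_num = int(port) if port else 23
    if port_num > 65535:
        return None
    return host, port_num


def telnet_argv(uri: str):
    """Argument vector a handler may pass to telnet, or None to refuse the URI."""
    target = telnet_target(uri)
    if target is None:
        return None
    host, port = target
    return ["telnet", host, str(port)]
```

Passing the vector to the tool as separate arguments (never through a shell string) is what keeps the host from being re-parsed as switches.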

I first saw this ‘telnet’ exploit in this comment from “fukami” on Elizabeth Lawley’s Mamamusings weblog. Jay Allen clued me in to the URL-encoded slashes trick that allows this exploit to overwrite files outside your home folder.

What About ssh?

Within minutes of posting this article, I started getting email asking if the ‘ssh’ protocol has a similar hole. As far as I can tell, it does not: I’m not aware of any way that an ‘ssh’ URI can be used nefariously. For one thing, even though the ssh protocol can be loosely described as a secure alternative to telnet, the ssh shell command provides an entirely different set of command-line switches than the telnet tool; ssh has no switch analogous to telnet’s “-n”.