ID

VAR-200706-0107


CVE

CVE-2007-3186


TITLE

Apple Safari vulnerable to arbitrary command execution

Trust: 0.8

sources: JVNDB: JVNDB-2007-002179

DESCRIPTION

Apple Safari Beta 3.0.1 for Windows allows remote attackers to execute arbitrary commands via shell metacharacters in a URI in the SRC of an IFRAME, as demonstrated using a gopher URI.

Apple Safari for Windows is prone to a protocol handler command-injection vulnerability. Exploiting the issue allows remote attackers to pass arbitrary command-line arguments to any application that can be called through a protocol handler. This specific vulnerability relies on the use of IFRAME elements; attackers can do even more damage by combining it with Mozilla XPCOM components. Exploiting the issue would permit a remote attacker to influence command options that can be called through Safari protocol handlers and to compromise affected systems in the context of the vulnerable user. This issue may be related to the vulnerability discussed in BID 10406 (Apple MacOS X SSH URI Handler Remote Code Execution Vulnerability). We will update this BID as more information emerges. Note: Apple has released Safari for Windows Beta 3.0.1.

Apple Safari is a web browser used by the Apple family of operating systems. There is a vulnerability in Safari's handling of URL parameters, which may be exploited by remote attackers to control the user's machine. On the Windows platform, a URL protocol handler executes a process with specific command-line parameters at runtime. Safari on Windows does not properly validate the input for these parameters, so an attacker could inject commands, bypassing the intended restrictions.

A typical URL request, such as myprotocol://someserver.com/someargument, would be translated into the following command line:

"C:\Program Files\My Application\myprotocol.exe" "someserver.com/someargument"

This alone is not enough to send arbitrary characters to the command line, because URL escaping is applied. A request such as myprotocol://someserver.com/some"[SPACE]argument is converted to:

"C:\Program Files\My Application\myprotocol.exe" "someserver.com/some"%20argument

Safari cannot be attacked this way after escaping, because the executed command line is invalid. However, Safari does not correctly validate the input when these requests are processed through an IFRAME element. For example:

<iframe src=' myprotocol://someserver.com" < foo > bar | foobar "arg1'></iframe>

would be converted to the following command line:

"C:\Program Files\My Application\myprotocol.exe" "someserver.com" < foo > bar | foobar"

Trust: 1.98

sources: NVD: CVE-2007-3186 // JVNDB: JVNDB-2007-002179 // BID: 24434 // VULHUB: VHN-26548

AFFECTED PRODUCTS

vendor: apple // model: safari // scope: eq // version: 2.0.4

Trust: 1.9

vendor: apple // model: safari // scope: eq // version: 2.0.3

Trust: 1.9

vendor: apple // model: safari // scope: eq // version: 2.0.2

Trust: 1.9

vendor: apple // model: safari // scope: eq // version: 2.0.1

Trust: 1.9

vendor: apple // model: safari // scope: eq // version: 3.0

Trust: 1.6

vendor: apple // model: safari // scope: eq // version: 3.0.1

Trust: 1.6

vendor: apple // model: safari // scope: eq // version: 2.0

Trust: 1.6

vendor: apple // model: safari // scope: eq // version: *

Trust: 1.0

vendor: apple // model: safari // scope: eq // version: windows edition beta 3.0.1

Trust: 0.8

vendor: apple // model: safari // scope: eq // version: windows

Trust: 0.6

vendor: apple // model: safari beta for windows // scope: eq // version: 3

Trust: 0.3

vendor: apple // model: safari beta // scope: eq // version: 3

Trust: 0.3

vendor: apple // model: mobile safari // scope: eq // version: 0

Trust: 0.3

vendor: apple // model: safari beta for windows // scope: ne // version: 3.0.1

Trust: 0.3

sources: BID: 24434 // JVNDB: JVNDB-2007-002179 // CNNVD: CNNVD-200706-194 // NVD: CVE-2007-3186

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2007-3186
value: HIGH

Trust: 1.0

NVD: CVE-2007-3186
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200706-194
value: CRITICAL

Trust: 0.6

VULHUB: VHN-26548
value: HIGH

Trust: 0.1

nvd@nist.gov: CVE-2007-3186
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

VULHUB: VHN-26548
severity: HIGH
baseScore: 9.3
vectorString: AV:N/AC:M/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 8.6
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-26548 // JVNDB: JVNDB-2007-002179 // CNNVD: CNNVD-200706-194 // NVD: CVE-2007-3186

PROBLEMTYPE DATA

problemtype:CWE-264

Trust: 1.9

sources: VULHUB: VHN-26548 // JVNDB: JVNDB-2007-002179 // NVD: CVE-2007-3186

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-200706-194

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-200706-194

CONFIGURATIONS

sources: JVNDB: JVNDB-2007-002179

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-26548

PATCH

title: APPLE-SA-2007-06-14 // url: http://lists.apple.com/archives/security-announce/2007/Jun/msg00000.html

Trust: 0.8

sources: JVNDB: JVNDB-2007-002179

EXTERNAL IDS

db: NVD // id: CVE-2007-3186

Trust: 2.8

db: BID // id: 24434

Trust: 2.0

db: VUPEN // id: ADV-2007-2192

Trust: 1.7

db: SECTRACK // id: 1018224

Trust: 1.7

db: OSVDB // id: 38542

Trust: 1.1

db: JVNDB // id: JVNDB-2007-002179

Trust: 0.8

db: FULLDISC // id: 20070612 SAFARI FOR WINDOWS, 0DAY URL PROTOCOL HANDLER COMMAND INJECTION

Trust: 0.6

db: XF // id: 34824

Trust: 0.6

db: BUGTRAQ // id: 20070612 SAFARI FOR WINDOWS, 0DAY URL PROTOCOL HANDLER COMMAND INJECTION

Trust: 0.6

db: APPLE // id: APPLE-SA-2007-06-14

Trust: 0.6

db: CNNVD // id: CNNVD-200706-194

Trust: 0.6

db: SEEBUG // id: SSVID-83626

Trust: 0.1

db: EXPLOIT-DB // id: 30176

Trust: 0.1

db: VULHUB // id: VHN-26548

Trust: 0.1

sources: VULHUB: VHN-26548 // BID: 24434 // JVNDB: JVNDB-2007-002179 // CNNVD: CNNVD-200706-194 // NVD: CVE-2007-3186

REFERENCES

url:http://lists.apple.com/archives/security-announce/2007/jun/msg00000.html

Trust: 1.7

url:http://www.securityfocus.com/bid/24434

Trust: 1.7

url:http://lists.grok.org.uk/pipermail/full-disclosure/2007-june/063926.html

Trust: 1.7

url:http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours

Trust: 1.7

url:http://larholm.com/2007/06/14/safari-301-released/

Trust: 1.7

url:http://www.securitytracker.com/id?1018224

Trust: 1.7

url:http://www.securityfocus.com/archive/1/471176/100/0/threaded

Trust: 1.1

url:http://osvdb.org/38542

Trust: 1.1

url:http://www.vupen.com/english/advisories/2007/2192

Trust: 1.1

url:https://exchange.xforce.ibmcloud.com/vulnerabilities/34824

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2007-3186

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2007-3186

Trust: 0.8

url:http://xforce.iss.net/xforce/xfdb/34824

Trust: 0.6

url:http://www.securityfocus.com/archive/1/archive/1/471176/100/0/threaded

Trust: 0.6

url:http://www.frsirt.com/english/advisories/2007/2192

Trust: 0.6

url:http://www.apple.com/safari/

Trust: 0.3

url:/archive/1/471176

Trust: 0.3

url:http://larholm.com/2007/06/12/safari-for-windows-0day-exploit-in-2-hours/

Trust: 0.3

sources: VULHUB: VHN-26548 // BID: 24434 // JVNDB: JVNDB-2007-002179 // CNNVD: CNNVD-200706-194 // NVD: CVE-2007-3186

CREDITS

Thor Larholm (Thor@jubii.dk)

Trust: 0.6

sources: CNNVD: CNNVD-200706-194

SOURCES

db: VULHUB // id: VHN-26548
db: BID // id: 24434
db: JVNDB // id: JVNDB-2007-002179
db: CNNVD // id: CNNVD-200706-194
db: NVD // id: CVE-2007-3186

LAST UPDATE DATE

2025-04-10T23:11:36.930000+00:00


SOURCES UPDATE DATE

db: VULHUB // id: VHN-26548 // date: 2018-10-16T00:00:00
db: BID // id: 24434 // date: 2007-06-14T13:39:00
db: JVNDB // id: JVNDB-2007-002179 // date: 2012-06-26T00:00:00
db: CNNVD // id: CNNVD-200706-194 // date: 2007-06-13T00:00:00
db: NVD // id: CVE-2007-3186 // date: 2025-04-09T00:30:58.490

SOURCES RELEASE DATE

db: VULHUB // id: VHN-26548 // date: 2007-06-12T00:00:00
db: BID // id: 24434 // date: 2007-06-12T00:00:00
db: JVNDB // id: JVNDB-2007-002179 // date: 2012-06-26T00:00:00
db: CNNVD // id: CNNVD-200706-194 // date: 2007-06-12T00:00:00
db: NVD // id: CVE-2007-3186 // date: 2007-06-12T22:30:00