CVE-2006-0848 in Mac OS X Server
Summary
by MITRE
The "Open safe files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/22/2025
This vulnerability exists in Safari's handling of downloaded files on Mac OS X systems, specifically when the "Open safe files after downloading" preference is enabled. The flaw stems from how the operating system processes metadata contained within __MACOSX folders that are part of compressed archives. When a user downloads a ZIP file containing such metadata, the system automatically interprets the resource fork data as executable commands, creating a dangerous execution path for remote attackers.
The technical implementation of this vulnerability exploits the way Mac OS X handles resource forks within compressed archives. The __MACOSX folder structure contains metadata that includes resource forks, which are separate data streams associated with files. When Safari processes these files and the automatic execution preference is enabled, the system attempts to interpret the resource fork data as a command script. This interpretation occurs through the Terminal application which automatically executes bash scripts, allowing attackers to craft malicious ZIP archives containing scripts with extensions that appear safe but trigger command execution when processed by the system.
The operational impact of this vulnerability is significant as it requires only a simple user interaction to achieve remote code execution. Attackers can craft malicious ZIP files that appear legitimate to users, exploiting the trust relationship between the browser and the operating system. The vulnerability demonstrates a classic case of privilege escalation through social engineering, where the user's action of downloading and opening what appears to be a safe file becomes the attack vector. This type of vulnerability aligns with CWE-78, which addresses improper neutralization of special elements used in OS commands, and represents a command injection flaw that operates at the system level rather than application level.
The attack scenario typically involves an attacker creating a ZIP archive containing a script with a safe file extension within the __MACOSX metadata structure. When users download and open this archive, the automatic processing of resource forks triggers bash execution, allowing the attacker to run arbitrary commands with the privileges of the logged-in user. This vulnerability particularly affects users who have enabled automatic opening of downloaded files, creating a persistent security risk across the Mac OS X ecosystem. The issue highlights the dangers of automatic execution features in operating systems and the importance of proper input validation and resource fork handling in file processing pipelines.
Mitigation strategies for this vulnerability include disabling the "Open safe files after downloading" preference in Safari, which removes the automatic execution component that enables the attack. Users should also exercise caution when downloading and opening compressed archives from untrusted sources, implementing additional verification steps before automatic processing occurs. System administrators should consider implementing network-level controls to block suspicious file types and ensure that automatic execution features are properly configured. The vulnerability demonstrates the importance of following secure coding practices as outlined in the OWASP Top Ten and aligns with ATT&CK technique T1059.004, which covers scripting languages used for command execution, emphasizing the need for proper input sanitization and privilege separation in file handling operations.