Apple Safari 6.0.5 on Mac OS X Restore Browser Sessions LastSession.plist cryptographic issue
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 3.9 | $0-$5k | 0.00 |
Summary
A vulnerability was found in Apple Safari 6.0.5 on Mac OS X. It has been rated as problematic. The affected element is an unknown function of the file LastSession.plist of the component Restore Browser Sessions Handler. The manipulation leads to cryptographic issue. This vulnerability is documented as CVE-2013-7127. Additionally, an exploit exists. Upgrading the affected component is advised.
Details
A vulnerability was found in Apple Safari 6.0.5 on Mac OS X (Web Browser). It has been rated as problematic. This issue affects an unknown function of the file LastSession.plist of the component Restore Browser Sessions Handler. The manipulation with an unknown input leads to a cryptographic issue vulnerability. Using CWE to declare the problem leads to CWE-310. Impacted is confidentiality, and integrity. The summary by CVE is:
Apple Safari 6.0.5 on Mac OS X 10.7.5 and 10.8.5 stores cleartext credentials in LastSession.plist, which allows local users to obtain sensitive information by reading this file.
The weakness was released 12/13/2013 by Vyacheslav Zakorzhevsky with Kaspersky Lab as Loophole in Safari as confirmed posting (Blog). The advisory is shared at securelist.com. The public release happened without involvement of Apple. The identification of this vulnerability is CVE-2013-7127 since 12/17/2013. The exploitation is known to be easy. An attack has to be approached locally. The successful exploitation requires a simple authentication. Technical details as well as a private exploit are known. MITRE ATT&CK project uses the attack technique T1600 for this issue. The advisory points out:
Safari, however, doesn’t encrypt previous sessions and stores them in a standard plist file that is freely accessible. As a result, it’s easy to find a user’s login credentials.
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 70563 (Mac OS X : Apple Safari < 6.1 Multiple Vulnerabilities), which helps to determine the existence of the flaw in a target environment. It is assigned to the family MacOS X Local Security Checks and running in the context l. The advisory illustrates:
The complete authorized session on the site is saved in the plist file in full view despite the use of https. The file itself is located in a hidden folder, but is available for anyone to read. The system can easily open a plist file. It stores information about the saved session – including http requests encrypted using a simple Base64 encoding algorithm – in a structured format.
Upgrading eliminates this vulnerability. A possible mitigation has been published even before and not after the disclosure of the vulnerability. The posting contains the following remark:
We have informed Apple about the problem.
The vulnerability is also documented in the databases at X-Force (89941), Tenable (70563), SecurityFocus (BID 60067†) and OSVDB (101118†). securelist.com is providing further details. Entries connected to this vulnerability are available at VDB-10343, VDB-10393, VDB-10394 and VDB-10976. If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Affected
- Apple Mac OS X 10.8.5, Safari 6.0.5 (8536.30.1)
- Apple Mac OS X 10.7.5, Safari 6.0.5 (7536.30.1)
Product
Type
Vendor
Name
Version
License
Website
- Vendor: https://www.apple.com/
CPE 2.3
CPE 2.2
Screenshot
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.4VulDB Meta Temp Score: 3.9
VulDB Base Score: 4.4
VulDB Temp Score: 3.9
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Cryptographic issueCWE: CWE-310
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Access: Private
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 70563
Nessus Name: Mac OS X : Apple Safari < 6.1 Multiple Vulnerabilities
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
OpenVAS ID: 800506
OpenVAS Name: Apple Safari Information Disclosure Vulnerability Dec13 (Mac OS X)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Timeline
05/21/2013 🔍10/22/2013 🔍
10/23/2013 🔍
12/13/2013 🔍
12/13/2013 🔍
12/17/2013 🔍
12/17/2013 🔍
06/04/2021 🔍
Sources
Vendor: apple.comAdvisory: Loophole in Safari
Researcher: Vyacheslav Zakorzhevsky
Organization: Kaspersky Lab
Status: Confirmed
CVE: CVE-2013-7127 (🔍)
GCVE (CVE): GCVE-0-2013-7127
GCVE (VulDB): GCVE-100-11501
X-Force: 89941 - Apple Safari running on Mac OS X credentials information disclosure
SecurityFocus: 60067
OSVDB: 101118
scip Labs: https://www.scip.ch/en/?labs.20161013
Misc.: 🔍
See also: 🔍
Entry
Created: 12/13/2013 13:40Updated: 06/04/2021 10:12
Changes: 12/13/2013 13:40 (68), 05/16/2018 09:08 (13), 06/04/2021 10:12 (4)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.