Maple exploit

Exploit for an 0day vulnerability (feature?) in Maple. https://www.metasploit.com/redmine/projects/framework/repository/revisions/9183

Default Maple security settings prevent code from running in a normal Maple worksheet (.mw) without user interaction, but those settings do not prevent code in a .maplet from running. Put malicious code at the start of a .maplet, get the target to double-click and … profit. (As a side note, less common file formats that can execute code, like these, are also great for attacking Google Chrome, because it’s easy to force a download and trick a user into clicking at the bottom of the page just as the download bar appears, which opens the file. This is why Firefox makes you click at least twice in different places on the screen, or includes a delay, when opening downloads. Chrome instead tries to identify every potentially harmful file extension in a blacklist, which really isn’t that great of an idea.)

But even if Maplesoft adds a confirmation box like the one they have for autostarting code in worksheets, they still have major problems. For example, there’s no ability to see what code you are allowing. And most Maple users probably don’t realize that allowing some Maple commands can get their system owned. Also, it’s not easy to disable only the potentially harmful commands. Exactly how many times does your Maple sheet need to access your filesystem or start processes? Probably never. So why not leave those commands disabled, and if the .maplet or .mw file tries to use them, require explicit user confirmation, displaying what file is to be accessed, or what command is to be executed?
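
The confirmation step proposed above, sketched as an added example (not code from Maplesoft or the original post): it scans Maple source text for commands that start processes or touch the filesystem and returns what a prompt would need to display. The command list is an assumed, non-exhaustive set chosen for illustration, and `mask` and `confirmation_prompts` are hypothetical names.

```python
import re

# Assumed, non-exhaustive deny-by-default set of Maple commands (illustrative).
SENSITIVE = {"system": "process", "ssystem": "process", "fopen": "file",
             "fremove": "file", "writeto": "file", "appendto": "file"}
CALL = re.compile(r"\b(" + "|".join(SENSITIVE) + r")\s*\(")
ARG = re.compile(r'\s*"((?:[^"\\]|\\.)*)"')  # literal string as first argument

# Constructed sample input, not a real maplet.
SAMPLE = '''\
# constructed sample
with(Maplets[Elements]):
ssystem("echo constructed-sample"):
msg := "call system(now)":  # text inside a string, not a call
fd := fopen(cat(dir, "/notes.txt"), WRITE):
'''

def mask(line):
    """Return (code, masked): '#' comment dropped; masked blanks string bodies."""
    code, masked, in_str, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if in_str and ch == "\\" and i + 1 < len(line):
            code.append(line[i:i + 2]); masked.append("  "); i += 2
            continue
        if ch == "#" and not in_str:
            break
        if ch == '"':
            in_str = not in_str
            masked.append(ch)
        else:
            masked.append(" " if in_str else ch)
        code.append(ch)
        i += 1
    return "".join(code), "".join(masked)

def confirmation_prompts(source):
    """List (line, kind, command, target) for each sensitive call found."""
    prompts = []
    for no, raw in enumerate(source.splitlines(), 1):
        code, masked = mask(raw)
        for m in CALL.finditer(masked):  # matched on masked text only
            lit = ARG.match(code, m.end())
            # A non-literal argument cannot be resolved statically.
            target = lit.group(1) if lit else "<computed at run time>"
            prompts.append((no, SENSITIVE[m.group(1)], m.group(1), target))
    return prompts

if __name__ == "__main__":
    for prompt in confirmation_prompts(SAMPLE):
        print("confirm before running:", prompt)
```

A static pass like this can only preview literal arguments; a computed argument still needs the prompt at the moment the command executes, when the actual file or command line is known.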
