CVE-2006-0848
Mac OS X - Remote Code Execution via Safari Safe Files Download Feature
Title source: llm
Exploitation Summary
EIP tracks 2 public exploits for CVE-2006-0848.
PoCs published by Metasploit, hdm, including Metasploit module exploits/osx/browser/safari_metadata_archive.
AI-analyzed exploit summary: This Metasploit module exploits CVE-2006-0848 in Safari by crafting a malicious ZIP archive with a shell script and metadata to force execution via Terminal.app. It requires the 'zip' utility and targets macOS Safari users.
Description
The "Open 'safe' files after downloading" option in Safari on Apple Mac OS X allows remote user-assisted attackers to execute arbitrary commands by tricking a user into downloading a __MACOSX folder that contains metadata (resource fork) that invokes the Terminal, which automatically interprets the script using bash, as demonstrated using a ZIP file that contains a script with a safe file extension.
Exploits (2)
This Metasploit module exploits CVE-2006-0848 in Safari by crafting a malicious ZIP archive with a shell script and metadata to force execution via Terminal.app. It requires the 'zip' utility and targets macOS Safari users.
This Metasploit module exploits a command execution flaw in Safari's 'Safe file' feature by delivering a malicious ZIP archive containing a shell script disguised as a .mov file with metadata to trigger Terminal.app execution.