Apple Safari parent.close() Invalid Pointer Code Execution

2010-05-28T00:00:00
ID SAINT:72C046E8C4B49955C9B463BA037E1F63
Type saint
Reporter SAINT Corporation
Modified 2010-05-28T00:00:00

Description

Added: 05/28/2010
CVE: CVE-2010-1939
BID: 39990
OSVDB: 64482

Background

Safari is a web browser for Mac OS X and Windows.

Problem

Apple Safari 4.0.5 for Windows (and probably earlier) allows remote attackers to execute arbitrary code by enticing the user to open a crafted HTML document. The crafted page creates a pop-up window with the window.open() method and then calls the parent window's window.close() method, which triggers the vulnerability through an invalid pointer.

Resolution

Enable the browser pop-up blocker (this is normally enabled by default in Safari). Consider disabling JavaScript in Safari. Upgrade when a fixed release becomes available.

References

<http://secunia.com/advisories/39670>
<http://www.kb.cert.org/vuls/id/943165>

Limitations

Exploit works on Apple Safari 4.0.5 for Windows.

The exploit web page must be the first page loaded into the Apple Safari browser instance on the target.

Pop-up windows must be enabled on the target Apple Safari browser, i.e., the pop-up blocker must be disabled.

The vulnerability is triggered when the user closes the pop-up window with [Alt + F4]. It may take a longer time than normal to establish the shell session.

Platforms

Windows