Apple OSX Safari 2.0.4 "RenderBlock::createLineBoxes" DoS

Release Date:
November 28th, 2006

Severity:
Low

Vendor:
Apple

Versions Affected:
OSX 10.4.8
Safari 2.0.4 (419.3)

Versions Not Affected:
WebKit build 17902

Overview:
A denial of service (null pointer dereference) vulnerability exists within Safari 2.0.4 and all prior versions, which allows an attacker to post a specially crafted .html page that causes the application to crash.

Technical Details:
Click the link below for the testcase to reproduce this issue:

http://security-protocols.com/poc/sp-x37.html

Below is the crash triggered on OSX 10.4.8 with Safari 2.0.4 (419.3):

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000068
0x954178c1 in khtml::RenderBlock::createLineBoxes ()
(gdb) bt
#0 0x954178c1 in khtml::RenderBlock::createLineBoxes ()
#1 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#2 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#3 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#4 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#5 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#6 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#7 0x9541779c in khtml::RenderBlock::constructLine ()
#8 0x9541350b in khtml::RenderBlock::layoutInlineChildren ()
#9 0x954102d4 in khtml::RenderBlock::layoutBlock ()
#10 0x9541009a in khtml::RenderBlock::layout ()
== snip ==
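The crash above is the whole technical record the advisory gives, so the useful defensive exercise is triage: reading the fault address and the backtrace to decide what class of bug it is and whether the "Low" rating holds. The script below is an added example, not code from the advisory or from Security-Protocols; it parses the gdb excerpt exactly as printed above and applies two heuristics that are assumptions of this example (a fault address below 0x1000 is treated as NULL plus a member offset, and consecutive identical top frames are counted as recursion depth).

```python
import re
from dataclasses import dataclass

# The crash excerpt as printed in the advisory (Safari 2.0.4 on OS X 10.4.8).
ADVISORY_CRASH = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000068
0x954178c1 in khtml::RenderBlock::createLineBoxes ()
(gdb) bt
#0 0x954178c1 in khtml::RenderBlock::createLineBoxes ()
#1 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#2 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#3 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#4 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#5 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#6 0x9541792d in khtml::RenderBlock::createLineBoxes ()
#7 0x9541779c in khtml::RenderBlock::constructLine ()
#8 0x9541350b in khtml::RenderBlock::layoutInlineChildren ()
#9 0x954102d4 in khtml::RenderBlock::layoutBlock ()
#10 0x9541009a in khtml::RenderBlock::layout ()
"""

# Heuristic (assumption of this example): a fault address inside the first
# page is almost always a NULL pointer plus a struct/member offset, i.e. an
# uncontrolled read rather than an attacker-controlled pointer.
NULL_PAGE_LIMIT = 0x1000

FAULT_RE = re.compile(r"Reason:\s+(\w+)\s+at address:\s+0x([0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+)\s+in\s+(\S+)\s*\(")


@dataclass
class CrashTriage:
    reason: str              # Mach exception reason, e.g. KERN_PROTECTION_FAILURE
    fault_address: int       # faulting address from the "Reason:" line
    frames: list             # (frame index, pc, symbol) in backtrace order
    likely_null_deref: bool  # fault_address < NULL_PAGE_LIMIT
    top_symbol: str          # symbol of frame #0
    recursion_depth: int     # consecutive frames from #0 sharing top_symbol


def parse_frames(text):
    """Return (index, pc, symbol) for every '#N 0x... in sym ()' line."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1)), int(m.group(2), 16), m.group(3)))
    return frames


def triage(text):
    """Classify a gdb crash excerpt: fault class plus recursion at the top."""
    m = FAULT_RE.search(text)
    if not m:
        raise ValueError("no 'Reason: ... at address:' line found")
    reason, addr = m.group(1), int(m.group(2), 16)
    frames = parse_frames(text)
    if not frames:
        raise ValueError("no backtrace frames found")
    top = frames[0][2]
    depth = 0
    for _, _, sym in frames:
        if sym != top:
            break
        depth += 1
    return CrashTriage(reason=reason, fault_address=addr, frames=frames,
                       likely_null_deref=addr < NULL_PAGE_LIMIT,
                       top_symbol=top, recursion_depth=depth)


def summarize(t):
    """One-line human summary used for the triage note."""
    if t.likely_null_deref:
        fault = "NULL pointer dereference, member offset 0x%x" % t.fault_address
    else:
        fault = "fault at 0x%08x (address not in NULL page)" % t.fault_address
    return "%s in %s; %d consecutive frame(s) of the same function; %s" % (
        fault, t.top_symbol, t.recursion_depth, t.reason)


if __name__ == "__main__":
    print(summarize(triage(ADVISORY_CRASH)))
```

Run against the advisory's own excerpt, the triage reports a NULL-page fault (offset 0x68) with createLineBoxes repeated seven frames deep under constructLine and the inline layout path, which is consistent with the advisory rating the bug as a crash-only denial of service rather than a memory-corruption issue. The same parser can be pointed at other gdb excerpts of this shape to separate null-page faults from faults at arbitrary addresses, which deserve a closer look.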

Vendor Status:
09/05/2006: Vendor Notified

Solution:
WebKit nightly build 17902 fixes this issue; the shipped Safari 2.0.4 remains vulnerable.

Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com

Related Links:
http://security-protocols.com/poc/sp-x37.html
http://security-protocols.com/sp-x37-advisory.php
http://nightly.webkit.org
http://apple.com

2006 Security-Protocols, LLC