OmniWeb 5.5.2 "MAP NAME=#" Denial of Service
Release Date:
January 10th, 2006
Severity:
Low
Vendor:
OmniGroup
Versions Affected:
OmniWeb 5.5.2 and prior
Description from the vendor:
You're a Mac fan, right? When people ask you why you like the Mac, you probably think of the attention to detail that makes the Mac user experience superior. It's the sum of a lot of different things that add up to a system that's more powerful, more beautiful, and more fun. What if you thought of a web browser in the same way? You use a web browser all the time, for working, for entertainment, for research; how cool would it be if every time you used it, you thought "Wow, this rules!"
Welcome to OmniWeb. OmniWeb elevates your web user experience to be more productive, more efficient, and more fun. You'll find information more quickly. You'll stay organized. You'll see the entire internet the way you choose. It's the browser that puts you in control.
Sure, you can use a standard web browser, with standard features. But you didn't choose a standard software experience - you chose the Mac. Why not try a browser built just for discriminating people with fabulous taste, like yourself?
Overview:
A null pointer dereference exists in OmniWeb 5.5.2 and all prior versions when a MAP element is given NAME=#. WebCore does not handle the lone # character correctly, and the attribute value reaches a string copy with a null source pointer: the backtrace below faults inside memcpy at address 0x00000000, called from WebCore::String::copy while HTMLMapElementImpl processes the attribute. An attacker who gets a victim to load a page containing the element can crash the browser. The fault is a read from address zero, and nothing in the crash data points to a controllable write, so the impact is limited to denial of service, consistent with the Low severity.
Technical Details:
Below is a minimal test case (a MAP element whose NAME attribute is the single character #) that reproduces the issue:
MAP NAME=#
Below is the crash triggered against OmniWeb 5.5.2:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0xffff0a3f in ___memcpy () at
#1 0x3464100a in WebCore::StringImpl::initWithQChar ()
#2 0x3463fb55 in WebCore::String::copy ()
#3 0x3446fc3d in WebCore::HTMLMapElementImpl::parseMappedAttribute ()
#4 0x3448db4e in WebCore::StyledElementImpl::attributeChanged ()
#5 0x3448b26e in WebCore::ElementImpl::setAttributeMap ()
#6 0x344816d4 in WebCore::HTMLParser::parseToken ()
#7 0x344828ca in WebCore::HTMLTokenizer::processToken ()
#8 0x34486976 in WebCore::HTMLTokenizer::parseTag ()
#9 0x34488693 in WebCore::HTMLTokenizer::write ()
#10 0x34532795 in WebCore::Frame::write ()
#11 0x34539504 in WebCore::Frame::endIfNotLoading ()
=== snip ===
(gdb) info registers
eax 0x40000 262144
ecx 0xbab22988 -1162729080
edx 0xfffc0000 -262144
ebx 0x7f 127
esp 0xbfffdc0c 0xbfffdc0c
ebp 0xbfffdc18 0xbfffdc18
esi 0x10498bc3 273255363
edi 0x40000 262144
eip 0xffff0a3f 0xffff0a3f
eflags 0x10206 66054
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
=== snip ===
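The advisory does not identify the faulting code beyond the backtrace above: memcpy reading from address 0x00000000 beneath WebCore::String::copy while the MAP NAME attribute is handled. As an added example, which is not WebCore or OmniGroup code and whose parser bug is hypothetical, the C program below models that failure class: an attribute parser that represents an empty map name as a NULL pointer with a non-zero length, a copy routine that trusts the pair (the shape of the crashing frame), and the hardened parser and copy routine that keep memcpy from ever seeing a NULL source. The attribute values it runs over are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not WebCore code. Models the crash class in the advisory's
 * backtrace (memcpy faulting at 0x0 while copying a MAP NAME value). The
 * parser bug below is hypothetical; the real WebCore defect is not described
 * in the advisory. */

/* A string reference as a pointer/length pair, like a string buffer object. */
typedef struct {
    const char *data;   /* NULL means "no buffer" */
    size_t len;
} str_ref;

/* Hypothetical buggy handling of an unquoted NAME value: strip a leading '#'.
 * Bug: when nothing follows the '#', the result is stored as a NULL buffer
 * while the length is left at the original value's length, so a value of
 * exactly "#" becomes { NULL, 1 }: a NULL source with a non-zero length. */
static str_ref map_name_buggy(const char *value)
{
    size_t len = strlen(value);
    str_ref r = { value, len };
    if (len > 0 && value[0] == '#') {
        r.data = (len > 1) ? value + 1 : NULL;  /* empty result stored as NULL */
        r.len = len;                             /* '#' never subtracted from the length */
    }
    return r;
}

/* Fixed handling: an empty name is an ordinary empty string with a valid
 * (non-NULL) pointer and a length of zero. */
static str_ref map_name_fixed(const char *value)
{
    size_t len = strlen(value);
    str_ref r = { value, len };
    if (len > 0 && value[0] == '#') {
        r.data = value + 1;
        r.len = len - 1;
    }
    return r;
}

/* Copy routine that trusts its caller, the shape of the crashing frame:
 * memcpy(dst, NULL, n) with n > 0 reads from address 0 and faults.
 * Never call this on map_name_buggy("#"); it shows the crash path. */
static char *copy_unchecked(str_ref s)
{
    char *out = malloc(s.len + 1);
    if (out == NULL)
        return NULL;
    memcpy(out, s.data, s.len);   /* EXC_BAD_ACCESS at 0x00000000 when s.data == NULL */
    out[s.len] = '\0';
    return out;
}

/* Hardened copy routine: a missing buffer is treated as an empty string, and
 * memcpy is reached only with a non-NULL source and a non-zero length. */
static char *copy_checked(str_ref s)
{
    if (s.data == NULL)
        s.len = 0;
    char *out = malloc(s.len + 1);
    if (out == NULL)
        return NULL;
    if (s.len > 0)
        memcpy(out, s.data, s.len);
    out[s.len] = '\0';
    return out;
}

/* Returns 1 if the buggy parser would hand memcpy a NULL source with a
 * non-zero length for this attribute value, i.e. the crash precondition. */
static int buggy_would_fault(const char *value)
{
    str_ref r = map_name_buggy(value);
    return r.data == NULL && r.len > 0;
}

int main(void)
{
    /* Constructed attribute values: the advisory's "#" plus ordinary cases. */
    const char *values[] = { "#", "#area1", "area1", "" };
    for (size_t i = 0; i < sizeof values / sizeof values[0]; i++) {
        char *name = copy_checked(map_name_fixed(values[i]));
        printf("NAME=%-7s -> fixed name \"%s\"; buggy parser %s\n",
               values[i], name,
               buggy_would_fault(values[i]) ? "would fault in memcpy" : "is fine");
        free(name);
    }
    /* The trusting copy is fine on a well-formed pair; only { NULL, 1 } kills it. */
    char *ok = copy_unchecked(map_name_fixed("#area1"));
    printf("unchecked copy of a valid pair: \"%s\"\n", ok);
    free(ok);
    return 0;
}
```

The defensive check belongs in the copy routine, not only in the parser: the hardened copy survives even the buggy parser's { NULL, 1 } pair, which is the property a library-level string type needs when many callers construct pointer/length pairs.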
Vendor Status:
01/08/2006 - OmniGroup is notified.
01/08/2006 - OmniGroup releases OmniWeb 5.5.3.
01/10/2006 - Advisory is released.
Solution:
OmniGroup OmniWeb 5.5.3 fixes this issue.
Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com
Related Links:
http://security-protocols.com/poc/sp-x40.html
http://security-protocols.com/sp-x40-advisory.php
http://www.omnigroup.com/applications/omniweb/releasenotes/
2007 Security-Protocols LLC