exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Safari 3.2.3 Denial Of Service

Safari 3.2.3 Denial Of Service
Posted Jun 24, 2009
Authored by Alexios Fakos | Site nruns.com

A Null Class Pointer Dereference in CoreFoundation.dll has been found while parsing a URL fragment with a high-bit character in a common protocol handler. Apple's Safari browser version 3.2.3 is vulnerable.

tags | advisory, protocol
systems | apple
SHA-256 | 43353339aed37a33039bbc97039fb9b5ec525ae76af3ae86fbb10ebfa0788760

Safari 3.2.3 Denial Of Service

Change Mirror Download
n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2009.006 23-Jun-2009
_______________________________________________________________________

Vendor: Apple Inc., http://www.apple.com
Affected Products: Safari Browser 3.2.3 all platforms
Vulnerability: Null pointer dereference lead to DoS
Risk: MEDIUM
_______________________________________________________________________

Vendor communication:

2009/06/07 Bug found
2009/06/08 Preparing PoC's and problem description for three bug
classes (n.runs-SA-2009.004 - n.runs-SA-2009.006);
writing initial email
2009/06/08 Apple releases Safari 4.0 [1]
2009/06/09 Sending initial email in midnight hour (UTC/GMT +2 hours)
2009/06/09 Bot reply mail delivered; received Follow-Up ID
2009/06/09 Due to a press release n.runs is now aware of new release;
testing three PoC's; two of them seems to be fixed
2009/06/10 Apple replies and outlining "to take any report of a
potential security issue very seriously." Asking for PoC's
2009/06/10 Sending all PoC's with further description and outlining
at the time of writing the initial email, n.runs was aware
of new Safari release. Two PoC's (n.runs-SA-2009.005 and
n.runs-SA-2009.006) are not working with new Safari
release but asking to have a closer look into it.
2009/06/11 Apple response two PoC's are not working on the latest
release, so Apple don't see the need for any further
action. With regards to n.runs-SA-2009.004, Apple
acknowledge the issue still affects Safari 4 and is
looking to fix it.
2009/06/15 n.runs informs Apple to release this advisory
due to time difference
2009/06/23 n.runs releases this advisory

_______________________________________________________________________


Overview:

Quoting http://www.apple.com/safari/:
"What is Safari ?
It's a browser. It's a platform. It's an open invitation to innovate.
Whether on a Mac, PC, iPhone, or iPod touch, Safari continuously
redefines the browser, providing the most enjoyable way to experience
the Internet."



Description:

A Null Class Pointer Dereference in CoreFoundation.dll has been found
while parsing a URL fragment with a high-bit character in a common
protocol handler.

In detail, the following flaw was determined:

- Safari crashes in method CFCharacterSetInitInlineBuffer because the
first passed pointer argument (stored in ecx) was not sanized.
Hence dereferencing a null pointer Sarafi will crash.

Excerpt from stack trace:
CoreFoundation!CFCharacterSetInitInlineBuffer+0x357
CoreFoundation!CFURLCopyFileSystemPath+0xf3
CoreFoundation!CFURLGetWideFileSystemRepresentation+0x23
CFNetwork!CFHTTPMessageSendRequest+0x6e4
CFNetwork!CFHTTPMessageSendRequest+0x96e
CFNetwork!CFHTTPMessageSendRequest+0xad2
CFNetwork!CFURLConnectionSendSynchronousRequest+0x8d7
CFNetwork!CFStreamErrorFromCFError+0x9a0
ntdll!RtlpAllocateFromHeapLookaside+0x42
ntdll!RtlAllocateHeap+0x1c2


Impact

An attacker could trigger the vulnerability by constructing a specially
prepared website. When a user views the web page an unexpected
application termination occurs.
Kindly note: Whether this circumstance leads to an exploitable condition
was not closer investigated.



Solution:

Apple has issued an update to correct this vulnerability.
For detailed information about the fixes follow the link in
References [1] section of this document.

_______________________________________________________________________

Credit:
Bugs found by Alexios Fakos of n.runs AG.
_______________________________________________________________________

References:
[1] http://support.apple.com/kb/HT3613

This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
_______________________________________________________________________

Unaltered electronic reproduction of this advisory is permitted. For
all other reproduction or publication, in printing or otherwise,
contact security@nruns.com for permission. Use of the advisory
constitutes acceptance for use in an "as is" condition. All warranties
are excluded. In no event shall n.runs be liable for any damages
whatsoever including direct, indirect, incidental, consequential loss
of business profits or special damages, even if n.runs has been advised
of the possibility of such damages.

Copyright 2009 n.runs AG. All rights reserved. Terms of use apply.
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close