Professional Webmasters Community

iPhone and Safari advisories



Post by andry on Thu Oct 14, 2010 2:02 am

Catching up on a few items. I seem to have gotten a mention in a couple of recent Apple advisories:

iPhone 3.0 security fixes

Safari 4.0.2

It's one of the Safari bugs that interests me today, CVE-2009-1725, an off-by-one heap memory corruption in WebKit. The patch says it all, really:

http://trac.webkit.org/changeset/44799/trunk/WebCore/html/HTMLTokenizer.cpp

Here's the faulty code:

checkBuffer(10);
// ignore the sequence, add it to the buffer as plaintext
*dest++ = '&';
for (unsigned i = 0; i < cBufferPos; i++)
    dest[i] = m_cBuffer[i];

Turns out, that 10 should be an 11 so it is possible to write a semi user-controlled byte off-by-one off the end of a heap chunk. If you know what useful tricks you might do with that in the various heap implementations (Windows, Mac, Linux) -- please leave a comment.

Here's a demo HTML document:

https://cevans-app.appspot.com/static/webkitentityoffbyone.html

It tries to pad the HTML so that the errant byte is written off the end of the heap, instead of into buffer slack. Bear in mind that the most common symptom here is no symptom at all :) In Chrome / Windows, repeated refresh of that URL would occasionally render a random Asian character, but no crash.
andry, Moderator
Posts : 467
Join date : 2010-05-07
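To make the arithmetic behind the patch concrete, here is an added C model of the reservation check (not WebKit's code and not from the post above): the tokenizer reserves `n` free output slots, then writes the `&` plus the `cBufferPos` bytes it buffered while scanning a would-be entity. The scratch-buffer limit of 10 and the buffer sizes are assumptions for the demo; the point is that the write needs `1 + cBufferPos` slots, so a reservation of 10 is one short in the worst case.

```c
/* Added example modelling the reservation logic behind CVE-2009-1725.
 * Not WebKit code: names and sizes are assumed for the demonstration. */
#include <stddef.h>
#include <string.h>

/* Longest partial entity the scratch buffer is assumed to hold before the
 * tokenizer gives up and emits it as plaintext. */
#define MAX_ENTITY_LEN 10

/* Bytes written by the "ignore the sequence" path: the '&' plus the
 * cBufferPos bytes that were buffered. */
size_t bytes_written_by_plaintext_fallback(size_t cBufferPos)
{
    return 1 + cBufferPos;
}

/* Returns 1 if reserving `reserved` output slots covers every possible
 * cBufferPos (0..MAX_ENTITY_LEN), 0 if the worst case overruns.
 * reservation_is_sufficient(10) == 0 is the bug; (11) == 1 is the fix. */
int reservation_is_sufficient(size_t reserved)
{
    return bytes_written_by_plaintext_fallback(MAX_ENTITY_LEN) <= reserved;
}

/* Bounds-checked form of the faulty loop. `used` is the current fill level
 * of dest and `reserved` the number of slots guaranteed free beyond it.
 * Returns the new fill level, or -1 (nothing written) when the write would
 * exceed the reservation, i.e. exactly the case checkBuffer(10) missed. */
long emit_entity_as_plaintext(char *dest, size_t used, size_t reserved,
                              const char *cBuffer, size_t cBufferPos)
{
    size_t need = bytes_written_by_plaintext_fallback(cBufferPos);
    if (need > reserved)
        return -1;
    dest[used++] = '&';
    memcpy(dest + used, cBuffer, cBufferPos);
    return (long)(used + cBufferPos);
}
```

With a full 10-byte scratch buffer the checked version refuses the write under a 10-slot reservation and accepts it under 11, which is the one-byte difference the changeset fixes.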
