MoBB #31: Safari KHTMLParser::popOneBlock
The following bug was tested on the latest version of Safari on a fully patched Mac OS X 10.4 (PPC) system. Safari will dereference and call a pointer read from the heap if a script element inside a div element redefines the document body. In the trace below the crash is the virtual call at the end of KHTMLParser::popOneBlock: the program counter ends up at 0x4aeec58, an address outside any loaded library, whose contents gdb cannot decode as an instruction. Code execution is possible, but more time is required to develop a reliable exploit. This bug was discovered by Jose Avila III and Pusscat. Strangely enough, this bug does not affect KDE's Konqueror (tested with 3.5.3).
Please see the demo source code for an example.
Warning: The following link may cause your browser to crash.
Demonstration
Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
(gdb) x/i $pc
0x4aeec58: .long 0x690074
#0 0x04aeec58 in ?? ()
#1 0x95c6f884 in KHTMLParser::popOneBlock ()
#2 0x95c43998 in KHTMLParser::freeBlock ()
#3 0x95cdff3c in KHTMLParser::finished ()
#4 0x95cdfe7c in khtml::HTMLTokenizer::end ()
#5 0x95c7ec8c in khtml::HTMLTokenizer::finish ()
#6 0x95d90358 in KHTMLPart::endIfNotLoading ()
0x95c6f8c4 <_ZN11KHTMLParser11popOneBlockEb+132>: lwz r2,0(r3)
0x95c6f8c8 <_ZN11KHTMLParser11popOneBlockEb+136>: lwz r12,268(r2)
0x95c6f8cc <_ZN11KHTMLParser11popOneBlockEb+140>: mtctr r12
0x95c6f8d0 <_ZN11KHTMLParser11popOneBlockEb+144>: bctrl
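The four instructions above are a C++ virtual call: r3 holds the object, r2 the vtable pointer loaded from the object's first word, and r12 the method pointer at vtable offset 268 (slot 67), which bctrl then branches to. As an added example, not code from the original post or from WebKit, here is a small C model of that dispatch over a constructed, sparse memory image. All addresses, the text/heap ranges, and the "healthy" and "stale" object contents are made up for illustration; the only value taken from the page is the word 0x00690074 that gdb printed at the faulting PC, which happens to be the UTF-16BE encoding of "it". The model resolves where bctrl would land for an intact object and for one whose memory has been reused, which is the triage question behind "dereference and call a pointer from the heap":

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* SLOT_OFFSET comes from "lwz r12,268(r2)" in the disassembly. The address
 * ranges are CONSTRUCTED for this example and are not Safari's memory map. */
#define SLOT_OFFSET 268u                 /* vtable slot 268 / 4 = 67 */
#define TEXT_LO 0x95c00000u              /* assumed library text range */
#define TEXT_HI 0x95e00000u
#define HEAP_LO 0x04000000u              /* assumed heap range */
#define HEAP_HI 0x05000000u

/* A sparse 32-bit memory image holding only the words the dispatch touches. */
struct word { uint32_t addr, value; };
struct image { const struct word *words; size_t count; };

static int read32(const struct image *img, uint32_t addr, uint32_t *out) {
    for (size_t i = 0; i < img->count; i++)
        if (img->words[i].addr == addr) { *out = img->words[i].value; return 1; }
    return 0;                            /* unmapped: the load itself would fault */
}

enum outcome { CALL_TEXT, CALL_HEAP, CALL_UNMAPPED };

struct dispatch {
    uint32_t vtable;                     /* r2  = *(r3 + 0)           */
    uint32_t target;                     /* r12 = *(r2 + SLOT_OFFSET) */
    enum outcome outcome;                /* where bctrl would land    */
};

/* Replays lwz r2,0(r3); lwz r12,268(r2); mtctr r12; bctrl without branching. */
static struct dispatch resolve_virtual_call(const struct image *img, uint32_t r3) {
    struct dispatch d = { 0, 0, CALL_UNMAPPED };
    if (!read32(img, r3, &d.vtable)) return d;
    if (!read32(img, d.vtable + SLOT_OFFSET, &d.target)) return d;
    if (d.target >= TEXT_LO && d.target < TEXT_HI) d.outcome = CALL_TEXT;
    else if (d.target >= HEAP_LO && d.target < HEAP_HI) d.outcome = CALL_HEAP;
    return d;
}

/* Decode one big-endian word as two UTF-16BE code units (printable ASCII only). */
static void decode_utf16be(uint32_t w, char out[3]) {
    uint16_t hi = (uint16_t)(w >> 16), lo = (uint16_t)(w & 0xffffu);
    out[0] = (hi >= 0x20 && hi < 0x7f) ? (char)hi : '?';
    out[1] = (lo >= 0x20 && lo < 0x7f) ? (char)lo : '?';
    out[2] = '\0';
}

#define OBJ 0x04a10000u                  /* constructed object address (r3) */

/* Healthy object: first word points at a vtable in library data, and slot 67
 * of that vtable holds a method inside library text. */
static const struct word healthy_words[] = {
    { OBJ,                       0x95d00100u },
    { 0x95d00100u + SLOT_OFFSET, 0x95c6f000u },
};
/* Stale object: same address, but its memory has been reused, so both the
 * "vtable pointer" and the "slot" are heap pointers, and the final target
 * holds 0x00690074, the word gdb showed at the faulting PC above. */
static const struct word stale_words[] = {
    { OBJ,                       0x04aeec00u },
    { 0x04aeec00u + SLOT_OFFSET, 0x04aeec58u },
    { 0x04aeec58u,               0x00690074u },
};
static const struct image healthy = { healthy_words, sizeof healthy_words / sizeof *healthy_words };
static const struct image stale   = { stale_words,   sizeof stale_words   / sizeof *stale_words };

static const char *outcome_name(enum outcome o) {
    return o == CALL_TEXT ? "library text"
         : o == CALL_HEAP ? "HEAP (attacker-influenced data)" : "unmapped";
}

int main(void) {
    const struct image *imgs[] = { &healthy, &stale };
    const char *names[] = { "healthy", "stale" };
    for (int i = 0; i < 2; i++) {
        struct dispatch d = resolve_virtual_call(imgs[i], OBJ);
        printf("%-7s r3=%08x vtable=%08x target=%08x -> %s\n",
               names[i], OBJ, d.vtable, d.target, outcome_name(d.outcome));
    }
    uint32_t at_pc; char text[3];
    if (read32(&stale, 0x04aeec58u, &at_pc)) {
        decode_utf16be(at_pc, text);
        printf("word at new PC: %08x = UTF-16BE \"%s\"\n", at_pc, text);
    }
    return 0;
}
```

The point of the two images is the classification step: once the first load off r3 yields a pointer into memory the page author can fill (here, UTF-16 document text), the value that reaches mtctr is no longer a vtable entry, so the crash site is a controlled indirect branch rather than a simple null dereference. In a real triage you would replace the constructed image with reads from the core file or a live gdb session and the ranges with the actual library and heap mappings.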
This bug will be added to the OSVDB:
Apple Safari KHTMLParser::popOneBlock Code Execution
10 Comments:
HDM, is this the end of MoBB? Will you be extending this blog, since you did say in one post that you were able to supply IE bugs for two and a half years? LOL. Do you have any other bug blogs in the works?
I guess that's it then. Thanks for the wonderful read :)
- Tom | http://www.tomwrote.info
It also crashes the Intel-Version (10.4.7, fully patched as well) of Safari.
Clicking the Demonstration button leads to a site with this content:
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
This bug seems to be fixed in the nightly builds of Safari. You can get them here:
http://nightly.webkit.org/
Denis
If Apple fixed the problem in the nightly, they should rush out a final version bugfix too.
Congrats for finding the bug and not keeping it to yourself.
That also crashes the Shiira browser.
Seems this has been fixed in Leopard (WWDC version), ver 3.0 (521.24).
Doesn't seem to do anything in 10.4.8 on an Intel system; just !!!!!!!!!!!!!!!!!!!!!! shows up, the browser doesn't crash or hang.
Yup, they finally fixed it. Go Apple! Only took about two months to fix a remote code exec flaw in their browser.