viernes, 10 de septiembre de 2010

:::SPAS3C-SV-002:::WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY (CVE-2010-1813)

This time, I'm going to post a new remote software advisory, which was fixed about one month ago, but i couldn't post because i was waiting an advisory and fix from Safari. Now fix is out, so i can post my own advisory.


-------------------------START-ADVISORY-------------------------------



TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
DISCOVERED BY: JOSE A. VAZQUEZ


======ABOUT APPLICATION======

"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/


======DESCRIPTION======

A memory corruption vulnerability was confirmed by Chromium Security Team. Original stacktrace showed a null ptr dereference, but some pointers were also corrupted.

Stacktrace (using Chrome symbols):

WebCore::RenderObject::containingBlock() Line 597
WebCore::RenderBlock::paintContinuationOutlines() Line 2344
WebCore::RenderBlock::paintObject() Line 2232
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2447
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebCore::RenderWidget::paint() Line 281
WebCore::InlineBox::paint() Line 180
WebCore::InlineFlowBox::paint() Line 682
WebCore::RootInlineBox::paint() Line 167
WebCore::RenderLineBoxList::paint() Line 219
WebCore::RenderBlock::paintContents() Line 2090
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderBlock::paintChildren() Line 2127
WebCore::RenderBlock::paintContents() Line 2092
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2445
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebKit::WebFrameImpl::paintWithContext() Line 1795
WebKit::WebFrameImpl::paint() Line 1818
WebKit::WebViewImpl::paint() Line 979
RenderWidget::PaintRect() Line 390
RenderWidget::DoDeferredUpdate() Line 501
RenderWidget::CallDoDeferredUpdate() Line 428



======PROOF OF CONCEPT======

http://pastebin.com/v7T0QK5g


======STEPS TO REPRODUCE======

1.- Upload 1.html and 2.html to your server.
2.- Open file 1.html with vulnerable app.


-Google Chrome:

3.- Wait for a while, then, crash is got (sad-tab).

-Apple Safari:

3.- Wait for a while, if crash is not got, use Ctrl+T to trigger it.



======REFERENCES======

[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html
[ref-3] -> http://support.apple.com/kb/HT4334
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html


======DISCLOSURE TIMELINE======

Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)

[2010-06-29] => Posted new issue in Chromium Project (with pocs).
[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.
[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.



======CREDITS=======

Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/


-------------------------END-ADVISORY-------------------------------


That's all. Be safe ;)