n.runs AG
http://www.nruns.com/ security(at)nruns.com
n.runs-SA-2009.006 23-Jun-2009
______________________________________________________________________________________________________________
Vendor: Apple Inc., http://www.apple.com
Affected Products: Safari Browser 3.2.3 all platforms
Vulnerability: Null pointer dereference leads to DoS
Risk: MEDIUM
______________________________________________________________________________________________________________
Vendor communication:
2009/06/07 Bug found
2009/06/08 Preparing PoCs and problem descriptions for three bug classes (n.runs-SA-2009.004 – n.runs-SA-2009.006); writing initial email
2009/06/08 Apple releases Safari 4.0 [1]
2009/06/09 Sending initial email around midnight (UTC/GMT +2 hours)
2009/06/09 Bot reply mail delivered; received Follow-Up ID
2009/06/09 Due to a press release, n.runs is now aware of the new release; testing the three PoCs; two of them seem to be fixed
2009/06/10 Apple replies, stating that it intends “to take any report of a potential security issue very seriously.” Asking for the PoCs
2009/06/10 Sending all PoCs with further description and pointing out that, at the time of writing the initial email, n.runs was aware of the new Safari release. Two PoCs (n.runs-SA-2009.005 and n.runs-SA-2009.006) do not work with the new Safari release, but asking Apple to have a closer look into it.
2009/06/11 Apple responds that the two PoCs do not work on the latest release, so Apple does not see the need for any further action. With regard to n.runs-SA-2009.004, Apple acknowledges that the issue still affects Safari 4 and is looking to fix it.
2009/06/15 n.runs informs Apple that it will release this advisory due to the time difference
2009/06/23 n.runs releases this advisory
_______________________________________________________________________
Overview:
Quoting http://www.apple.com/safari/:
“What is Safari ?
It’s a browser. It’s a platform. It’s an open invitation to innovate. Whether on a Mac, PC, iPhone, or iPod touch, Safari continuously redefines the browser, providing the most enjoyable way to experience the Internet.”
Description:
A Null Class Pointer Dereference in CoreFoundation.dll has been found while parsing a URL fragment with a high-bit character in a common protocol handler.
In detail, the following flaw was determined:
- Safari crashes in the method CFCharacterSetInitInlineBuffer because the first passed pointer argument (stored in ecx) was not sanitized. Hence, when this null pointer is dereferenced, Safari crashes.
Excerpt from stack trace:
CoreFoundation!CFCharacterSetInitInlineBuffer+0x357
CoreFoundation!CFURLCopyFileSystemPath+0xf3
CoreFoundation!CFURLGetWideFileSystemRepresentation+0x23
CFNetwork!CFHTTPMessageSendRequest+0x6e4
CFNetwork!CFHTTPMessageSendRequest+0x96e
CFNetwork!CFHTTPMessageSendRequest+0xad2
CFNetwork!CFURLConnectionSendSynchronousRequest+0x8d7
CFNetwork!CFStreamErrorFromCFError+0x9a0
ntdll!RtlpAllocateFromHeapLookaside+0x42
ntdll!RtlAllocateHeap+0x1c2
Impact:
An attacker could trigger the vulnerability by constructing a specially prepared website. When a user views the web page, an unexpected application termination occurs.
Kindly note: whether this circumstance leads to an exploitable condition was not investigated further.
Solution:
Apple has issued an update to correct this vulnerability. For detailed information about the fixes, follow the link in the References section ([1]) of this document.
_______________________________________________________________________
Credit:
Bugs found by Alexios Fakos of n.runs AG.
_______________________________________________________________________
References:
[1] http://support.apple.com/kb/HT3613
This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php