Date: Mon, 5 Jan 2009 18:35:55 +0100
From: "Berend-Jan Wever" <berendjanwever@...il.com>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com, 
	str0ke <str0ke@...w0rm.com>
Subject: CVE-2008-2303 proof of concept and more

CVE-2008-2303 covers an integer overflow in the handling of indices in
the "arguments" array in Apple Safari that affects iPhone, iPod and PC
(Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in
July and for PC in November. More details here:
http://support.apple.com/kb/HT3298


Simple repro:
http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/repro.html

I have also created proof of concept code that shows potential
exploitability and demonstrates how to use heap-spraying in Safari.
AFAIK this is the first use of heap spraying in Safari, but I may be
wrong. Heap spraying in Safari is not that different from other
browsers, just backwards ;)

http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/poc.html

No, script-kiddies, it is not a working "insert download and execute
code here" exploit - view source for the win!!


I have created a list of software vulnerabilities, including
previously unreleased material, on my website:

http://skypher.com/wiki/index.php?title=List_of_software_vulnerabilities


Cheers,


SkyLined


--------------------------------------------------------------------------------------------------------
Berend-Jan Wever <berendjanwever@...il.com> http://skypher.com
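The post above only states that CVE-2008-2303 is an integer overflow in the handling of indices into the "arguments" array; it does not show the faulty code. The following is an added illustration, not the author's proof of concept and not Safari's implementation: it shows the generic defect class (a wide index silently narrowed before the bounds check) next to the hardened check, using the index 0x800000000 from the repro URL as input. The array, the function names and the truncation-before-check pattern are constructed assumptions for teaching purposes; the "weak" function only reports whether the check would pass and never performs the out-of-range access.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Toy "arguments" array: a handful of 32-bit slots (constructed sample data,
 * not Safari's data structure). */
#define ARG_COUNT 4u
static const int32_t g_args[ARG_COUNT] = {10, 20, 30, 40};

/* Weak pattern (constructed for illustration): the caller supplies a 64-bit
 * index (e.g. a JavaScript number), but the implementation narrows it to
 * 32 bits before comparing against the length. 0x800000000 narrows to 0,
 * so the check passes even though the real index is far out of range.
 * Returns true when the (flawed) check would admit the index. */
bool weak_index_check(uint64_t index, uint32_t len)
{
    uint32_t truncated = (uint32_t)index;   /* silent truncation */
    return truncated < len;                 /* 0 < 4 for 0x800000000 */
}

/* Hardened pattern: compare the full-width index against the length before
 * any narrowing happens, so no high bits can be discarded. */
bool safe_index_check(uint64_t index, uint32_t len)
{
    return index < (uint64_t)len;
}

/* Accessor built on the hardened check. On an out-of-range index it reports
 * failure through *ok and returns 0 instead of reading memory. */
int32_t safe_get(uint64_t index, bool *ok)
{
    if (!safe_index_check(index, ARG_COUNT)) {
        *ok = false;
        return 0;
    }
    *ok = true;
    return g_args[(size_t)index];
}

int main(void)
{
    const uint64_t probes[] = {0, 3, 4, 0x100000000ULL, 0x800000000ULL};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        bool ok;
        int32_t v = safe_get(probes[i], &ok);
        printf("index 0x%llx: weak check %s, hardened check %s%s\n",
               (unsigned long long)probes[i],
               weak_index_check(probes[i], ARG_COUNT) ? "passes" : "rejects",
               ok ? "returns " : "rejects",
               ok ? (printf("%d", v), "") : "");
    }
    return 0;
}
```

The point for reviewers and auditors is the mismatch in width between the value that is checked and the value that is used: any place where an index is narrowed (an explicit cast, an implicit conversion to a narrower parameter type, or a shift) before the length comparison is a candidate for this class of bug, regardless of the browser or language runtime involved.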

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/