lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CANSq7mWgQHswesS_DVHQdKjhEc-4VYaT=Hgp0u7RG50r_Y3kRQ@mail.gmail.com>
Date: Mon, 25 Jul 2011 02:49:29 +0400
From: CISSRT Hot Summer <cisshotsummer@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: CISS Research Team Advisory: CVE-2011-0222

I. BACKGROUND

WebKit is an open source web browser engine. It is currently used by
Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For
more information, see the vendor's site at the following link.

http://webkit.org/

II. DESCRIPTION

Remote exploitation of a memory corruption vulnerability in WebKit, as
included with multiple vendors' browsers, could allow an attacker to
execute arbitrary code with the privileges of the current user.

Scalable Vector Graphics (SVG) is an XML based file format used to
describe two dimensional vector graphics. It defines both a markup
language, and a JavaScript interface.

When processing DOM queries to SVG tags, Safari fails to handle
exceptional conditions.
It is possible to trigger a use after free vulnerability by query some
properties of SVG tags. This leaves a C++ object pointer
in an inconsistent state, which can lead to the execution of arbitrary
code.

III. ANALYSIS

Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page. To exploit
this vulnerability, a targeted user must load a malicious webpage
created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted sites.
After the user visits the malicious web page, no further user
interaction is needed.

IV. DETECTION

Safari versions prior to 5.1 and 5.0.6 are vulnerable.

V. WORKAROUND

Disabling JavaScript is an effective workaround for this vulnerability.

VI. VENDOR RESPONSE

Apple Inc. has released patches which addresses this issue. For more
information, consult their advisory at the following URL:

http://support.apple.com/kb/HT4808

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-0222 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

05/28/2011  Initial Vendor Notification
06/02/2011  Initial Vendor Reply
07/25/2011  Coordinated Public Disclosure

IX. CREDIT

This vulnerability was demonstrated by Nikita Tarakanov (CISS Research
Team) and Alex Bazhanyuk(CISS Research Team) during Positive Hack Days
Conference via hack2own contest.

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ