Remote exploitation of a memory corruption vulnerability in WebKit, as included with multiple vendors' browsers, could allow an attacker to execute arbitrary code with the privileges of the current user. Scalable Vector Graphics (SVG) is an XML based file format used to describe two dimensional vector graphics. It defines both a markup language, and a JavaScript interface. When processing DOM queries to SVG tags, Safari fails to handle exceptional conditions. It is possible to trigger a use after free vulnerability by query some properties of SVG tags. This leaves a C++ object pointer in an inconsistent state, which can lead to the execution of arbitrary code. Safari versions prior to 5.1 and 5.0.6 are vulnerable.
620665bfdb86a30421dd34b615a797945553c63b075518ac3852faa9ab9219e1I. BACKGROUND
WebKit is an open source web browser engine. It is currently used by
Apple Inc.'s Safari browser, as well as by Google's Chrome browser. For
more information, see the vendor's site at the following link.
http://webkit.org/
II. DESCRIPTION
Remote exploitation of a memory corruption vulnerability in WebKit, as
included with multiple vendors' browsers, could allow an attacker to
execute arbitrary code with the privileges of the current user.
Scalable Vector Graphics (SVG) is an XML based file format used to
describe two dimensional vector graphics. It defines both a markup
language, and a JavaScript interface.
When processing DOM queries to SVG tags, Safari fails to handle
exceptional conditions.
It is possible to trigger a use after free vulnerability by query some
properties of SVG tags. This leaves a C++ object pointer
in an inconsistent state, which can lead to the execution of arbitrary
code.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user viewing the web page. To exploit
this vulnerability, a targeted user must load a malicious webpage
created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted sites.
After the user visits the malicious web page, no further user
interaction is needed.
IV. DETECTION
Safari versions prior to 5.1 and 5.0.6 are vulnerable.
V. WORKAROUND
Disabling JavaScript is an effective workaround for this vulnerability.
VI. VENDOR RESPONSE
Apple Inc. has released patches which addresses this issue. For more
information, consult their advisory at the following URL:
http://support.apple.com/kb/HT4808
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2011-0222 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
05/28/2011 Initial Vendor Notification
06/02/2011 Initial Vendor Reply
07/25/2011 Coordinated Public Disclosure
IX. CREDIT
This vulnerability was demonstrated by Nikita Tarakanov (CISS Research
Team) and Alex Bazhanyuk(CISS Research Team) during Positive Hack Days
Conference via hack2own contest.
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed