full-disclosure-uk January 2009 archive
Main Archive Page > Month Archives  > full-disclosure-uk archives
full-disclosure-uk: [Full-disclosure] CVE-2008-2303 proof of con

[Full-disclosure] CVE-2008-2303 proof of concept and more

From: Berend-Jan Wever <berendjanwever_at_nospam>
Date: Mon Jan 05 2009 - 17:35:55 GMT
To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, str0ke <str0ke@milw0rm.com>


CVE-2008-2303 covers an integer overflow in the handling of indices in the "arguments" array in Apple Safari that affects iPhone, iPod and PC (Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in July and for PC in November. More details here: http://support.apple.com/kb/HT3298

Simple repro:
http:// <goog_1231173753359>skypher <goog_1231173753359>.com/
<goog_1231173753359>SkyLined <goog_1231173753359>/
<goog_1231173753359>Repro
<goog_1231173753359>/Safari/arguments%5B0x800000000%5D/
<goog_1231173753359>repro <goog_1231173753359>.html
<goog_1231173753359>

I have also created proof of concept code that shows potential exploitability and demonstrates how to use heap-spraying in Safari. AFAIK this is the first use of heap spraying in Safari, but I may be wrong. Heap spraying in Safari is not that different from other browsers, just backwards ;)

http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/poc.html

No, script-kiddies, it is not a working "insert download and execute code here" exploit - view source for the win!!

I have created a list of software vulnerabilities, including previously unreleased material, on my website:

http://skypher.com/wiki/index.php?title=List_of_software_vulnerabilities

Cheers,

SkyLined



Berend-Jan Wever <berendjanwever_at_gmail.com> http://skypher.com



Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/