Apple Safari 拒绝服务漏洞

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1182321 漏洞类型 输入验证
发布时间 2009-06-23 更新时间 2009-07-20
CVE编号 CVE-2009-2420 CNNVD-ID CNNVD-200907-154
漏洞平台 N/A CVSS评分 5.8
|漏洞来源
https://www.securityfocus.com/bid/35482
https://cxsecurity.com/issue/WLB-2009060060
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200907-154
|漏洞详情
AppleSafari3.2.3没有适当地处理文件协议,这会允许远程攻击者通过包含未知HTML标签的向量来阅读任意文件或造成服务拒绝(突然弹出多个Windows资源管理器)。
|漏洞EXP
n.runs AG
http://www.nruns.com/                             security(at)nruns.com
n.runs-SA-2009.005                                          23-Jun-2009
________________________
Vendor:                Apple Inc., http://www.apple.com
Affected Products:     Safari Browser 3.2.3 all platforms
Vulnerability:         Information disclosure to Denial of Service 
Risk:                  MEDIUM
________________________
Vendor communication:

2009/06/07    Bug found
2009/06/08    Preparing PoC's and problem description for three bug 
              classes (n.runs-SA-2009.004 - n.runs-SA-2009.006); 
              writing initial email
2009/06/08    Apple releases Safari 4.0 [1]
2009/06/09    Sending initial email in midnight hour (UTC/GMT +2 hours)
2009/06/09    Bot reply mail delivered; received Follow-Up ID
2009/06/09    Due to a press release n.runs is now aware of new release;
              testing three PoC's; two of them seems to be fixed
2009/06/10    Apple replies and outlining "to take any report of a 
              potential security issue very seriously." Asking for PoC's
2009/06/10    Sending all PoC's with further description and outlining
              at the time of writing the initial email, n.runs was aware
              of new Safari release. Two PoC's (n.runs-SA-2009.005 and 
              n.runs-SA-2009.006) are not working with new Safari 
              release but asking to have a closer look into it.  
2009/06/11    Apple response two PoC's are not working on the latest 
              release, so Apple don't see the need for any further 
              action. With regards to n.runs-SA-2009.004, Apple 
              acknowledge the issue still affects Safari 4 and is 
              looking to fix it.
2009/06/15    n.runs informs Apple to release this advisory             
              due to time difference                    
2009/06/23    n.runs releases this advisory

________________________

Overview:

Quoting http://www.apple.com/safari/:
"What is Safari ?
It's a browser. It's a platform. It's an open invitation to innovate. 
Whether on a Mac, PC, iPhone, or iPod touch, Safari continuously 
redefines the browser, providing the most enjoyable way to experience 
the Internet."



Description:

Passing the file protocol handler to a certain HTML allows to read local 
files. 
On Windows it is possible to create an instance of Windows Explorer by 
calling an executable file. Other operating systems were not tested.  


In detail, the following flaw was determined:

- Safari fails to sanitaze the file protocol handler thus leading to an 
  information disclosure, e.g. local file theft. 
  Creating dynamically a certain HTML tag and using a valid file path to
  an executable may lead to a Denial of Service condition.



Impact

An attacker could trigger the vulnerability by constructing a specially
prepared html file. When a user views this file, local content can be 
send to a third party. Additionaly, various ghost instances of Window 
Explorer may harm the stability of the users system.



Solution:

Apple has issued an update to correct this vulnerability.
For detailed information about the fixes follow the link in
References [1] section of this document.

________________________
Credit: 
Bugs found by Alexios Fakos of n.runs AG. 
________________________
References: 
[1] http://support.apple.com/kb/HT3613


This Advisory and Upcoming Advisories:
http://www.nruns.com/security_advisory.php
________________________
Unaltered electronic reproduction of this advisory is permitted. For 
all other reproduction or publication, in printing or otherwise, 
contact security_at_nruns.com for permission. Use of the advisory 
constitutes acceptance for use in an "as is" condition. All warranties
are excluded. In no event shall n.runs be liable for any damages 
whatsoever including direct, indirect, incidental, consequential loss 
of business profits or special damages, even if n.runs has been advised
of the possibility of such damages. 

Copyright 2009 n.runs AG. All rights reserved. Terms of use apply.

|受影响的产品
Apple Safari For Windows 3.2.1 Apple Safari 3.2.3 for Windows Apple Safari 3.2.3 Apple Safari 3.2.2 for Windows Apple Safari 3.1.2 for Windows Apple Safari 3.1.2
|参考资料

来源:BID
名称:35482
链接:http://www.securityfocus.com/bid/35482
来源:BUGTRAQ
名称:20090623n.runs-SA-2009.005-AppleSafari-Informationdisclosure
链接:http://www.securityfocus.com/archive/1/archive/1/504480/100/0/threaded