TITLE: WEBKIT (APPLE SAFARI < 4.1.2/5.0.2 & GOOGLE CHROME < 5.0.375.125) MEMORY CORRUPTION VULNERABILITY
TESTED OS: WINDOWS XP SP3
SEVERITY: HIGH
CVE-NUMBER: CVE-2010-1813
DISCOVERED DATE: 2010-06-29
FIXED DATE: GOOGLE CHROME (2010-07-26) & APPLE SAFARI (2010-09-08)
FIXED VERSIONS: GOOGLE CHROME 5.0.375.125 & APPLE SAFARI 4.1.2/5.0.2
DISCOVERED BY: JOSE A. VAZQUEZ
======ABOUT APPLICATION======
"WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version
of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and
JavaScript code began as a branch of the KHTML and KJS libraries from KDE..." copied from http://webkit.org/
======DESCRIPTION======
A memory corruption vulnerability was confirmed by the Chromium Security Team. The original stack trace showed a null
pointer dereference, but some pointers were also corrupted.
Stacktrace (using Chrome symbols):
WebCore::RenderObject::containingBlock() Line 597
WebCore::RenderBlock::paintContinuationOutlines() Line 2344
WebCore::RenderBlock::paintObject() Line 2232
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2447
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebCore::RenderWidget::paint() Line 281
WebCore::InlineBox::paint() Line 180
WebCore::InlineFlowBox::paint() Line 682
WebCore::RootInlineBox::paint() Line 167
WebCore::RenderLineBoxList::paint() Line 219
WebCore::RenderBlock::paintContents() Line 2090
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderBlock::paintChildren() Line 2127
WebCore::RenderBlock::paintContents() Line 2092
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2445
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebKit::WebFrameImpl::paintWithContext() Line 1795
WebKit::WebFrameImpl::paint() Line 1818
WebKit::WebViewImpl::paint() Line 979
RenderWidget::PaintRect() Line 390
RenderWidget::DoDeferredUpdate() Line 501
RenderWidget::CallDoDeferredUpdate() Line 428
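As an added triage aid (not part of the original advisory), the script below parses the stack trace printed above into structured frames and summarises what the trace itself shows: the crashing function and its caller, how many frames belong to WebCore versus the WebKit glue and the Chromium renderer (the namespace-less RenderWidget frames), and where painting descended from a WebCore::RenderWidget into a nested ScrollView, i.e. an embedded document. The trace text is the page's own data embedded verbatim; the frame-line format (`Name() Line N`) is taken from the page, and the "nested document" interpretation of a RenderWidget::paint -> ScrollView::paint pair is standard WebCore behaviour, not something the advisory states.

```python
import re
from collections import Counter
from typing import Dict, List, NamedTuple, Optional

# The stack trace exactly as printed in the advisory (Chrome symbols),
# innermost frame first. Embedded here so the script runs offline.
ADVISORY_STACK = """
WebCore::RenderObject::containingBlock() Line 597
WebCore::RenderBlock::paintContinuationOutlines() Line 2344
WebCore::RenderBlock::paintObject() Line 2232
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2447
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebCore::RenderWidget::paint() Line 281
WebCore::InlineBox::paint() Line 180
WebCore::InlineFlowBox::paint() Line 682
WebCore::RootInlineBox::paint() Line 167
WebCore::RenderLineBoxList::paint() Line 219
WebCore::RenderBlock::paintContents() Line 2090
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderBlock::paintChildren() Line 2127
WebCore::RenderBlock::paintContents() Line 2092
WebCore::RenderBlock::paintObject() Line 2199
WebCore::RenderBlock::paint() Line 1980
WebCore::RenderLayer::paintLayer() Line 2445
WebCore::RenderLayer::paintList() Line 2499
WebCore::RenderLayer::paintLayer() Line 2468
WebCore::RenderLayer::paint() Line 2252
WebCore::FrameView::paintContents() Line 1943
WebCore::ScrollView::paint() Line 797
WebKit::WebFrameImpl::paintWithContext() Line 1795
WebKit::WebFrameImpl::paint() Line 1818
WebKit::WebViewImpl::paint() Line 979
RenderWidget::PaintRect() Line 390
RenderWidget::DoDeferredUpdate() Line 501
RenderWidget::CallDoDeferredUpdate() Line 428
"""


class Frame(NamedTuple):
    depth: int      # 0 = innermost (crashing) frame
    function: str   # fully qualified name, e.g. "WebCore::RenderObject::containingBlock"
    line: int       # source line number reported by the symbols


# One frame per line: "<qualified name>() Line <number>"
FRAME_RE = re.compile(r"^(?P<fn>[A-Za-z_][\w:~]*)\(\)\s+Line\s+(?P<line>\d+)$")


def parse_stack(text: str) -> List[Frame]:
    """Parse the advisory's trace format; reject lines that do not fit it."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = FRAME_RE.match(line)
        if m is None:
            raise ValueError(f"unrecognised frame line: {line!r}")
        frames.append(Frame(len(frames), m.group("fn"), int(m.group("line"))))
    return frames


def namespace_of(function: str) -> str:
    """'WebCore::X::y' -> 'WebCore'; a bare 'Class::method' is treated as global."""
    parts = function.split("::")
    return parts[0] if len(parts) >= 3 else "(global)"


def namespace_counts(frames: List[Frame]) -> Dict[str, int]:
    return dict(Counter(namespace_of(f.function) for f in frames))


def nested_document_depths(frames: List[Frame]) -> List[int]:
    """Depths at which painting entered an embedded document.

    In WebCore, RenderWidget::paint calling ScrollView::paint means the painter
    descended into a nested view (e.g. an <iframe>'s FrameView), so everything
    deeper in the trace happened while painting that child document.
    """
    return [
        callee.depth
        for callee, caller in zip(frames, frames[1:])
        if callee.function == "WebCore::ScrollView::paint"
        and caller.function == "WebCore::RenderWidget::paint"
    ]


def summarize(frames: List[Frame]) -> Dict[str, object]:
    crash = frames[0]
    caller: Optional[str] = frames[1].function if len(frames) > 1 else None
    return {
        "frame_count": len(frames),
        "crash_function": crash.function,
        "crash_line": crash.line,
        "crash_caller": caller,
        "nested_documents": len(nested_document_depths(frames)),
        "namespaces": namespace_counts(frames),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_stack(ADVISORY_STACK)).items():
        print(f"{key}: {value}")
```

Run stand-alone, the script reports that the crash is in WebCore::RenderObject::containingBlock at line 597, called from RenderBlock::paintContinuationOutlines, and that the trace crosses one RenderWidget/ScrollView boundary, so the faulting paint happened inside an embedded document rather than the top-level page.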
======TIMELINE======
Standard Time Zone: GMT/UTC + 01:00 hour (Spain/Madrid)
[2010-06-29] => Posted new issue in Chromium Project (with pocs).
[2010-06-29] => Chromium confirmed memory corruption and opened new webkit bug.
[2010-07-26] => Chromium released new fix (Google Chrome 5.0.375.125).
[2010-09-08] => Apple released new fix (Apple Safari 4.1.2/5.0.2).
[2010-09-10] => Public disclosure.
======CREDITS======
Jose Antonio Vazquez Gonzalez,
Telecom. Engineer & Sec. Researcher.
http://spa-s3c.blogspot.com/