Re: Safari HTTPS Overflow

From: Braden Thomas (braden127_at_myrealbox.com)
Date: 04/29/05

  • Next message: Markus Stenzel: "Re: [bugtraq] Re: Borland Security Contact"
    Date: Thu, 28 Apr 2005 19:29:14 -0700
    To: Gilbert Verdian <gverdian@neoresearch.org>

    Gilbert –
            This appears to be an issue where Safari is calling
    CFSocketEnableCallBacks on a null CFSocketRef. Not an overflow. An
    overflow would require a buffer, somewhere, to have overflowed. This
    is not happening at all. Just because a program crashes when you send
    it a relatively long string does not define it as an overflow. Look at
    the crash report:

    Exception: EXC_BAD_ACCESS (0x0001)
    Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c

            Also, did you notify Apple
    (https://bugreport.apple.com/cgi-bin/WebObjects/RadarWeb.woa) of this
    bug, or did you just figure they'd hear about it through the grapevine?

    Braden Thomas

    On Apr 28, 2005, at 2:08 PM, Gilbert Verdian wrote:

    > Found a bug in the latest Safari that comes with Panther 10.3.9 -
    > Safari 1.3 (v312), previous versions of Panther are also vulnerable.
    >
    > The problem is with the URI input for HTTPS which causes Safari to
    > crash by inputting a large amount of A's i.e.
    >
    > https://
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    > AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
    >
    > Did a debug of the crash, but it kept crashing in a spin_lock while
    > reading from the text segment. Will post more details when I have more
    > info on it.
    >
    > Gilbert Verdian
    > neoresearch.org
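The reading Braden applies to the crash report above (a fault address in the first page means NULL plus a small field offset, which by itself is no evidence that any buffer was overrun) as an added triage helper; this is example code written for this page, not anything from the thread or from Apple. The report lines are the two quoted above, and the 4 KiB unmapped first page is an assumption.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the two crash-report lines quoted in the message above. */
static const char SAMPLE_REPORT[] =
    "Exception: EXC_BAD_ACCESS (0x0001)\n"
    "Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x0000000c\n";

/* Assumption for this example: the first 4 KiB page is unmapped, so any fault
 * below this address is NULL plus a small field offset, not a clobbered pointer. */
#define NULL_PAGE_SIZE 0x1000u

enum fault_kind { FAULT_UNPARSED, FAULT_NEAR_NULL, FAULT_OTHER };

/* Pull the fault address out of the "Codes: ... at 0x........" line.
 * Returns 1 and stores the address, or 0 if the line is missing or malformed. */
int parse_fault_address(const char *report, uint32_t *addr_out) {
    const char *codes = strstr(report, "Codes:");
    if (codes == NULL) return 0;
    const char *at = strstr(codes, " at 0x");
    if (at == NULL) return 0;
    const char *hex = at + 4;               /* points at "0x..." */
    char *end = NULL;
    unsigned long value = strtoul(hex, &end, 16);
    if (end == hex) return 0;
    *addr_out = (uint32_t)value;
    return 1;
}

/* Classify a report: a near-null address is a NULL dereference at a struct offset. */
enum fault_kind triage_report(const char *report) {
    uint32_t addr;
    if (!parse_fault_address(report, &addr)) return FAULT_UNPARSED;
    return addr < NULL_PAGE_SIZE ? FAULT_NEAR_NULL : FAULT_OTHER;
}

int main(void) {
    uint32_t addr = 0;
    parse_fault_address(SAMPLE_REPORT, &addr);
    if (triage_report(SAMPLE_REPORT) == FAULT_NEAR_NULL)
        printf("fault at NULL + 0x%x: a NULL pointer was dereferenced, "
               "not a buffer overrun\n", (unsigned)addr);
    else
        printf("no near-null fault found; read registers and stack instead\n");
    return 0;
}
```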
