Issue 43487 ZDI-CAN-765: CSS Charset Text Transformation Vulnerability
Reported by jsc...@chromium.org (Project Member), May 6 2010
Status: Fixed
Owner:
Closed: May 2010
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: ----
Pri: 2
Type: Bug-Security
M-5

Reported upstream at: https://bugs.webkit.org/show_bug.cgi?id=38626

ZDI-CAN-765: Apple Webkit CSS Charset Text Transformation Remote Code Execution Vulnerability

-- ABSTRACT ------------------------------------------------------------

TippingPoint has identified a vulnerability affecting the following 
products:

    Apple Safari

-- VULNERABILITY DETAILS -----------------------------------------------

This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Apple Safari's Webkit. User interaction is
required to exploit this vulnerability in that the target must visit a
malicious page or open a malicious file.

The specific flaw exists within Webkit's support of character sets. If
the IBM1147 character set is applied to a particular element and that
element has a text transformation applied to it, the application will
attempt to access an object that doesn't exist in order to perform the
transformation. Successful exploitation will lead to code execution
under the context of the web-browser.

This issue occurs when WebKit applies the IBM1147 character set to a
forced linebreak represented by the "<BR>" element. If an uppercase or
lowercase text transformation is applied to the linebreak utilizing the
IBM1147 character set, the application will attempt to manipulate the
text style, accessing memory that hasn't been accounted for.

This can be reproduced with the following code.
<html xmlns="http://www.w3.org/1999/xhtml">
    <style type="text/css">
        @charset IBM1147;
    </style>
    <br>
        <style type="text/css">
            br{text-transform:lowercase;}
        </style>
    </br>
</html>

Version(s)  tested: Apple Safari 4.0.4 (531.21.10)
Platform(s) tested: Windows XP SP3

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:
    * wushi of team509

-- FURTHER DETAILS -----------------------------------------------------

If you have any questions, comments, concerns or require additional
details please feel free to contact me via the following:

    Kate Fly
    Security Liaison
    TippingPoint
    kfly@tippingpoint.com
    Office: +1 512.681.8219

We can alternatively be reached via e-mail at:

    zdi-disclosures@tippingpoint.com

Our PGP key is available from:

    http://www.zerodayinitiative.com/documents/disclosures-pgp-key.asc

-- INFORMATION ABOUT THE ZDI -------------------------------------------

Established by TippingPoint, The Zero Day Initiative (ZDI) represents 
a best-of-breed model for rewarding security researchers for responsibly
disclosing discovered vulnerabilities.

The ZDI is unique in how the acquired vulnerability information is
used. TippingPoint does not re-sell the vulnerability details or any
exploit code. Instead, upon notifying the affected product vendor,
TippingPoint provides its customers with zero day protection through
its intrusion prevention technology. Explicit details regarding the
specifics of the vulnerability are not exposed to any parties until
an official vendor patch is publicly available. Furthermore, with the
altruistic aim of helping to secure a broader user base, TippingPoint
provides this vulnerability information confidentially to security
vendors (including competitors) who have a vulnerability protection or
mitigation product.

Please contact us for further information or refer to:

    http://www.zerodayinitiative.com

-- DISCLOSURE POLICY ---------------------------------------------------

Our vulnerability disclosure policy is available online at:

    http://www.zerodayinitiative.com/advisories/disclosure_policy/

 
zdi-can-765.xhtml
239 bytes View Download
Comment 1 by karen@chromium.org, May 10 2010
Labels: Mstone-5
Status: Started
Status: FixUnreleased
Committed r59795: <http://trac.webkit.org/changeset/59795>

I will let it bake on dev channel for a week before merging to v5 1st patch.
Comment 4 by jsc...@chromium.org, May 24 2010
Labels: NeedsMerge
Comment 5 by jsc...@chromium.org, May 24 2010
Labels: -Pri-1 Pri-2
Comment 6 by bugdro...@gmail.com, May 25 2010
The following revision refers to this bug:
    http://src.chromium.org/viewvc/chrome?view=rev&revision=48112 

------------------------------------------------------------------------
r48112 | inferno@chromium.org | 2010-05-24 18:07:45 -0700 (Mon, 24 May 2010) | 30 lines
Changed paths:
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/ChangeLog?r1=48112&r2=48111
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/text/text-transform-nontext-node-crash-expected.txt
   A http://src.chromium.org/viewvc/chrome/branches/WebKit/375/LayoutTests/fast/text/text-transform-nontext-node-crash.xhtml
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/ChangeLog?r1=48112&r2=48111
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/rendering/RenderText.cpp?r1=48112&r2=48111
   M http://src.chromium.org/viewvc/chrome/branches/WebKit/375/WebCore/rendering/RenderTextFragment.cpp?r1=48112&r2=48111

Merge 59795 - 2010-05-19  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Check that the node is a text node before doing a static cast
        to a Text class pointer.
        https://bugs.webkit.org/show_bug.cgi?id=38626    

        Test: fast/text/text-transform-nontext-node-crash.xhtml

        * rendering/RenderText.cpp:
        (WebCore::RenderText::originalText):
        * rendering/RenderTextFragment.cpp:
        (WebCore::RenderTextFragment::originalText):
        (WebCore::RenderTextFragment::previousCharacter):
2010-05-19  Abhishek Arya  <inferno@chromium.org>

        Reviewed by David Hyatt.

        Tests that text transformation applied to a nontext node
        does not result in crash.
        https://bugs.webkit.org/show_bug.cgi?id=38626        

        * fast/text/text-transform-nontext-node-crash-expected.txt: Added.
        * fast/text/text-transform-nontext-node-crash.xhtml: Added.


TBR=yaar@chromium.org
BUG= 43487 

------------------------------------------------------------------------

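The advisory above describes a text transform being applied to a `<br>` element, and the merged ChangeLog describes the fix as checking that the renderer's node is a text node before static-casting it to a `Text` pointer. The following is an added C++ example written for this page, not WebKit code and not part of the bug report: it uses a deliberately simplified stand-in for the DOM classes (`Node`, `Text`, `Element`, a virtual `isTextNode()` flag and `Text::data()`, all constructed here) to show the unchecked-downcast shape that was fixed and the checked form that replaced it, applied across a constructed text / `<br>` / text sibling list like the one in the repro.

```cpp
#include <cctype>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Simplified stand-in for the DOM node hierarchy (constructed for this
// example; not WebKit code). isTextNode() is the virtual type flag that a
// renderer must consult before treating a Node as a Text.
class Node {
public:
    virtual ~Node() = default;
    virtual bool isTextNode() const { return false; }
    virtual std::string nodeName() const = 0;
};

class Text final : public Node {
public:
    explicit Text(std::string data) : m_data(std::move(data)) {}
    bool isTextNode() const override { return true; }
    std::string nodeName() const override { return "#text"; }
    const std::string& data() const { return m_data; }
private:
    std::string m_data;
};

class Element final : public Node {
public:
    explicit Element(std::string tagName) : m_tagName(std::move(tagName)) {}
    std::string nodeName() const override { return m_tagName; }
private:
    std::string m_tagName;
};

// ASCII lower-casing used as the "text-transform: lowercase" stand-in.
static std::string toLowerAscii(std::string s) {
    for (char& c : s)
        c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Checked downcast: the only way this example turns a Node* into a Text*.
// A <br> (or any other element) yields nullptr instead of having its
// fields reinterpreted as Text::m_data.
static const Text* toText(const Node* node) {
    return (node && node->isTextNode()) ? static_cast<const Text*>(node) : nullptr;
}

// Pre-fix shape of the original-text lookup, kept as a comment only because
// it is undefined behaviour when the node is an element such as <br>:
//     return toLowerAscii(static_cast<const Text*>(node)->data());
// Post-fix shape: validate the node type first and return empty text otherwise.
std::string originalTextLowercased(const Node* node) {
    const Text* text = toText(node);
    if (!text)
        return std::string();
    return toLowerAscii(text->data());
}

// Applies the transform to every node of a flat sibling list, mirroring a
// style rule that reaches a <br> sitting between two text runs.
std::vector<std::string> transformSiblings(const std::vector<std::unique_ptr<Node>>& nodes) {
    std::vector<std::string> out;
    out.reserve(nodes.size());
    for (const auto& node : nodes)
        out.push_back(originalTextLowercased(node.get()));
    return out;
}

// Constructed sample DOM: text, <br>, text.
std::vector<std::unique_ptr<Node>> sampleSiblings() {
    std::vector<std::unique_ptr<Node>> nodes;
    nodes.push_back(std::make_unique<Text>("Hello"));
    nodes.push_back(std::make_unique<Element>("br"));
    nodes.push_back(std::make_unique<Text>("WORLD"));
    return nodes;
}
```

Funnelling every downcast through one checked helper such as `toText()` is the general form of the fix: the type check lives in a single place, so a new caller (the `RenderTextFragment` paths named in the ChangeLog are a second instance of the same cast) cannot forget it.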
Labels: -NeedsMerge
Labels: -Restrict-View-SecurityTeam
Status: Fixed
Fixed in 5.0.375.70
Comment 9 by jsc...@chromium.org, Dec 16 2010
Labels: SecSeverity-High
Labels: Type-Security
Labels: SecImpacts-Stable
Batch update.
Project Member Comment 12 by bugdroid1@chromium.org, Oct 13 2012
Labels: Restrict-AddIssueComment-Commit
This issue has been closed for some time. No one will pay attention to new comments.
If you are seeing this bug or have new data, please click New Issue to start a new bug.
Project Member Comment 13 by bugdroid1@chromium.org, Mar 10 2013
Labels: -Area-WebKit -Mstone-5 -SecSeverity-High -Type-Security -SecImpacts-Stable Cr-Content M-5 Security-Impact-Stable Type-Bug-Security Security-Severity-High
Project Member Comment 14 by bugdroid1@chromium.org, Mar 13 2013
Labels: -Restrict-AddIssueComment-Commit Restrict-AddIssueComment-EditIssue
Project Member Comment 15 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Severity-High Security_Severity-High
Project Member Comment 16 by bugdroid1@chromium.org, Mar 21 2013
Labels: -Security-Impact-Stable Security_Impact-Stable
Project Member Comment 17 by bugdroid1@chromium.org, Apr 6 2013
Labels: -Cr-Content Cr-Blink
Project Member Comment 18 by sheriffbot@chromium.org, Oct 1 2016
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Project Member Comment 19 by sheriffbot@chromium.org, Oct 1 2016
Labels: Restrict-View-SecurityNotify
Project Member Comment 20 by sheriffbot@chromium.org, Oct 2 2016
Labels: -Restrict-View-SecurityNotify
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic