Advisory Details

April 19th, 2011

Webkit Anonymous Frame Remote Code Execution Vulnerability

ZDI-11-139
ZDI-CAN-1035

CVE ID
CVSS SCORE 9.0, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
AFFECTED VENDORS WebKit
AFFECTED PRODUCTS WebKit
TREND MICRO CUSTOMER PROTECTION Trend Micro TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 11101. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Apple Safari Webkit. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the library's implementation of a frame element. When parsing a malformed document embedded inside an SVG document, the library will create an anonymous block around a frame element in the block's contents. When freeing this anonymous block via an assignment to the read-only .textContent attribute, a reference to one of the child elements will still exist. Accessing this child element can then lead to code execution under the context of the application.

ADDITIONAL DETAILS

Webkit fix:
http://trac.webkit.org/changeset/81611


DISCLOSURE TIMELINE
  • 2011-03-31 - Vulnerability reported to vendor
  • 2011-04-19 - Coordinated public release of advisory
CREDIT wushi of team509
BACK TO ADVISORIES