Stack Exhaustion in WebKit.dll – Safari.

Well well, if you haven't already, stop using Safari! The script is very simple and, as a denial of service, very effective: it causes an Access Violation exception in WebKit.dll, the rendering engine that several browsers are built on. Luckily, Google Chrome runs each page in its own sandboxed renderer process, so the crash only takes down that tab and the browser itself survives.

The script simply fills the DOM document with <marquee> tags and, within seconds, crashes both Safari and Opera. Opera does not run WebKit, however; it turned out that the script made it crash for an unrelated reason (http://secunia.com/advisories/39590).
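Stack exhaustion in a renderer comes from recursion over deeply nested elements (layout and style resolution walk the tree recursively), so the useful defensive check on the content side is a cap on nesting depth, not on element count: a hundred thousand sibling <marquee> elements are harmless, a hundred thousand nested ones are not. The following is an added example written for this page, not the exploit from the post (which is not reproduced here) and not WebKit's own code; it is a cheap pre-parse gate you could run over untrusted HTML before handing it to a browser engine. The depth limit of 512 is an assumed policy value, and the sample documents are constructed inline.

```javascript
// Added example (not the original exploit): a nesting-depth gate for untrusted HTML.
// Renderers recurse over the DOM during layout, so a document nested tens of
// thousands of levels deep can exhaust the thread stack, while a flat run of the
// same elements cannot. The cap of 512 below is an assumed policy value.

// HTML void elements never take a closing tag, so they must not add depth.
const VOID_ELEMENTS = new Set([
  'area', 'base', 'br', 'col', 'embed', 'hr', 'img', 'input',
  'link', 'meta', 'param', 'source', 'track', 'wbr',
]);

// Returns the deepest element nesting level found in `html`.
// Tokenisation is deliberately simple (tags only; comments and <script>
// bodies are not special-cased) because this is a pre-parse sanity gate,
// not a full HTML parser. Unclosed tags keep increasing the depth, which is
// exactly the case a browser's error recovery turns into deep nesting.
function maxNestingDepth(html) {
  const tagRe = /<\s*(\/?)([a-zA-Z][a-zA-Z0-9-]*)[^>]*?(\/?)>/g;
  let depth = 0;
  let maxDepth = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const isClose = m[1] === '/';
    const name = m[2].toLowerCase();
    const selfClosing = m[3] === '/';
    if (isClose) {
      if (depth > 0) depth -= 1;
    } else if (!VOID_ELEMENTS.has(name) && !selfClosing) {
      depth += 1;
      if (depth > maxDepth) maxDepth = depth;
    }
  }
  return maxDepth;
}

// Gate: true when the document nests deeper than `limit` levels (assumed cap).
function exceedsNestingLimit(html, limit = 512) {
  return maxNestingDepth(html) > limit;
}

// Constructed inputs: same element count, very different nesting depth.
const flatMarquees = '<marquee>x</marquee>'.repeat(100000); // many, but flat
const nestedMarquees = '<marquee>'.repeat(100000);          // never closed: deep

function demo() {
  return {
    flat: maxNestingDepth(flatMarquees),
    nested: maxNestingDepth(nestedMarquees),
    flatBlocked: exceedsNestingLimit(flatMarquees),
    nestedBlocked: exceedsNestingLimit(nestedMarquees),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Run it with node and the flat document reports depth 1 and passes, while the nested one reports depth 100000 and is rejected. The point of the gate is that it is linear in the input and uses no recursion itself, so it cannot be exhausted by the very input it is screening.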

I was going to debug this, but Visual Studio 2010 was unable to analyze the process. OllyDbg, however, reported:

Don't know how to step because memory at address FFF3F5FB is not readable. Try to change EIP or pass exception to program.

I have only tested this in Safari and Chrome; feel free to comment if you test it in some other WebKit-based browser and tell us your results.

The exploit can be found here.

Update: Apparently Konqueror does not run WebKit (WebKit was forked from KHTML, the open-source engine of Konqueror). I'm sorry for this miss, and thanks for pointing it out, "Arioch".

Sup, I'm Mathias and I was born in 1991. It feels like I should really write something here.

22 Comments

  1. Tweets that mention New Post: Overflow in WebKit.dll - Safari and Opera. ( ): Well well, if you haven't alre... -- Topsy.com says:

    [...] This post was mentioned on Twitter by AckAck. AckAck said: New Post: Overflow in WebKit.dll - Safari and Opera. ( http://h.ackack.net/?p=258 ): Well well, if you haven't alre... [...]

  2. Fredrik Nordberg Almroth says:

    I just have to write this interesting error log from Opera:
    OPERA-CRASHLOG V1 desktop 10.51 3315 windows
    Opera.exe 3315 (1) caused exception C0000005 at address 00000000 (Base: 1090000)

    Registers:
    EAX=035D6470 EBX=03482B78 ECX=001AEA5C EDX=67E15018 ESI=07F3A738
    EDI=032539B8 EBP=001AEAB0 ESP=001AEA44 EIP=00000000 FLAGS=00010246
    CS=0023 DS=002B SS=002B ES=002B FS=0053 GS=002B
    FPU stack:
    00000000000000000000 00000000000000000000 00000000000000000000
    4006B300000000000000 4006B300000000000000 4003D800000000000000
    3FFF8000000000000000 00000000000000000000 SW=0126 CW=027F
    ...

    Cheers mate!

  3. Fredrik Nordberg Almroth says:

    As I wrote two posts ago, this exploit also affects the following web browsers:
    # Dolphin Browser/2.5.0 – HTC Hero
    # Chrome/??? – HTC Hero (Default Browser)
    And as said previously, we do not have the required tools to debug it. Unfortunately.

  4. huh says:

    "Konqueror and other browsers relying on WebKit might also have this flaw but I have only tested this in Safari, Opera and Chrome"

    Opera uses Presto, not WebKit.

  5. Mathias Karlsson says:

    Yes, we thought it did when we tried it and it would crash but it turned out to be another vulnerability in Opera (http://secunia.com/advisories/39590). I can see why the text makes you think it uses WebKit. Updated and thanks for the comment!

  6. Opera Content Writing Uninitialised Memory Vulnerability « Bug-Blog says:

    [...] ORIGINAL ADVISORY: Mathias Karlsson: http://h.ackack.net/?p=258 [...]

  7. bugmeyes says:

    Opera has already published a patch: http://my.opera.com/desktopteam/blog/2010/04/28/opera-10-53-rc1-for-windows-and-mac
    It's just a snapshot, not a "stable" release, but at least it should fix the bug.

  8. Anonymous says:

    [...] [...]

  9. Fredrik Nordberg Almroth says:

    Yeah we noticed, awesome by Opera to publish a patch that fast!

  10. Arioch says:

    Konqueror does not use WebKit either, so someone with KDE please test it.

  11. physical therapist says:

    Pretty nice post. I just stumbled upon your blog and wanted to say that I have really enjoyed browsing your blog posts. In any case I’ll be subscribing to your feed and I hope you write again soon!

  12. Highly Critical Vulnerability Discovered in Opera 10.52 | Hackers-Paradise By Suchit says:

    [...] it turned out that the exploit made it crash for other reasons,” the researcher writes on his blog, where an exploit is also [...]

  13. nameboy says:

    I tried it on Opera 10.10 on FreeBSD. Didn't crash. So it affects only 10.51.

  14. huh says:

    "Konqueror does not use WebKit as well."

    It does now. It switched to WebKit after the mess Apple made, I think.

  15. cna training says:

    Terrific work! This is the type of information that should be shared around the web. Shame on the search engines for not positioning this post higher!

  16. TomPier says:

    great post as usual!

  17. Pharmacy technician resume says:

    Great site. A lot of useful information here. I’m sending it to some friends!

  18. shirkdog says:

    Anyone have a Droid lying around?

    Just DoSed the browser on mine with this exploit.

  19. The Hairy Swedish Charm Of ‘The Troll King’ | TV drama says:

    [...] Stack Exhaustion in WebKit.dll – Safari. [...]

  20. Dental Clinic in Deland Florida | Deland Dental Office Florida | Deland Teeth Whitening Florida | Bright Teeth Whitening says:

    [...] Stack Exhaustion in WebKit.dll – Safari. [...]

  21. Back Again! says:

    [...] yeah, Safari 5 still got the stack overflow vulnerability in WebKit which we released here, what on earth are you doing [...]

  22. chaosink says:

    Tested on Droid with Android 2.2 just now and still crashes dolphin. Time to break out the debugger!
