‘WebKit WBR Tag Removal Code Execution Vulnerability’

Published on June 15th, 2011
Summary

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Webkit.’

Credit:

‘The information has been provided by Vupen Security.
The original article can be found at: http://www.zerodayinitiative.com/advisories/ZDI-11-135/


Details

Vulnerable Systems:
 * WebKit WebKit

User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the way the Webkit library handles WBR tags on a webpage. By adding children to a WBR tag and then consequently removing the tag through, for example, a ‘removeChild’ call it is possible to create a dangling pointer that can result in remote code execution under the context of the current user.

Patch Availability:
Google patch on March 12, 2011:
http://googlechromereleases.blogspot.com/2011/03/stable-and-beta-channel-updates.html

Apple patch on April 14, 2011:
http://support.apple.com/kb/HT4606
http://support.apple.com/kb/HT4607
http://support.apple.com/kb/HT4596

Webkit fix:
http://trac.webkit.org/changeset/79689

CVE Information:
CVE-2011-1344

Disclosure Timeline:
2011-03-31 – Vulnerability reported to vendor
2011-04-14 – Coordinated public release of advisory’

Categories: UNIX
Tags:

Related Posts

UNIX

‘ProFTPD Response Pool Use-After-Free Code Execution Vulnerability’

'This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of the ProFTPd server.'

UNIX

‘Insight Control for Linux Multiple Vulnerabilities’

'Remote unauthorized elevation of privilege, execution of arbitrary code, encryption downgrade, information disclosure and Denial of Service (DoS) vulnerabilities were identified in Insight Control for Linux.'

UNIX

‘HP-UX Running NFS/ONCplus Denial of Service Vulnerability’

'A potential security vulnerability has been identified with NFS/ONCplus running on HP-UX.'