About | Buy | Industry Watch | Learning Curve | Products | Search | Test Drive
Home » Industry Watch » Safari KHTMLParser::popOneBlock

Safari KHTMLParser::popOneBlock

A new bug in Apple's web browser causes it to crash and may lead to arbitrary code execution.

Discovered by Jose Avila, the following bug was tested on the latest version of Safari on 31 July 2006 on a fully patched 10.4 PPC system. Safari will dereference and call a pointer from the heap if a script element inside a div element redefines the document body.

Arbitrary code execution is possible. Avila asks for more time to develop a reliable exploit. Avila adds the observation that although this code was initially 'borrowed' from KDE it does not affect Konqueror 3.5.3. Readers are left to draw their own conclusions.

Crash Reporter

Crash Reporter shows the following on execution of the exploit.

Program received signal EXC_BAD_INSTRUCTION, Illegal instruction/operand.
(gdb) x/i $pc
0x4aeec58: .long 0x690074

#0  0x04aeec58 in ?? ()
#1  0x95c6f884 in KHTMLParser::popOneBlock ()
#2  0x95c43998 in KHTMLParser::freeBlock ()
#3  0x95cdff3c in KHTMLParser::finished ()
#4  0x95cdfe7c in khtml::HTMLTokenizer::end ()
#5  0x95c7ec8c in khtml::HTMLTokenizer::finish ()
#6  0x95d90358 in KHTMLPart::endIfNotLoading ()

0x95c6f8c4 <_ZN11KHTMLParser11popOneBlockEb+132>: lwz     r2,0(r3)
0x95c6f8c8 <_ZN11KHTMLParser11popOneBlockEb+136>: lwz     r12,268(r2)
0x95c6f8cc <_ZN11KHTMLParser11popOneBlockEb+140>: mtctr   r12
0x95c6f8d0 <_ZN11KHTMLParser11popOneBlockEb+144>: bctrl

Test It Yourself

Click here to test your own version of Safari. Note you must have JavaScript enabled.

About | ACP | Buy | Industry Watch | Learning Curve | Search | Test Drive
Copyright © Rixstep. All rights reserved.