Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad; iOS before 4.2.7 for iPhone 4 (CDMA); and possibly other products allows remote attackers to execute arbitrary code by adding children to a WBR tag and then removing the tag, related to text nodes, as demonstrated by Chaouki Bekrar during a Pwn2Own competition at CanSecWest 2011.

**Apple, Microsoft browsers drop to first shots at the hacking contest**

Senior Reporter, Computerworld |

Apple's Safari and Microsoft's Internet Explorer (IE) both fell to the first hackers who tried their luck on the browsers at Wednesday's opening day of Pwn2Own.

The hacking challenge kicked off at 3:30 p.m. PT, slightly later than scheduled, at the CanSecWest security conference, which runs March 9-11 in Vancouver, British Columbia.

A team from the French security company Vupen walked off with $15,000 and a new MacBook Air after exploiting an unpatched vulnerability in Safari.

Earlier today, Apple updated Safari to version 5.0.4, fixing 62 vulnerabilities. But Vupen was still able to break the browser.

"Apple has just released Safari 5.0.4 and iOS 4.3 a few minutes before the Pwn2Own contest," Vupen said Wednesday afternoon on its Twitter account several hours before the contest began. "This breaks some exploits but not all!!"

HP TippingPoint, the security company that sponsors Pwn2Own, said earlier today that the last-minute Safari updates could affect who was awarded prize money.

TippingPoint's Peter Vreugdenhil said the browsers were "frozen" two weeks before today's tip-off with the then-current versions of Safari, Google's Chrome 9, Microsoft's IE8 and Mozilla's Firefox 3.6, to give researchers a stationary target.

"Exploit development does sometimes rely on certain versions and that is the reason we have frozen the devices," Vreugdenhil said in an e-mail today.

But the Safari patches still had a part to play in Vupen winning. If the vulnerability used by Vupen to hack Safari had been fixed in 5.0.4, TippingPoint would not have awarded the $15,000 prize.

Instead, the money would have gone to the first researcher who exploited the "frozen" version of Safari -- 5.0.3 was on the MacBook Air -- using a bug still present in today's update.

"As long as the latest version still has the vulnerability, and the researcher has successfully 'pwned' \[successfully compromised the computer\] with the frozen version, he or she will have won," said Vreugdenhil.

This was the first time in four years that Safari had fallen to someone other than Charlie Miller, an analyst with the security consulting group Independent Security Evaluators (ISE), and co-author of _The Mac Hackers Handbook_. Miller won at Pwn2Own in 2008, 2009 and 2010 by exploiting Safari.

Microsoft's IE8 also dropped to its first attacker, Stephen Fewer, who drew the No. 1 spot for that browser. Fewer is the founder of Harmony Security, and frequently reports bugs to TippingPoint's Zero Day Initiative (ZDI) bounty program.

To exploit IE8, Fewer bypassed Protected Mode, said Aaron Portnoy, manager of TippingPoint's security research team and the organizer of Pwn2Own for each of its five years. Protected Mode is Microsoft's name for the sandbox-like anti-exploit technology designed to isolate the browser from the operating system and the rest of the computer.

Vupen, which was waiting in the wings in case Fewer failed, did not get a chance to try its luck against IE8.

Microsoft, which has engineers from its Microsoft Security Response Center (MSRC) at the Canadian contest, said it was already on the case.

"Our top security researchers are already investigating the IE exploit used in the Pwn2Own contest," the MSRC team said via Twitter Wednesday afternoon.

Earlier this week, Microsoft had said it had not updated IE -- as Apple, Google and Mozilla all did in the days leading up to the contest -- because the move would have been too disruptive to customers.

As Jerry Bryant, a group manager with MSRC, pointed out Tuesday, TippingPoint reports the vulnerabilities exploited at Pwn2Own to vendors, who have six months to fix the flaws before TippingPoint goes public with any technical information. Thus, there is little danger of any exploited bug falling into cybercriminals' hands.

In an interview after the day's activities wrapped up, TippingPoint's Portnoy said that Firefox had been rescheduled for Thursday and that the researchers who had earlier committed to tackling Chrome had either not shown up or had decided to focus on RIM's BlackBerry smartphone.

The four smartphones will be subjected to attack Thursday, Portnoy said.

Pwn2Own's smartphone track features devices running Apple's iOS, Google's Android, Microsoft's Windows Phone 7 and RIM's BlackBerry OS. TippingPoint will award $15,000 for the first hack of each of the smartphones.

_**Gregg Keizer** covers Microsoft, security issues, Apple, Web browsers and general technology breaking news for_ Computerworld_. Follow Gregg on Twitter at  @gkeizer or subscribe to Gregg's RSS feed . His e-mail address is gkeizer@computerworld.com._

Senior Reporter Gregg Keizer covers Windows, Office, Apple/enterprise, web browsers and web apps for Computerworld.

Copyright © 2011 IDG Communications, Inc.

CVE-2011-1344: Safari, IE hacked first at Pwn2Own

Mozilla Firefox 3.0.13 and earlier, 3.5, 3.6 a1 pre, and 3.7 a1 pre; SeaMonkey 1.1.17; and Mozilla 1.7.x and earlier do not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header.  NOTE: in some product versions, the JavaScript executes outside of the context of the HTTP site.

23:55 11.07.2009

В минулому місяці я писав про Cross-Site Scripting уразливості в Mozilla, Internet Explorer, Opera та Chrome. Яка дозволяє виконання JavaScript коду через заголовок refresh (зазначу, що подібну атаку також можна реалізувати через інший вектор - через meta-refresh тег). Дана уразливість була виправлена Мозілою в Firefox 3.0.9.

Так от нещодавно, 06.07.2009, я знайшов можливість обходу даного захисту в Firefox. Також даний метод XSS атак працює в Mozilla та Chrome.

Для обходу захисту від виконання JavaScript коду через заголовок refresh потрібно використати data: URI, в якому буде вже міститися необхідний JS код. Цей метод для проведення XSS атак через meta-refresh тег вже давно відомий - він був в XSS Cheat Sheet ще в 2006 році. І от його я використав для обходу захисту в Firefox та для проведення атак через refresh-header редиректори.

XSS:

Вектори атаки через meta-refresh тег та заголовок refresh:

<meta http-equiv="refresh" content="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+">

При запиті до скрипта на сайті:  
http://site/script.php?param=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b  
Що поверне у відповіді заголовок refresh і код виконається у браузері:  
refresh: 0; URL=data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ%2b

Через data: можна обійти в Firefox 3.0.9 і вище (тестував в 3.0.11) заборону на виконання JavaScript коду в заголовку refresh. Тільки в Firefox 3.0.11 і Google Chrome таким чином до кукісів не дістатися, зате це можна зробити в старій Mozilla.

Уразлива версія Mozilla 1.7.x та попередні версії.

Уразлива версія Mozilla Firefox 3.0.11 (і 3.5 також повинен бути уразливим) та попередні версії.

Уразлива версія Google Chrome 1.0.154.48 та попередні версії (і потенційно наступні версії).

This entry was posted on 23:55 11.07.2009 and is filed under Уразливості. You can follow any responses to this entry through the RSS 2.0 feed.

Tag

#chrome