AOH :: HP Unsorted R :: B1A-1365.HTM

ref_fuzz and other fun bugs



ref_fuzz and other fun bugs
ref_fuzz and other fun bugs



Belated, but here are some recent bugs that you guys might find interesting:

1) DOM reference fuzzer, originally developed in 2008, crashed every
browser on the market back then. This tool attempts to crawl the DOM
object hierarchy from a particular starting point, collects object
references discovered during the crawl by recursively calling methods
and examining properties, and then reuses them in various ways after
destroying the original object. In essence, the goal is to find
use-after-free conditions across the browser codebase.

Several of the bugs triggered by the fuzzer were rediscovered
independently in the two years it took vendors to investigate; most
notably, looks like the winning Pwn2own bug is a duplicate of this.
The release of Microsoft MS10-035 and Apple APPLE-SA-2010-06-21-1
probably fixes the last of the known exploitable issues triggered by
this tool. Likely not a great argument in favor of vendor-dependent
disclosure.

Additional info:
http://lcamtuf.blogspot.com/2010/06/announcing-reffuzz-2yo-fuzzer.html 
Link to the fuzzer: http://lcamtuf.coredump.cx/ref_fuzz5.html 

2) Safari SOP bypass (CVE-2010-0544) - a difference between KURL and
CFNetwork URL parsing allows content fetched from different origins to
be considered same-origin when a particular obscure loophole in
RFC1630 used. The backstory on this vulnerability is probably
interesting, but it does not feel appropriate to paste it here in its
entirety.

Additional info:
http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html 
Link to PoC: http://lcamtuf.coredump.cx/sfbypass/ 

3) Address bar spoofing in Firefox (CVE-2010-1206) - an
usability-related exception causes the destination URL to be inserted
in the address bar before the destination site is actually loaded; by
calling window.stop() or navigating to HTTP 204, it is possible to
keep this URL while rendering arbitrary attacker-controlled window
contents:

Additional info:
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html 
Firefox PoC: http://lcamtuf.coredump.cx/ffox_spoof.html 
Related behavior in Safari: http://lcamtuf.coredump.cx/safari_spoof.html 

4) Some more fun with selective mid-keystroke focus redirection in
WebKit-based browsers (CVE-2010-1422) - see
http://seclists.org/fulldisclosure/2010/Mar/232 for original 
description of the vulnerability; as it turns out, the attack scenario
- where a malicious top-level window selectively redirects keystrokes
to a hidden frame - can also be trivially reversed. This allows a
malicious gadget embedded on a trusted page (say, a social site or a
search engine) to steal any text entered in the parent.

Additional info:
http://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html 
Link to PoC: http://lcamtuf.coredump.cx/webkit-focus/toplevel2.html 

/mz

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.