Vulnerabilities > CVE-2008-2317 - Resource Management Errors vulnerability in Apple Safari

CVSS 9.3 - CRITICAL
Attack vector
NETWORK
Attack complexity
MEDIUM
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
apple
CWE-399
critical
nessus

Summary

WebCore in Apple Safari does not properly perform garbage collection of JavaScript document elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via a reference to the ownerNode property of a copied CSSStyleSheet object of a STYLE element, as originally demonstrated on Apple iPhone before 2.0 and iPod touch before 2.0, a different vulnerability than CVE-2008-1590.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SAFARI3_2.NASL
    description: The version of Apple Safari installed on the remote Mac OS X host is earlier than 3.2. As such, it is potentially affected by several issues : - A signedness issue in Safari […] (truncated here; the full description appears in the plugin code below)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34773
    published: 2008-11-14
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34773
    title: Mac OS X : Apple Safari < 3.2
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, this block only declares metadata and then exits, so none of the
    # detection logic further down runs.
    if (description)
    {
      script_id(34773);
      script_version("1.16");
      script_cvs_date("Date: 2018/07/14  1:59:35");
    
      # Only the four uncommented ids are registered for this plugin; the
      # commented-out ids are not reported by it.
      # NOTE(review): presumably those issues are addressed outside the Safari
      # update on Mac OS X - confirm against the vendor advisory.
      script_cve_id(
        # "CVE-2005-2096",
        # "CVE-2008-1767",
        "CVE-2008-2303",
        "CVE-2008-2317",
        # "CVE-2008-2327",
        # "CVE-2008-2332",
        # "CVE-2008-3608",
        # "CVE-2008-3623",
        # "CVE-2008-3642",
        "CVE-2008-3644",
        "CVE-2008-4216"
      );
      script_bugtraq_id(32291);
    
      script_name(english:"Mac OS X : Apple Safari < 3.2");
      script_summary(english:"Check the Safari SourceVersion");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web browser that is affected by several
    issues.");
      script_set_attribute(attribute:"description", value:
    "The version of Apple Safari installed on the remote Mac OS X host is
    earlier than 3.2.  As such, it is potentially affected by several
    issues :
    
      - A signedness issue in Safari's handling of JavaScript 
        array indices could lead to a crash or arbitrary code 
        execution. (CVE-2008-2303)
    
      - A memory corruption issue in WebCore's handling of style
        sheet elements could lead to a crash or arbitrary code 
        execution. (CVE-2008-2317)
    
      - Disabling autocomplete on a form field may not prevent 
        the data in the field from being stored in the browser 
        page cache. (CVE-2008-3644)
    
      - WebKit's plug-in interface does not block plug-ins from 
        launching local URLs, which could allow a remote 
        attacker to launch local files in Safari and lead to the 
        disclosure of sensitive information. (CVE-2008-4216)");
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3298");
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Nov/msg00001.html");
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/15730");
      script_set_attribute(attribute:"solution", value:"Upgrade to Apple Safari 3.2 or later.");
      # CVSS v2 base vector: network-reachable, medium access complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # CVSS v2 temporal vector: functional exploit (E:F), official fix
      # available (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      # Exploit metadata: flags an exploit as available and names the CANVAS
      # framework; useful when prioritising remediation of this finding.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      # CWE-189 (numeric errors), CWE-200 (information exposure),
      # CWE-399 (resource management errors).
      script_cwe_id(189, 200, 399);
    
      script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/14");
      script_set_attribute(attribute:"patch_publication_date", value:"2008/11/13");
    
      # "local": the verdict is derived from data collected on the host itself
      # (see the Host/local_checks_enabled requirement below).
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
      script_end_attributes();
     
      # Information-gathering category: the plugin only reads collected data.
      script_category(ACT_GATHER_INFO);
      script_family(english:"MacOS X Local Security Checks");
     
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
     
      # Scheduled after macosx_Safari31.nasl.
      # NOTE(review): presumably that plugin populates the MacOSX/Safari/* KB
      # entries read by the check below - confirm.
      script_dependencies("macosx_Safari31.nasl");
      # The check is only scheduled when all of these KB keys are present.
      script_require_keys("Host/local_checks_enabled", "Host/uname", "Host/MacOSX/Version", "MacOSX/Safari/Installed");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    
    
    # Version-only detection: everything below reads values already stored in
    # the knowledge base and compares version strings. Nothing is sent to the
    # browser and no vulnerable code path is exercised, so a finding means
    # "installed version is older than the fix", not "exploitation confirmed".

    # Local (credentialed) checks must have succeeded for the KB data to exist.
    local_checks = get_kb_item("Host/local_checks_enabled");
    if (!local_checks) exit(0, "Local checks are not enabled.");

    # The host must have been identified as Mac OS X.
    osx_version = get_kb_item("Host/MacOSX/Version");
    if (!osx_version) audit(AUDIT_OS_NOT, "Mac OS X");

    # Scope gate on the kernel string: only Darwin 8.x, 9.0.x-9.4.x and 9.5.0
    # pass; any other release is audited out as "not Mac OS X 10.4 / 10.5".
    # NOTE(review): later Darwin 9 releases are skipped here, presumably because
    # they already ship a fixed Safari - confirm.
    kernel_id = get_kb_item_or_exit("Host/uname");
    darwin_in_scope = egrep(pattern:"Darwin.* (8\.|9\.([0-4]\.|5\.0))", string:kernel_id);
    if (!darwin_in_scope) audit(AUDIT_OS_NOT, "Mac OS X 10.4 / 10.5");

    # Safari must be installed; a missing path or version is treated as an
    # error (exit code 1) rather than as "not affected".
    get_kb_item_or_exit("MacOSX/Safari/Installed");
    install_path = get_kb_item_or_exit("MacOSX/Safari/Path", exit_code:1);
    installed = get_kb_item_or_exit("MacOSX/Safari/Version", exit_code:1);

    patched = "3.2";

    # Anything at or above the fixed release is recorded as not vulnerable and
    # the script stops here (audit() exits).
    if (ver_compare(ver:installed, fix:patched, strict:FALSE) != -1)
      audit(AUDIT_INST_VER_NOT_VULN, "Safari", installed);

    # Older than the fix: raise the finding, with version details when the
    # scan's report verbosity asks for them.
    if (report_verbosity > 0)
    {
      details = '\n  Installed version : ' + installed;
      details = details + '\n  Fixed version     : ' + patched + '\n';
      security_hole(port:0, extra:details);
    }
    else
    {
      security_hole(0);
    }
    
  • NASL family: Windows
    NASL id: SAFARI_3_2.NASL
    description: The version of Safari installed on the remote Windows host is earlier than 3.2. Such versions are potentially affected by several issues : - Safari includes a version of zlib that is affected by multiple vulnerabilities. (CVE-2005-2096) - A heap-based buffer overflow issue in the libxslt library could lead to a crash or arbitrary code execution. (CVE-2008-1767) - A signedness issue in Safari […] (truncated here; the full description appears in the plugin code below)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 34772
    published: 2008-11-14
    reporter: This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/34772
    title: Safari < 3.2 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner loads the plugin with `description`
    # set, this block only declares metadata and then exits, so none of the
    # detection logic further down runs.
    if (description)
    {
      script_id(34772);
      script_version("1.14");
      script_cvs_date("Date: 2018/07/27 18:38:15");
    
      # All eleven CVE ids are registered for the Windows build, including the
      # zlib, libxslt, libTIFF, ImageIO and CoreGraphics issues described below.
      script_cve_id(
        "CVE-2005-2096",
        "CVE-2008-1767",
        "CVE-2008-2303",
        "CVE-2008-2317",
        "CVE-2008-2327",
        "CVE-2008-2332",
        "CVE-2008-3608",
        "CVE-2008-3623",
        "CVE-2008-3642",
        "CVE-2008-3644",
        "CVE-2008-4216"
      );
      script_bugtraq_id(14162, 29312, 30832, 32291);
    
      script_name(english:"Safari < 3.2 Multiple Vulnerabilities");
      script_summary(english:"Checks version number of Safari");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote host contains a web browser that is affected by several
    issues." );
      script_set_attribute(attribute:"description", value:
    "The version of Safari installed on the remote Windows host is earlier
    than 3.2.  Such versions are potentially affected by several issues :
    
      - Safari includes a version of zlib that is affected by
        multiple vulnerabilities. (CVE-2005-2096)
    
      - A heap-based buffer overflow issue in the libxslt library
        could lead to a crash or arbitrary code execution.
        (CVE-2008-1767)
    
      - A signedness issue in Safari's handling of JavaScript
        array indices could lead to a crash or arbitrary code
        execution. (CVE-2008-2303)
    
      - A memory corruption issue in WebCore's handling of style
        sheet elements could lead to a crash or arbitrary code
        execution. (CVE-2008-2317)
    
      - Multiple uninitialized memory access issues in libTIFF's
        handling of LZW-encoded TIFF images could lead to a
        crash or arbitrary code execution. (CVE-2008-2327)
    
      - A memory corruption issue in ImageIO's handling of TIFF
        images could lead to a crash or arbitrary code
        execution. (CVE-2008-2332).
    
      - A memory corruption issue in ImageIO's handling of
        embedded ICC profiles in JPEG images could lead to a
        crash or arbitrary code execution. (CVE-2008-3608)
    
      - A heap-based buffer overflow in CoreGraphics' handling
        of color spaces could lead to a crash or arbitrary code
        execution. (CVE-2008-3623)
    
      - A buffer overflow in the handling of images with an
        embedded ICC profile could lead to a crash or arbitrary
        code execution. (CVE-2008-3642)
    
      - Disabling autocomplete on a form field may not prevent
        the data in the field from being stored in the browser
        page cache. (CVE-2008-3644)
    
      - WebKit's plug-in interface does not block plug-ins from
        launching local URLs, which could allow a remote
        attacker to launch local files in Safari and lead to the
        disclosure of sensitive information. (CVE-2008-4216)" );
      script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3298" );
      script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Nov/msg00001.html" );
      script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/15730" );
      script_set_attribute(attribute:"solution", value:"Upgrade to Safari 3.2 or later." );
      # CVSS v2 base vector: network-reachable, medium access complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
      # CVSS v2 temporal vector: functional exploit (E:F), official fix
      # available (RL:OF), report confirmed (RC:C).
      script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
      # Exploit metadata: flags an exploit as available and names the CANVAS
      # framework; useful when prioritising remediation of this finding.
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'CANVAS');
      # CWE-119 (memory buffer bounds), CWE-189 (numeric errors),
      # CWE-200 (information exposure), CWE-399 (resource management errors).
      script_cwe_id(119, 189, 200, 399);
      script_set_attribute(attribute:"plugin_publication_date", value: "2008/11/14");
      # NOTE(review): 2005/07/07 presumably tracks the oldest listed CVE
      # (CVE-2005-2096), not the Safari-specific issues - confirm. No
      # patch_publication_date attribute is set in this block.
      script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/07");
      # "local": the verdict is derived from data collected on the host itself
      # rather than from probing the browser.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
      script_end_attributes();
    
      # Information-gathering category: the plugin only reads collected data.
      script_category(ACT_GATHER_INFO);
      script_family(english:"Windows");
    
      script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
    
      # Scheduled after safari_installed.nasl.
      # NOTE(review): presumably that plugin populates the SMB/Safari/* KB
      # entries read by the check below - confirm.
      script_dependencies("safari_installed.nasl");
      # The check is only scheduled when the Safari file version is in the KB.
      script_require_keys("SMB/Safari/FileVersion");
    
      exit(0);
    }
    
    
    include("global_settings.inc");
    
    
    # Version-only detection for Safari on Windows: the file version stored in
    # the knowledge base is compared against a fixed threshold. Nothing is sent
    # to the browser, so a finding means "older than the fixed build", not
    # "exploitation confirmed".
    file_ver = get_kb_item("SMB/Safari/FileVersion");
    if (isnull(file_ver)) exit(0);

    # Turn the dotted file version into integers so each component is compared
    # numerically rather than as text.
    parts = split(file_ver, sep:'.', keep:FALSE);
    count = max_index(parts);
    for (idx = 0; idx < count; idx++)
      parts[idx] = int(parts[idx]);

    # Flag anything older than file version 3.525.26.13, the threshold this
    # plugin uses for Safari 3.2, walking the components left to right.
    # NOTE(review): a version string with fewer than four components leaves
    # parts[3] unset - confirm how the final comparison treats that case.
    outdated = FALSE;
    if (parts[0] < 3) outdated = TRUE;
    else if (parts[0] == 3)
    {
      if (parts[1] < 525) outdated = TRUE;
      else if (parts[1] == 525)
      {
        if (parts[2] < 26) outdated = TRUE;
        else if (parts[2] == 26 && parts[3] < 13) outdated = TRUE;
      }
    }

    # When the build is not outdated the script simply ends; no audit message
    # is recorded for the "not affected" outcome.
    if (outdated)
    {
      if (report_verbosity)
      {
        # Show the product version when the KB has one; otherwise fall back to
        # the raw file version.
        shown_ver = file_ver;
        product_ver = get_kb_item("SMB/Safari/ProductVersion");
        if (!isnull(product_ver)) shown_ver = product_ver;

        report = string(
          "\n",
          "Safari version ", shown_ver, " is currently installed on the remote host.\n"
        );
        # The finding is attached to the SMB transport port read from the KB.
        security_hole(port:get_kb_item("SMB/transport"), extra:report);
      }
      else
      {
        security_hole(get_kb_item("SMB/transport"));
      }
    }
    

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 30186 CVE(CAN) ID: CVE-2008-1588,CVE-2008-1589,CVE-2008-2303,CVE-2008-2317,CVE-2008-1590 iPod touch(也被称为iTouch)是苹果公司发布的MP4播放器,iPhone是其发布的智能手机。 iPhone和iPod Touch都内嵌了Safari浏览器,远程攻击者可以利用该浏览器中的多个安全漏洞导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2008-1588 Safari在地址栏中显示当前URL时会呈现Unicode表意空间,这允许恶意站点将用户引导到看起来类似于合法域的欺骗站点。 CVE-2008-1589 当Safari访问了使用自签名或无效证书的站点时,会提示用户接受或拒绝证书。如果用户在提示时按下了菜单键,则在下一次访问该站点就会未经提示便接受该证书,这可能导致泄露敏感信息。 CVE-2008-2303 Safari处理JavaScript数组索引时的符号错误可能导致越界内存访问,如果访问了恶意站点,浏览器就可能意外终止或执行任意代码。 CVE-2008-2317 WebCore处理样式表单元时存在内存破坏漏洞,如果访问了恶意站点,浏览器就可能意外终止或执行任意代码。 CVE-2008-1590 JavaScriptCore处理运行时垃圾收集的方式存在内存破坏漏洞,如果访问了恶意站点,浏览器就可能意外终止或执行任意代码。 Apple iPhone 1.0 - 1.1.4 Apple iTouch 1.1 - 1.1.4 Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://www.apple.com
id: SSV:3613
last seen: 2017-11-19
modified: 2008-07-14
published: 2008-07-14
reporter: Root
title: Apple iPhone和iPod Touch 2.0版修复多个安全漏洞