Vulnerabilities > CVE-2008-2317 - Resource Management Errors vulnerability in Apple Safari
Attack vector: NETWORK
Attack complexity: MEDIUM
Privileges required: NONE
Confidentiality impact: COMPLETE
Integrity impact: COMPLETE
Availability impact: COMPLETE
Summary
WebCore in Apple Safari does not properly perform garbage collection of JavaScript document elements, which allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption and application crash) via a reference to the ownerNode property of a copied CSSStyleSheet object of a STYLE element, as originally demonstrated on Apple iPhone before 2.0 and iPod touch before 2.0, a different vulnerability than CVE-2008-1590.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Hardware | 8 | |
OS | 5 | |
Application | 1 |
Common Weakness Enumeration (CWE)
Nessus
# Listing metadata shown on the page for this plugin (not part of the plugin source):
#   NASL family : MacOS X Local Security Checks
#   NASL id     : MACOSX_SAFARI3_2.NASL
#   description : The version of Apple Safari installed on the remote Mac OS X host is earlier than 3.2. As such, it is potentially affected by several issues : - A signedness issue in Safari
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 34773
#   published   : 2008-11-14
#   reporter    : This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/34773
#   title       : Mac OS X : Apple Safari < 3.2
#   code        : follows
#
# (C) Tenable Network Security, Inc.
#
# Purpose: report Apple Safari on Mac OS X when the version recorded in the scan
# knowledge base (KB) is lower than 3.2. The script compares version strings only;
# nothing in it exercises the listed vulnerabilities, so a finding means
# "installed version predates the fix", not "flaw confirmed on this host".

include("compat.inc");

# Metadata registration. This branch runs only when `description` is set and
# ends with exit(0), so none of the check logic further down executes in that pass.
if (description)
{
  script_id(34773);
  script_version("1.16");
  script_cvs_date("Date: 2018/07/14 1:59:35");

  # Only the four uncommented ids are registered; they match the four issues
  # named in the description text below. The commented-out ids also appear in the
  # Windows "Safari < 3.2" plugin (34772) listed on this page.
  # NOTE(review): presumably they are excluded here because they do not apply to
  # the Mac OS X build of Safari - confirm against the vendor advisory.
  script_cve_id(
    # "CVE-2005-2096",
    # "CVE-2008-1767",
    "CVE-2008-2303",
    "CVE-2008-2317",
    # "CVE-2008-2327",
    # "CVE-2008-2332",
    # "CVE-2008-3608",
    # "CVE-2008-3623",
    # "CVE-2008-3642",
    "CVE-2008-3644",
    "CVE-2008-4216"
  );
  script_bugtraq_id(32291);

  script_name(english:"Mac OS X : Apple Safari < 3.2");
  script_summary(english:"Check the Safari SourceVersion");

  script_set_attribute(attribute:"synopsis", value: "The remote host contains a web browser that is affected by several issues.");
  script_set_attribute(attribute:"description", value: "The version of Apple Safari installed on the remote Mac OS X host is earlier than 3.2. As such, it is potentially affected by several issues : - A signedness issue in Safari's handling of JavaScript array indices could lead to a crash or arbitrary code execution. (CVE-2008-2303) - A memory corruption issue in WebCore's handling of style sheet elements could lead to a crash or arbitrary code execution. (CVE-2008-2317) - Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. (CVE-2008-3644) - WebKit's plug-in interface does not block plug-ins from launching local URLs, which could allow a remote attacker to launch local files in Safari and lead to the disclosure of sensitive information. 
(CVE-2008-4216)");
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3298");
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Nov/msg00001.html");
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/15730");
  script_set_attribute(attribute:"solution", value:"Upgrade to Apple Safari 3.2 or later.");

  # CVSS v2 base vector: network access, medium complexity, no authentication,
  # complete confidentiality / integrity / availability impact. The temporal
  # vector records a functional exploit, an official fix and a confirmed report.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  # CWE-189 (numeric errors), CWE-200 (information exposure),
  # CWE-399 (resource management errors).
  script_cwe_id(189, 200, 399);

  script_set_attribute(attribute:"plugin_publication_date", value:"2008/11/14");
  script_set_attribute(attribute:"patch_publication_date", value:"2008/11/13");
  # "local" + ACT_GATHER_INFO: the plugin only reads data already collected from the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"MacOS X Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  # The KB keys read below are expected to be filled in by this dependency.
  script_dependencies("macosx_Safari31.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/uname", "Host/MacOSX/Version", "MacOSX/Safari/Installed");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");

# Without local checks there is no installed-version data to compare.
if (!get_kb_item("Host/local_checks_enabled")) exit(0, "Local checks are not enabled.");

os = get_kb_item("Host/MacOSX/Version");
if (!os) audit(AUDIT_OS_NOT, "Mac OS X");

# Scope guard: the uname string must contain Darwin 8.x, Darwin 9.0.x-9.4.x or
# Darwin 9.5.0; the audit message labels that range "Mac OS X 10.4 / 10.5".
# Hosts outside it are audited out rather than evaluated.
uname = get_kb_item_or_exit("Host/uname");
if (!egrep(pattern:"Darwin.* (8\.|9\.([0-4]\.|5\.0))", string:uname)) audit(AUDIT_OS_NOT, "Mac OS X 10.4 / 10.5");

get_kb_item_or_exit("MacOSX/Safari/Installed");
# The path is required to be present but is not used in the report below.
path = get_kb_item_or_exit("MacOSX/Safari/Path", exit_code:1);
version = get_kb_item_or_exit("MacOSX/Safari/Version", exit_code:1);

fixed_version = "3.2";

# A ver_compare() result of -1 is treated as "installed version is older than
# fixed_version"; every other result goes to the not-vulnerable audit trail.
if (ver_compare(ver:version, fix:fixed_version, strict:FALSE) == -1)
{
  if (report_verbosity > 0)
  {
    # Give the analyst both versions so the finding can be confirmed on the host.
    report = '\n Installed version : ' + version + '\n Fixed version : ' + fixed_version + '\n';
    security_hole(port:0, extra:report);
  }
  else security_hole(0);
}
else audit(AUDIT_INST_VER_NOT_VULN, "Safari", version);
# Listing metadata shown on the page for this plugin (not part of the plugin source):
#   NASL family : Windows
#   NASL id     : SAFARI_3_2.NASL
#   description : The version of Safari installed on the remote Windows host is earlier than 3.2. Such versions are potentially affected by several issues : - Safari includes a version of zlib that is affected by multiple vulnerabilities. (CVE-2005-2096) - A heap-based buffer overflow issue in the libxslt library could lead to a crash or arbitrary code execution. (CVE-2008-1767) - A signedness issue in Safari
#   last seen   : 2020-06-01
#   modified    : 2020-06-02
#   plugin id   : 34772
#   published   : 2008-11-14
#   reporter    : This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
#   source      : https://www.tenable.com/plugins/nessus/34772
#   title       : Safari < 3.2 Multiple Vulnerabilities
#   code        : follows
#
# (C) Tenable Network Security, Inc.
#
# Purpose: report Safari on Windows when the file version recorded in the scan
# knowledge base (KB) is lower than 3.525.26.13. Only version numbers are
# compared; the script does not exercise any of the listed vulnerabilities.

include("compat.inc");

# Metadata registration. This branch runs only when `description` is set and
# ends with exit(0), so the version check further down does not execute in that pass.
if (description)
{
  script_id(34772);
  script_version("1.14");
  script_cvs_date("Date: 2018/07/27 18:38:15");

  # All eleven ids are registered here, including the bundled-library issues
  # (zlib, libxslt, libTIFF, ImageIO, CoreGraphics) described below.
  script_cve_id( "CVE-2005-2096", "CVE-2008-1767", "CVE-2008-2303", "CVE-2008-2317", "CVE-2008-2327", "CVE-2008-2332", "CVE-2008-3608", "CVE-2008-3623", "CVE-2008-3642", "CVE-2008-3644", "CVE-2008-4216" );
  script_bugtraq_id(14162, 29312, 30832, 32291);

  script_name(english:"Safari < 3.2 Multiple Vulnerabilities");
  script_summary(english:"Checks version number of Safari");

  script_set_attribute(attribute:"synopsis", value: "The remote host contains a web browser that is affected by several issues." );
  script_set_attribute(attribute:"description", value: "The version of Safari installed on the remote Windows host is earlier than 3.2. Such versions are potentially affected by several issues : - Safari includes a version of zlib that is affected by multiple vulnerabilities. (CVE-2005-2096) - A heap-based buffer overflow issue in the libxslt library could lead to a crash or arbitrary code execution. (CVE-2008-1767) - A signedness issue in Safari's handling of JavaScript array indices could lead to a crash or arbitrary code execution. 
(CVE-2008-2303) - A memory corruption issue in WebCore's handling of style sheet elements could lead to a crash or arbitrary code execution. (CVE-2008-2317) - Multiple uninitialized memory access issues in libTIFF's handling of LZW-encoded TIFF images could lead to a crash or arbitrary code execution. (CVE-2008-2327) - A memory corruption issue in ImageIO's handling of TIFF images could lead to a crash or arbitrary code execution. (CVE-2008-2332). - A memory corruption issue in ImageIO's handling of embedded ICC profiles in JPEG images could lead to a crash or arbitrary code execution. (CVE-2008-3608) - A heap-based buffer overflow in CoreGraphics' handling of color spaces could lead to a crash or arbitrary code execution. (CVE-2008-3623) - A buffer overflow in the handling of images with an embedded ICC profile could lead to a crash or arbitrary code execution. (CVE-2008-3642) - Disabling autocomplete on a form field may not prevent the data in the field from being stored in the browser page cache. (CVE-2008-3644) - WebKit's plug-in interface does not block plug-ins from launching local URLs, which could allow a remote attacker to launch local files in Safari and lead to the disclosure of sensitive information. (CVE-2008-4216)" );
  script_set_attribute(attribute:"see_also", value:"http://support.apple.com/kb/HT3298" );
  script_set_attribute(attribute:"see_also", value:"http://lists.apple.com/archives/security-announce/2008/Nov/msg00001.html" );
  script_set_attribute(attribute:"see_also", value:"http://www.securityfocus.com/advisories/15730" );
  script_set_attribute(attribute:"solution", value:"Upgrade to Safari 3.2 or later." );

  # CVSS v2 base vector: network access, medium complexity, no authentication,
  # complete confidentiality / integrity / availability impact. The temporal
  # vector records a functional exploit, an official fix and a confirmed report.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  # CWE-119 (memory buffer bounds), CWE-189 (numeric errors),
  # CWE-200 (information exposure), CWE-399 (resource management errors).
  script_cwe_id(119, 189, 200, 399);

  script_set_attribute(attribute:"plugin_publication_date", value: "2008/11/14");
  # NOTE(review): 2005/07/07 presumably tracks the oldest bundled issue
  # (CVE-2005-2096), not the Safari-specific flaws - confirm.
  script_set_attribute(attribute:"vuln_publication_date", value: "2005/07/07");
  # "local" + ACT_GATHER_INFO: the plugin only reads data already collected from the host.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apple:safari");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");

  # The KB keys read below are expected to be filled in by this dependency.
  script_dependencies("safari_installed.nasl");
  script_require_keys("SMB/Safari/FileVersion");
  exit(0);
}

include("global_settings.inc");

# No recorded file version means there is nothing to evaluate; exit without a finding.
ver = get_kb_item("SMB/Safari/FileVersion");
if (isnull(ver)) exit(0);

# Break the dotted file version into integers so each component is compared numerically.
iver = split(ver, sep:'.', keep:FALSE);
for (i=0; i<max_index(iver); i++)
  iver[i] = int(iver[i]);

# Flag any file version below 3.525.26.13, compared component by component.
# NOTE(review): if the KB value has fewer than four components, iver[3] is unset
# when it is compared with 13 - confirm how that evaluates for such hosts.
# There is no else branch, so a version at or above the threshold produces no output.
if (
  iver[0] < 3 ||
  (
    iver[0] == 3 &&
    (
      iver[1] < 525 ||
      (
        iver[1] == 525 &&
        (
          iver[2] < 26 ||
          (iver[2] == 26 && iver[3] < 13)
        )
      )
    )
  )
)
{
  if (report_verbosity)
  {
    # ProductVersion, when present, replaces the file version in the report text
    # only; the comparison above has already been made on FileVersion.
    prod_ver = get_kb_item("SMB/Safari/ProductVersion");
    if (!isnull(prod_ver)) ver = prod_ver;

    report = string( "\n", "Safari version ", ver, " is currently installed on the remote host.\n" );
    # The finding is attached to the port stored under the "SMB/transport" KB key.
    security_hole(port:get_kb_item("SMB/transport"), extra:report);
  }
  else security_hole(get_kb_item("SMB/transport"));
}
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 30186 CVE(CAN) ID: CVE-2008-1588,CVE-2008-1589,CVE-2008-2303,CVE-2008-2317,CVE-2008-1590 iPod touch(也被称为iTouch)是苹果公司发布的MP4播放器,iPhone是其发布的智能手机。 iPhone和iPod Touch都内嵌了Safari浏览器,远程攻击者可以利用该浏览器中的多个安全漏洞导致拒绝服务、读取敏感信息或执行任意代码。 CVE-2008-1588 Safari在地址栏中显示当前URL时会呈现Unicode表意空间,这允许恶意站点将用户引导到看起来类似于合法域的欺骗站点。 CVE-2008-1589 当Safari访问了使用自签名或无效证书的站点时,会提示用户接受或拒绝证书。如果用户在提示时按下了菜单键,则在下一次访问该站点就会未经提示便接受该证书,这可能导致泄露敏感信息。 CVE-2008-2303 Safari处理JavaScript数组索引时的符号错误可能导致越界内存访问,如果访问了恶意站点,浏览器就可能意外终止或执行任意代码。 CVE-2008-2317 WebCore处理样式表单元时存在内存破坏漏洞,如果访问了恶意站点,浏览器就可能意外终止或执行任意代码。 CVE-2008-1590 JavaScriptCore处理运行时垃圾收集的方式存在内存破坏漏洞,如果访问了恶意站点,浏览器就可能意外终止或执行任意代码。 Apple iPhone 1.0 - 1.1.4 Apple iTouch 1.1 - 1.1.4 Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.apple.com target=_blank>http://www.apple.com</a> |
id | SSV:3613 |
last seen | 2017-11-19 |
modified | 2008-07-14 |
published | 2008-07-14 |
reporter | Root |
title | Apple iPhone和iPod Touch 2.0版修复多个安全漏洞 |
References
- http://lists.apple.com/archives/security-announce/2008//Jul/msg00001.html
- http://www.securityfocus.com/bid/30186
- http://www.zerodayinitiative.com/advisories/ZDI-08-045/
- http://secunia.com/advisories/31074
- http://lists.apple.com/archives/security-announce//2008/Nov/msg00001.html
- http://support.apple.com/kb/HT3298
- http://www.vupen.com/english/advisories/2008/2094/references
- http://secunia.com/advisories/32706
- https://exchange.xforce.ibmcloud.com/vulnerabilities/43737
- http://www.securityfocus.com/archive/1/494777/100/0/threaded