Vulnerabilities > CVE-2008-3950 - Numeric Errors vulnerability in Apple Iphone, Ipod Touch and Safari
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
Off-by-one error in the _web_drawInRect:withFont:ellipsis:alignment:measureOnly function in WebKit in Safari in Apple iPhone 1.1.4 and 2.0 and iPod touch 1.1.4 and 2.0 allows remote attackers to cause a denial of service (browser crash) via a JavaScript alert call with an argument that lacks breakable characters and has a length that is a multiple of the memory page size, leading to an out-of-bounds read.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Hardware | 4 | |
| Application | 1 |
Common Weakness Enumeration (CWE)
Exploit-Db
| description | Apple iPhone 1.1.4/2.0 and iPod 1.1.4/2.0 touch Safari WebKit 'alert()' Function Remote Denial of Service Vulnerability. CVE-2008-3950. Dos exploit for hardw... |
| id | EDB-ID:32341 |
| last seen | 2016-02-03 |
| modified | 2008-09-12 |
| published | 2008-09-12 |
| reporter | Nicolas Economou |
| source | https://www.exploit-db.com/download/32341/ |
| title | Apple iPhone 1.1.4/2.0 and iPod 1.1.4/2.0 touch Safari WebKit 'alert' Function Remote Denial of Service Vulnerability |
Seebug
| bulletinFamily | exploit |
| description | BUGTRAQ ID: 31061 CVE(CAN) ID: CVE-2008-3950 iPhone是苹果发布的智能手机。 Apple Safari是iPhone手机中默认使用的WEB浏览器。Safari所使用的WebKit库中存在安全漏洞,如果对alert() JavaScript方式注入了特殊字符串的话,越界内存读取可能触发访问破坏,导致Safari崩溃。 有漏洞的函数为_web_drawInRect:withFont:ellipsis:alignment:measureOnly: :NSString(WebStringDrawing),这是alert()方式在实现JavaScript时所使用的一个函数。alert()方式接收将要显示在屏幕上的字符串参数,如果这个字符串参数过大的话,库就会映射储存参数所需的内存。 在调用有漏洞的函数时,该函数会调用WebCore::nextBreakablePosition方式负责搜索可拆分的字符,如空格、“-”等,并返回所找到的第一个可拆分字符的位置。如果没有找到可拆分字符的话,就会返回字符串最后位置加1。例如,如果字符串大小为0x1000且没有找到可拆分字符,就会返回0x1000(位置从0开始计算)。 当_web_drawInRect:withFont:ellipsis:alignment:measureOnly函数接收到大小为4096倍数的超长字符串参数且字符串中不包含有可拆分字符,则将该参数传送给WebCore::nextBreakablePosition方式时会导致崩溃。一旦调用了这个方式,就会使用返回值访问超过所分配内存位置以外的可能位于非映射内存区的字符串位置。以下是出现这个漏洞的函数段: /----------- 31739CB4 MOV R1, R8 ; R1=string 31739CB8 MOV R2, R10 ; R10=string len 31739CBC MOV R3, R8 31739CC0 MOV R0, R4 31739CC4 BL WebCore::nextBreakablePosition(ushort const*,int,int,bool) 31739CC8 LDR R1, =0x1008 31739CCC MOV R3, R0,LSL#1 ; R0=returned position 31739CD0 MOV R5, R0 31739CD4 LDRH R0, [R4,R3] ; &lt;---- CRASH="" !!! 31739CD8 ADD R6, R4, R3 31739CDC BL _u_getIntPropertyValue 31739CE0 CMP R0, #0x1D 31739CE4 BHI loc_31739D1C - -----------/ Apple iPhone 2.0 Apple iPhone 1.1.4 Apple iTouch 2.0 Apple iTouch 1.1.4 Apple ----- 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: <a href=http://www.apple.com/support/downloads/ target=_blank>http://www.apple.com/support/downloads/</a> |
| id | SSV:4064 |
| last seen | 2017-11-19 |
| modified | 2008-09-17 |
| published | 2008-09-17 |
| reporter | Root |
| source | https://www.seebug.org/vuldb/ssvid-4064 |
| title | Apple iPhone Safari WebKit alert()函数远程拒绝服务漏洞 |