Safari arguments integer overflow PoC (CVE-2008-2303)

CVE-2008-2303 covers an integer overflow in the handling of indices in the “arguments” array in Apple Safari that affects iPhone, iPod and PC (Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in July and for PC in November.
More details here
Repro here.

I have also created proof of concept code that shows potential exploitability and demonstrates how to use heap spraying in Safari. AFAIK this is the first use of heap spraying in Safari, but I may be wrong. Heap spraying in Safari is not that different from other browsers, just backwards ;) The code can be found here.

1 Comment to “Safari arguments integer overflow PoC (CVE-2008-2303)”

  1. yourmom
    2010/01/12

    Please be advised – This heapspray code does not work very well on Safari. You end up with contiguous chunks of payload followed by very large chunks of zeros spread out across the memory. It appears that the size of the zero chunks is equal to the size of the payload chunks, thus only a 50% chance of landing in the payload portion.
