SECURITYVULNS:DOC:15621
Jan 08, 2007 - 12:00 a.m.

MOAB-07-01-2007: OmniWeb Javascript alert() Format String Vulnerability

vulners.com

Summary

The vendor (Omni Group) provides the following description:

You're a Mac fan, right? When people ask you why you like the Mac, you probably think of the attention to detail that makes the Mac user experience superior. It's the sum of a lot of different things that add up to a system that's more powerful, more beautiful, and more fun.

What if you thought of a web browser in the same way? You use a web browser all the time, for working, for entertainment, for research; how cool would it be if every time you used it, you thought "Wow, this rules!"

Welcome to OmniWeb. OmniWeb elevates your web user experience to be more productive, more efficient, and more fun. You'll find information more quickly. You'll stay organized. You'll see the entire internet the way you choose. It's the browser that puts you in control.

Sure, you can use a standard web browser, with standard features. But you didn't choose a standard software experience - you chose the Mac. Why not try a browser built just for discriminating people with fabulous taste, like yourself?

…the only real reason to not make use of such a fabulous browser would be "bad code" ™. OmniWeb is affected by a format string vulnerability in its handling of the Javascript alert() function: the alert message is passed to a printf-style formatting routine as the format string rather than as an argument, which could allow remote arbitrary code execution.

Affected versions

This issue has been verified in OmniWeb 5.5.1 (v607.5) running on Mac OS X 10.4.8 (8L2127).

Proof of concept, exploit or instructions to reproduce

The provided (trivial, note for zealots: not talking about issue severity here) proof of concept can be used to verify this issue.

Debugging information

The following debugging information corresponds to the results of running the provided POC in OmniWeb 5.5.1:

Attaching to program: `/Volumes/OmniWeb/OmniWeb.app/Contents/MacOS/OmniWeb', process 8379.
Reading symbols for shared libraries …++…++…
…++++++++…++… done
0x90009857 in mach_msg_trap ()
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x90ab7a6c
0x9000c0c1 in __vfprintf ()
(gdb) i r
eax 0x90ab7a6c -1867810196
ecx 0x0 0
edx 0x0 0
ebx 0x9000ad62 -1879003806
esp 0xbfffc620 0xbfffc620
ebp 0xbfffcd78 0xbfffcd78
esi 0xbfffdd6e -1073750674
edi 0x25 37
eip 0x9000c0c1 0x9000c0c1 <__vfprintf+4976>
eflags 0x10286 66182
cs 0x17 23
ss 0x1f 31
ds 0x1f 31
es 0x1f 31
fs 0x0 0
gs 0x37 55
(gdb) back
#0 0x9000c0c1 in __vfprintf ()
#1 0x90100ea9 in snprintf_l ()
#2 0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3 0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4 0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5 0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6 0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7 0x934ac77a in _NXDoLocalRunAlertPanel ()
#8 0x934ac4cc in NSRunAlertPanel ()
#9 0x000b6a6e in -[OWTab(WebUIDelegate) webView:runJavaScriptAlertPanelWithMessage:] ()
#10 0x005ded54 in -[WebFrameBridge runJavaScriptAlertPanelWithMessage:] ()
#11 0x3454d295 in WebCore::MacFrame::runJavaScriptAlert ()
#12 0x3445aada in KJS::WindowFunc::callAsFunction ()
#13 0x34330186 in KJS::JSObject::call ()
#14 0x34323aee in KJS::FunctionCallResolveNode::evaluate ()
#15 0x3432765b in KJS::ExprStatementNode::execute ()
#16 0x3432a23c in KJS::SourceElementsNode::execute ()
#17 0x3432757d in KJS::BlockNode::execute ()
#18 0x3430ff4b in KJS::DeclaredFunctionImp::execute ()
#19 0x3430f9a4 in KJS::FunctionImp::callAsFunction ()
#20 0x34330186 in KJS::JSObject::call ()
#21 0x34323aee in KJS::FunctionCallResolveNode::evaluate ()
#22 0x3432765b in KJS::ExprStatementNode::execute ()
#23 0x3432a158 in KJS::SourceElementsNode::execute ()
#24 0x3432757d in KJS::BlockNode::execute ()
#25 0x3430ff4b in KJS::DeclaredFunctionImp::execute ()
#26 0x3430f9a4 in KJS::FunctionImp::callAsFunction ()
#27 0x34330186 in KJS::JSObject::call ()
#28 0x3442dc58 in KJS::JSAbstractEventListener::handleEvent ()
#29 0x345605a8 in WebCore::NodeImpl::handleLocalEvents ()
#30 0x34561b77 in WebCore::NodeImpl::dispatchGenericEvent ()
#31 0x34561dc8 in WebCore::NodeImpl::dispatchEvent ()
#32 0x345622da in WebCore::NodeImpl::dispatchMouseEvent ()
#33 0x3456268b in WebCore::NodeImpl::dispatchMouseEvent ()
#34 0x34550f8d in WebCore::FrameView::dispatchMouseEvent ()
#35 0x34551543 in WebCore::FrameView::viewportMouseReleaseEvent ()
#36 0x34542760 in WebCore::MacFrame::mouseUp ()
#37 0x0060627b in -[WebHTMLView mouseUp:] ()
#38 0x9334b42b in -[NSWindow sendEvent:] ()
#39 0x0004fe4e in -[OWBrowserWindow sendEvent:] ()
#40 0x9333d350 in -[NSApplication sendEvent:] ()
#41 0x003ce169 in -[OAApplication sendEvent:] ()
#42 0x93267dfe in -[NSApplication run] ()
#43 0x003ca6b7 in -[OAApplication run] ()
#44 0x9325bd2f in NSApplicationMain ()
#45 0x00010cca in main ()

Note that it's actually breaking WebKit, although Safari seems unaffected by this particular issue. See "Exploitation conditions" for other information related to exploitation techniques.
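As an added C illustration (not OmniWeb's or Omni Group's code) of the bug class the backtrace shows: frames #9 down to #0 carry the alert() text from the WebKit delegate through NSRunAlertPanel and -[NSString initWithFormat:arguments:] into __vfprintf as the format, not as an argument. The stand-in alert_panel(), the show_alert_* helpers, count_format_directives() and the sample message are assumptions made for this example; alert_panel() only mirrors the variadic shape of NSRunAlertPanel(). The block places the vulnerable call site beside the one-token fix (a constant "%s" format) and adds a small directive counter a reviewer or a detection rule can run over untrusted text.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Added example, not OmniWeb code: alert_panel() is a hypothetical stand-in
 * for NSRunAlertPanel(), whose message parameter is a printf-style format
 * forwarded to vsnprintf (frames #8 down to #0 in the backtrace). */
static int alert_panel(char *out, size_t n, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsnprintf(out, n, fmt, ap);   /* same sink as __vfprintf */
    va_end(ap);
    return written;
}

/* VULNERABLE call site: the page-controlled alert() text becomes the format,
 * so every '%' directive in it is interpreted against whatever happens to be
 * in the argument slots. Never feed this function text containing directives. */
int show_alert_unsafe(char *out, size_t n, const char *page_message)
{
    return alert_panel(out, n, page_message);
}

/* FIXED call site: a constant format with the untrusted text as an argument;
 * '%' sequences are now copied literally into the alert. */
int show_alert_safe(char *out, size_t n, const char *page_message)
{
    return alert_panel(out, n, "%s", page_message);
}

/* Defensive helper: count conversion directives in untrusted text. "%%" is an
 * escaped percent and is not counted. Useful when auditing strings that are
 * about to reach a format API, or as a cheap detection rule over page text. */
int count_format_directives(const char *s)
{
    int count = 0;
    for (const char *p = s; *p != '\0'; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* "%%" -> literal '%' */
            p++;
            continue;
        }
        count++;
    }
    return count;
}

int main(void)
{
    /* Constructed sample: an alert() message carrying printf directives. */
    const char *page_message = "Session expired: 100%d of quota used%n";
    char shown[256];

    printf("directives in untrusted text: %d\n",
           count_format_directives(page_message));
    show_alert_safe(shown, sizeof shown, page_message);
    printf("safe rendering: %s\n", shown);   /* directives appear literally */
    /* show_alert_unsafe() is deliberately not called with this input. */
    return 0;
}
```

The cheapest check for this bug class is at compile time: declaring alert_panel() with `__attribute__((format(printf, 3, 4)))` makes GCC and Clang report the unsafe call site under -Wformat-security, because a non-literal format is passed with no arguments. The same review question applies to any Cocoa API that takes a format (NSRunAlertPanel, NSLog, initWithFormat:): the untrusted text must only ever travel in the argument list.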

Notes

Exploitation conditions

Once again, stack NX is rendered useless and the dyld_stub overwrite technique can be used to abuse this issue on x86.

Workaround or temporary solution

Wait for a patch to be released for OmniWeb, or use an alternative browser such as Mozilla Firefox.