window.parent.close() -> code execution.

Hi folks,
today another very didactical 0day has been released. It affects Apple Safari window.parent.close() function.


The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.

The Exploit (click for enlarge):

Exploit Hight lights

(1) The vulnerable Function:

(2) Buffer Preparation:

(3) Memory Inclusion

I believe this is another interesting example of pointer manipulation (or if you wanna see from the other side, Buffer Overflow ) vulnerability. I wrote this post to remember this example for my next class (Fall 2010).