Hi folks,
today another very didactical 0day has been released. It affects Apple Safari window.parent.close() function.

Description:

The vulnerability is caused due to an error in the handling of parent windows and can result in a function call using an invalid pointer. This can be exploited to execute arbitrary code when a user e.g. visits a specially crafted web page and closes opened pop-up windows.The vulnerability is confirmed in Safari version 4.0.5 for Windows. Other versions may also be affected.

The Exploit (click for enlarge):

Exploit Hight lights

(1) The vulnerable Function:

(2) Buffer Preparation:


(3) Memory Inclusion

I believe this is another interesting example of pointer manipulation (or if you wanna see from the other side, Buffer Overflow ) vulnerability. I wrote this post to remember this example for my next class (Fall 2010).

One thought on “ window.parent.close() -> code execution. ”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.