<div><span style="font-family:'Lucida Grande';font-size:12px"><pre style="margin-top:0em;margin-right:0em;margin-bottom:0em;margin-left:0em">CVE-2008-2303 covers an integer overflow in the handling of indices in the "arguments" array in Apple Safari that affects iPhone, iPod and PC (Mac and Windows). It was fixed in Safari 3.2 for iPhone and iPod in July and for PC in November. More details here: <a href="http://support.apple.com/kb/HT3298" target="_blank">http://support.apple.com/kb/HT3298</a>

Simple repro:
<a href="http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/repro.html">http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/repro.html</a>

I have also created proof of concept code that shows potential exploitability and demonstrates how to use heap-spraying in Safari. AFAIK this is the first use of heap spraying in Safari, but I may be wrong. Heap spraying in Safari is not that different from other browsers, just backwards ;)
<a href="http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/poc.html">http://skypher.com/SkyLined/Repro/Safari/arguments%5B0x800000000%5D/poc.html</a>

No, script-kiddies, it is not a working "insert download and execute code here" exploit - view source for the win!!

I have created a list of software vulnerabilities, including previously unreleased material, on my website:
<a href="http://skypher.com/wiki/index.php?title=List_of_software_vulnerabilities">http://skypher.com/wiki/index.php?title=List_of_software_vulnerabilities</a>

Cheers,

SkyLined</pre></span></div>
<div><br></div>
<div>--------------------------------------------------------------------------------------------------------<br>
</div>
Berend-Jan Wever &lt;<a href="mailto:berendjanwever@gmail.com" target="_blank">berendjanwever@gmail.com</a>&gt; <a href="http://skypher.com" target="_blank">http://skypher.com</a><br><br>