BACK

CREDIT

POC or EXPLOIT

REFERENCES


Knowledge In, Bullshit Out.

Summary

The vendor (Omni Group) provides the following description:

You're a Mac fan, right? When people ask you why you like the Mac, you probably think of the attention to detail that makes the Mac user experience superior. It's the sum of a lot of different things that add up to a system that's more powerful, more beautiful, and more fun.

What if you thought of a web browser in the same way? You use a web browser all the time, for working, for entertainment, for research; how cool would it be if every time you used it, you thought "Wow, this rules!"

Welcome to OmniWeb. OmniWeb elevates your web user experience to be more productive, more efficient, and more fun. You'll find information more quickly. You'll stay organized. You'll see the entire internet the way you choose. It's the browser that puts you in control.

Sure, you can use a standard web browser, with standard features. But you didn't choose a standard software experience - you chose the Mac. Why not try a browser built just for discriminating people with fabulous taste, like yourself?

...the only real reason to not make use of such a fabulous browser would be "bad code" ™. OmniWeb is affected by a format string vulnerability in the handling of Javascript alert() function, which could allow remote arbitrary code execution.

Affected versions

This issue has been verified in OmniWeb 5.5.1 (v607.5) running on Mac OS X 10.4.8 (8L2127).

Proof of concept, exploit or instructions to reproduce

The provided (trivial, note for zealots: not talking about issue severity here) proof of concept can be used to verify this issue.

Debugging information

The following debugging information corresponds to the results of running the provided POC in OmniWeb 5.5.1:

Attaching to program: `/Volumes/OmniWeb/OmniWeb.app/Contents/MacOS/OmniWeb', process 8379.
Reading symbols for shared libraries ...................++..++............
..............................++++++++.......++.... done
0x90009857 in mach_msg_trap ()
(gdb) c
Continuing.

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x90ab7a6c
0x9000c0c1 in __vfprintf ()
(gdb) i r
eax            0x90ab7a6c       -1867810196
ecx            0x0      0
edx            0x0      0
ebx            0x9000ad62       -1879003806
esp            0xbfffc620       0xbfffc620
ebp            0xbfffcd78       0xbfffcd78
esi            0xbfffdd6e       -1073750674
edi            0x25     37
eip            0x9000c0c1       0x9000c0c1 <__vfprintf+4976>
eflags         0x10286  66182
cs             0x17     23
ss             0x1f     31
ds             0x1f     31
es             0x1f     31
fs             0x0      0
gs             0x37     55
(gdb) back
#0  0x9000c0c1 in __vfprintf ()
#1  0x90100ea9 in snprintf_l ()
#2  0x908119d5 in _CFStringAppendFormatAndArgumentsAux ()
#3  0x9081091c in _CFStringCreateWithFormatAndArgumentsAux ()
#4  0x925daa5d in -[NSPlaceholderString initWithFormat:locale:arguments:] ()
#5  0x925fc670 in -[NSString initWithFormat:arguments:] ()
#6  0x9336056f in -[NSAlert buildAlertStyle:title:message:first:second:third:oldStyle:args:] ()
#7  0x934ac77a in _NXDoLocalRunAlertPanel ()
#8  0x934ac4cc in NSRunAlertPanel ()
#9  0x000b6a6e in -[OWTab(WebUIDelegate) webView:runJavaScriptAlertPanelWithMessage:] ()
#10 0x005ded54 in -[WebFrameBridge runJavaScriptAlertPanelWithMessage:] ()
#11 0x3454d295 in WebCore::MacFrame::runJavaScriptAlert ()
#12 0x3445aada in KJS::WindowFunc::callAsFunction ()
#13 0x34330186 in KJS::JSObject::call ()
#14 0x34323aee in KJS::FunctionCallResolveNode::evaluate ()
#15 0x3432765b in KJS::ExprStatementNode::execute ()
#16 0x3432a23c in KJS::SourceElementsNode::execute ()
#17 0x3432757d in KJS::BlockNode::execute ()
#18 0x3430ff4b in KJS::DeclaredFunctionImp::execute ()
#19 0x3430f9a4 in KJS::FunctionImp::callAsFunction ()
#20 0x34330186 in KJS::JSObject::call ()
#21 0x34323aee in KJS::FunctionCallResolveNode::evaluate ()
#22 0x3432765b in KJS::ExprStatementNode::execute ()
#23 0x3432a158 in KJS::SourceElementsNode::execute ()
#24 0x3432757d in KJS::BlockNode::execute ()
#25 0x3430ff4b in KJS::DeclaredFunctionImp::execute ()
#26 0x3430f9a4 in KJS::FunctionImp::callAsFunction ()
#27 0x34330186 in KJS::JSObject::call ()
#28 0x3442dc58 in KJS::JSAbstractEventListener::handleEvent ()
#29 0x345605a8 in WebCore::NodeImpl::handleLocalEvents ()
#30 0x34561b77 in WebCore::NodeImpl::dispatchGenericEvent ()
#31 0x34561dc8 in WebCore::NodeImpl::dispatchEvent ()
#32 0x345622da in WebCore::NodeImpl::dispatchMouseEvent ()
#33 0x3456268b in WebCore::NodeImpl::dispatchMouseEvent ()
#34 0x34550f8d in WebCore::FrameView::dispatchMouseEvent ()
#35 0x34551543 in WebCore::FrameView::viewportMouseReleaseEvent ()
#36 0x34542760 in WebCore::MacFrame::mouseUp ()
#37 0x0060627b in -[WebHTMLView mouseUp:] ()
#38 0x9334b42b in -[NSWindow sendEvent:] ()
#39 0x0004fe4e in -[OWBrowserWindow sendEvent:] ()
#40 0x9333d350 in -[NSApplication sendEvent:] ()
#41 0x003ce169 in -[OAApplication sendEvent:] ()
#42 0x93267dfe in -[NSApplication run] ()
#43 0x003ca6b7 in -[OAApplication run] ()
#44 0x9325bd2f in NSApplicationMain ()
#45 0x00010cca in main ()
			

Note that it's actually breaking WebKit, although Safari seems unaffected by this particular issue. See "Exploitation conditions" for other information related to exploitation techniques.

Notes

Exploitation conditions

Once again, stack NX is rendered useless and the dyld_stub overwrite technique can be used to abuse this issue on x86.

Workaround or temporary solution

Wait for a patch released for Omni Web or use an alternative browser such as Mozilla Firefox.