ID CVE-2011-1344
Summary Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad; iOS before 4.2.7 for iPhone 4 (CDMA); and possibly other products allows remote attackers to execute arbitrary code by adding children to a WBR tag and then removing the tag, related to text nodes, as demonstrated by Chaouki Bekrar during a Pwn2Own competition at CanSecWest 2011.
References
Vulnerable Configurations
  • Apple Safari 1.0
    cpe:2.3:a:apple:safari:1.0
  • Apple Safari 1.0 Beta
    cpe:2.3:a:apple:safari:1.0:beta
  • Apple Safari 1.0 Beta2
    cpe:2.3:a:apple:safari:1.0:beta2
  • Apple Safari 1.0.0
    cpe:2.3:a:apple:safari:1.0.0
  • Apple Safari 1.0.0b1
    cpe:2.3:a:apple:safari:1.0.0b1
  • Apple Safari 1.0.0b2
    cpe:2.3:a:apple:safari:1.0.0b2
  • Apple Safari 1.0.1
    cpe:2.3:a:apple:safari:1.0.1
  • Apple Safari 1.0.2
    cpe:2.3:a:apple:safari:1.0.2
  • Apple Safari 1.0.3
    cpe:2.3:a:apple:safari:1.0.3
  • Apple Safari 1.0.3 85.8
    cpe:2.3:a:apple:safari:1.0.3:85.8
  • Apple Safari 1.0.3 85.8.1
    cpe:2.3:a:apple:safari:1.0.3:85.8.1
  • Apple Safari 1.1
    cpe:2.3:a:apple:safari:1.1
  • Apple Safari 1.1.0
    cpe:2.3:a:apple:safari:1.1.0
  • Apple Safari 1.1.1
    cpe:2.3:a:apple:safari:1.1.1
  • Apple Safari 1.2
    cpe:2.3:a:apple:safari:1.2
  • Apple Safari 1.2.0
    cpe:2.3:a:apple:safari:1.2.0
  • Apple Safari 1.2.1
    cpe:2.3:a:apple:safari:1.2.1
  • Apple Safari 1.2.2
    cpe:2.3:a:apple:safari:1.2.2
  • Apple Safari 1.2.3
    cpe:2.3:a:apple:safari:1.2.3
  • Apple Safari 1.2.4
    cpe:2.3:a:apple:safari:1.2.4
  • Apple Safari 1.2.5
    cpe:2.3:a:apple:safari:1.2.5
  • Apple Safari 1.3
    cpe:2.3:a:apple:safari:1.3
  • Apple Safari 1.3.0
    cpe:2.3:a:apple:safari:1.3.0
  • Apple Safari 1.3.1
    cpe:2.3:a:apple:safari:1.3.1
  • Apple Safari 1.3.2
    cpe:2.3:a:apple:safari:1.3.2
  • Apple Safari 1.3.2 312.5
    cpe:2.3:a:apple:safari:1.3.2:312.5
  • Apple Safari 1.3.2 312.6
    cpe:2.3:a:apple:safari:1.3.2:312.6
  • Apple Safari 2
    cpe:2.3:a:apple:safari:2
  • Apple Safari 2.0
    cpe:2.3:a:apple:safari:2.0
  • Apple Safari 2.0.0
    cpe:2.3:a:apple:safari:2.0.0
  • Apple Safari 2.0.1
    cpe:2.3:a:apple:safari:2.0.1
  • Apple Safari 2.0.2
    cpe:2.3:a:apple:safari:2.0.2
  • Apple Safari 2.0.3
    cpe:2.3:a:apple:safari:2.0.3
  • Apple Safari 2.0.3 417.8
    cpe:2.3:a:apple:safari:2.0.3:417.8
  • Apple Safari 2.0.3 417.9
    cpe:2.3:a:apple:safari:2.0.3:417.9
  • Apple Safari 2.0.3 417.9.2
    cpe:2.3:a:apple:safari:2.0.3:417.9.2
  • Apple Safari 2.0.3 417.9.3
    cpe:2.3:a:apple:safari:2.0.3:417.9.3
  • Apple Safari 2.0.4
    cpe:2.3:a:apple:safari:2.0.4
  • Apple Safari 3
    cpe:2.3:a:apple:safari:3
  • Apple Safari 3.0
    cpe:2.3:a:apple:safari:3.0
  • Apple Safari 3.0.0
    cpe:2.3:a:apple:safari:3.0.0
  • Apple Safari 3.0.0b
    cpe:2.3:a:apple:safari:3.0.0b
  • Apple Safari 3.0.1
    cpe:2.3:a:apple:safari:3.0.1
  • Apple Safari 3.0.1b
    cpe:2.3:a:apple:safari:3.0.1b
  • Apple Safari 3.0.2
    cpe:2.3:a:apple:safari:3.0.2
  • Apple Safari 3.0.2b
    cpe:2.3:a:apple:safari:3.0.2b
  • Apple Safari 3.0.3
    cpe:2.3:a:apple:safari:3.0.3
  • Apple Safari 3.0.3b
    cpe:2.3:a:apple:safari:3.0.3b
  • Apple Safari 3.0.4
    cpe:2.3:a:apple:safari:3.0.4
  • Apple Safari 3.0.4b
    cpe:2.3:a:apple:safari:3.0.4b
  • Apple Safari 3.1.0
    cpe:2.3:a:apple:safari:3.1.0
  • Apple Safari 3.1.0b
    cpe:2.3:a:apple:safari:3.1.0b
  • Apple Safari 3.1.1
    cpe:2.3:a:apple:safari:3.1.1
  • Apple Safari 3.1.2
    cpe:2.3:a:apple:safari:3.1.2
  • Apple Safari 3.2.0
    cpe:2.3:a:apple:safari:3.2.0
  • Apple Safari 3.2.1
    cpe:2.3:a:apple:safari:3.2.1
  • Apple Safari 3.2.2
    cpe:2.3:a:apple:safari:3.2.2
  • Apple Safari 4.0
    cpe:2.3:a:apple:safari:4.0
  • Apple Safari 4 Beta
    cpe:2.3:a:apple:safari:4.0:beta
  • Apple Safari 4.0.0b
    cpe:2.3:a:apple:safari:4.0.0b
  • Apple Safari 4.0.1
    cpe:2.3:a:apple:safari:4.0.1
  • Apple Safari 4.0.2
    cpe:2.3:a:apple:safari:4.0.2
  • Apple Safari 4.0.3
    cpe:2.3:a:apple:safari:4.0.3
  • Apple Safari 4.0.4
    cpe:2.3:a:apple:safari:4.0.4
  • Apple Safari 4.0.5
    cpe:2.3:a:apple:safari:4.0.5
  • Apple Safari 4.1
    cpe:2.3:a:apple:safari:4.1
  • Apple Safari 4.1.1
    cpe:2.3:a:apple:safari:4.1.1
  • Apple Safari 4.1.2
    cpe:2.3:a:apple:safari:4.1.2
  • Apple Safari 5.0
    cpe:2.3:a:apple:safari:5.0
  • Apple Safari 5.0.1
    cpe:2.3:a:apple:safari:5.0.1
  • Apple Safari 5.0.2
    cpe:2.3:a:apple:safari:5.0.2
  • Apple Safari 5.0.4
    cpe:2.3:a:apple:safari:5.0.4
  • Apple iPhone OS 1.0.0
    cpe:2.3:o:apple:iphone_os:1.0.0
  • Apple iPhone OS 1.0.1
    cpe:2.3:o:apple:iphone_os:1.0.1
  • Apple iPhone OS 1.0.2
    cpe:2.3:o:apple:iphone_os:1.0.2
  • Apple iPhone OS 1.1.0
    cpe:2.3:o:apple:iphone_os:1.1.0
  • Apple iPhone OS 1.1.1
    cpe:2.3:o:apple:iphone_os:1.1.1
  • Apple iPhone OS 1.1.2
    cpe:2.3:o:apple:iphone_os:1.1.2
  • Apple iPhone OS 1.1.3
    cpe:2.3:o:apple:iphone_os:1.1.3
  • Apple iPhone OS 1.1.4
    cpe:2.3:o:apple:iphone_os:1.1.4
  • Apple iPhone OS 1.1.5
    cpe:2.3:o:apple:iphone_os:1.1.5
  • Apple iPhone OS 2.0
    cpe:2.3:o:apple:iphone_os:2.0
  • Apple iPhone OS 2.0.0
    cpe:2.3:o:apple:iphone_os:2.0.0
  • Apple iPhone OS 2.0.1
    cpe:2.3:o:apple:iphone_os:2.0.1
  • Apple iPhone OS 2.0.2
    cpe:2.3:o:apple:iphone_os:2.0.2
  • Apple iPhone OS 2.1
    cpe:2.3:o:apple:iphone_os:2.1
  • Apple iPhone OS 2.1.1
    cpe:2.3:o:apple:iphone_os:2.1.1
  • Apple iPhone OS 2.2
    cpe:2.3:o:apple:iphone_os:2.2
  • Apple iPhone OS 2.2.1
    cpe:2.3:o:apple:iphone_os:2.2.1
  • Apple iPhone OS 3.0
    cpe:2.3:o:apple:iphone_os:3.0
  • Apple iPhone OS 3.0.1
    cpe:2.3:o:apple:iphone_os:3.0.1
  • Apple iPhone OS 3.1
    cpe:2.3:o:apple:iphone_os:3.1
  • Apple iPhone OS 3.1.2
    cpe:2.3:o:apple:iphone_os:3.1.2
  • Apple iPhone OS 3.1.3
    cpe:2.3:o:apple:iphone_os:3.1.3
  • Apple iPhone OS 3.2
    cpe:2.3:o:apple:iphone_os:3.2
  • Apple iPhone OS 3.2.1
    cpe:2.3:o:apple:iphone_os:3.2.1
  • Apple iPhone OS 4.0
    cpe:2.3:o:apple:iphone_os:4.0
  • Apple iPhone OS 4.0.1
    cpe:2.3:o:apple:iphone_os:4.0.1
  • Apple iPhone OS 4.0.2
    cpe:2.3:o:apple:iphone_os:4.0.2
  • Apple iPhone OS 4.1
    cpe:2.3:o:apple:iphone_os:4.1
  • cpe:2.3:o:apple:iphone_os:4.2
    cpe:2.3:o:apple:iphone_os:4.2
  • Apple iPhone OS 4.2.1
    cpe:2.3:o:apple:iphone_os:4.2.1
  • Apple iPhone OS 4.2.5
    cpe:2.3:o:apple:iphone_os:4.2.5
  • Apple iPhone OS 4.2.8
    cpe:2.3:o:apple:iphone_os:4.2.8
  • Apple iPhone OS 4.3.0
    cpe:2.3:o:apple:iphone_os:4.3.0
  • Apple iPhone OS 4.3.1
    cpe:2.3:o:apple:iphone_os:4.3.1
  • Apple iPad
    cpe:2.3:h:apple:ipad
  • Apple iPhone
    cpe:2.3:h:apple:iphone
  • Apple iPod Touch
    cpe:2.3:h:apple:ipod_touch
  • Apple iPhone OS 1.0.0
    cpe:2.3:o:apple:iphone_os:1.0.0
  • Apple iPhone OS 1.0.1
    cpe:2.3:o:apple:iphone_os:1.0.1
  • Apple iPhone OS 1.0.2
    cpe:2.3:o:apple:iphone_os:1.0.2
  • Apple iPhone OS 1.1.0
    cpe:2.3:o:apple:iphone_os:1.1.0
  • Apple iPhone OS 1.1.1
    cpe:2.3:o:apple:iphone_os:1.1.1
  • Apple iPhone OS 1.1.2
    cpe:2.3:o:apple:iphone_os:1.1.2
  • Apple iPhone OS 1.1.3
    cpe:2.3:o:apple:iphone_os:1.1.3
  • Apple iPhone OS 1.1.4
    cpe:2.3:o:apple:iphone_os:1.1.4
  • Apple iPhone OS 1.1.5
    cpe:2.3:o:apple:iphone_os:1.1.5
  • Apple iPhone OS 2.0
    cpe:2.3:o:apple:iphone_os:2.0
  • Apple iPhone OS 2.0.0
    cpe:2.3:o:apple:iphone_os:2.0.0
  • Apple iPhone OS 2.0.1
    cpe:2.3:o:apple:iphone_os:2.0.1
  • Apple iPhone OS 2.0.2
    cpe:2.3:o:apple:iphone_os:2.0.2
  • Apple iPhone OS 2.1
    cpe:2.3:o:apple:iphone_os:2.1
  • Apple iPhone OS 2.1.1
    cpe:2.3:o:apple:iphone_os:2.1.1
  • Apple iPhone OS 2.2
    cpe:2.3:o:apple:iphone_os:2.2
  • Apple iPhone OS 2.2.1
    cpe:2.3:o:apple:iphone_os:2.2.1
  • Apple iPhone OS 3.0
    cpe:2.3:o:apple:iphone_os:3.0
  • Apple iPhone OS 3.0.1
    cpe:2.3:o:apple:iphone_os:3.0.1
  • Apple iPhone OS 3.1
    cpe:2.3:o:apple:iphone_os:3.1
  • Apple iPhone OS 3.1.2
    cpe:2.3:o:apple:iphone_os:3.1.2
  • Apple iPhone OS 3.1.3
    cpe:2.3:o:apple:iphone_os:3.1.3
  • Apple iPhone OS 3.2
    cpe:2.3:o:apple:iphone_os:3.2
  • Apple iPhone OS 3.2.1
    cpe:2.3:o:apple:iphone_os:3.2.1
  • Apple iPhone OS 3.2.2
    cpe:2.3:o:apple:iphone_os:3.2.2
  • Apple iPhone OS 4.0
    cpe:2.3:o:apple:iphone_os:4.0
  • Apple iPhone OS 4.0.1
    cpe:2.3:o:apple:iphone_os:4.0.1
  • Apple iPhone OS 4.0.2
    cpe:2.3:o:apple:iphone_os:4.0.2
  • Apple iPhone OS 4.1
    cpe:2.3:o:apple:iphone_os:4.1
  • cpe:2.3:o:apple:iphone_os:4.2
    cpe:2.3:o:apple:iphone_os:4.2
  • Apple iPhone OS 4.2.1
    cpe:2.3:o:apple:iphone_os:4.2.1
  • Apple iPhone OS 4.2.5
    cpe:2.3:o:apple:iphone_os:4.2.5
  • cpe:2.3:h:apple:iphone:4
    cpe:2.3:h:apple:iphone:4
CVSS
Base: 6.8 (as of 11-03-2011 - 08:21)
Impact:
Exploitability:
CWE CWE-399
CAPEC
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: PARTIAL
Availability: PARTIAL
nessus via4
  • NASL family Peer-To-Peer File Sharing
    NASL id ITUNES_10_2_2_BANNER.NASL
    description The version of Apple iTunes on the remote host is prior to version 10.2.2. It is, therefore, affected by multiple vulnerabilities in the WebKit component : - An integer overflow vulnerability exists in the handling of nodesets that can be exploited by a remote attacker to execute arbitrary code. (CVE-2011-1290) - A use-after-free vulnerability exists in the handling of text nodes that can be exploited by a remote attacker to execute arbitrary code. (CVE-2011-1344) Note that these only affect WebKit for Windows.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 53489
    published 2011-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53489
    title Apple iTunes < 10.2.2 Multiple Vulnerabilities (uncredentialed check)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_LIBWEBKIT-121201.NASL
    description Two issues in libwebkit have been fixed : - Webkit CSS Text Element Count remote code execution was fixed. (CVE-2011-1290) - WebKit WBR Tag Removal remote code execution was fixed. (CVE-2011-1344)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 64202
    published 2013-01-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64202
    title SuSE 11.2 Security Update : libwebkit (SAT Patch Number 7114)
  • NASL family Windows
    NASL id SAFARI_5_0_5.NASL
    description The version of Safari installed on the remote Windows host is earlier than 5.0.5. It therefore is potentially affected by several issues : - An integer overflow issue in the handling of nodesets could lead to a crash or arbitrary code execution. (CVE-2011-1290) - A use-after-free issue in the handling of text nodes could lead to a crash or arbitrary code execution. (CVE-2011-1344)
    last seen 2019-02-21
    modified 2018-07-27
    plugin id 53411
    published 2011-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53411
    title Safari < 5.0.5 Multiple Vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SAFARI5_0_5.NASL
    description The version of Apple Safari installed on the remote Mac OS X host is earlier than 5.0.5. As such, it is potentially affected by several issues : - An integer overflow issue in the handling of nodesets could lead to a crash or arbitrary code execution. (CVE-2011-1290) - A use-after-free issue in the handling of text nodes could lead to a crash or arbitrary code execution. (CVE-2011-1344)
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 53410
    published 2011-04-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53410
    title Mac OS X : Apple Safari < 5.0.5
  • NASL family Windows
    NASL id ITUNES_10_2_2.NASL
    description The version of Apple iTunes installed on the remote Windows host is older than 10.2.2. As such, it is potentially affected by several issues : - An integer overflow issue in the handling of nodesets could lead to a crash or arbitrary code execution. (CVE-2011-1290) - A use after free issue in the handling of text nodes could lead to a crash or arbitrary code execution. (CVE-2011-1344)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 53488
    published 2011-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53488
    title Apple iTunes < 10.2.2 Multiple (credentialed check)
refmap via4
apple
  • APPLE-SA-2011-04-14-1
  • APPLE-SA-2011-04-14-2
  • APPLE-SA-2011-04-14-3
bid 46822
bugtraq
  • 20110414 ZDI-11-135: (Pwn2Own) WebKit WBR Tag Removal Remote Code Execution Vulnerability
  • 20110415 VUPEN Security Research - Apple Safari Text Nodes Remote Use-after-free Vulnerability (CVE-2011-1344)
confirm
misc
sectrack 1025363
secunia
  • 44151
  • 44154
vupen ADV-2011-0984
xf safari-webkit-unspec-code-exec(66061)
Last major update 30-03-2012 - 00:00
Published 10-03-2011 - 15:55
Last modified 09-10-2018 - 15:30