var-200803-0229
Vulnerability from variot
Buffer overflow in WebKit, as used in Apple Safari before 3.1, allows remote attackers to execute arbitrary code via crafted regular expressions in JavaScript. Apple Safari is prone to 12 security vulnerabilities. Attackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. These issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. NOTE: This BID is being retired. NOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the WEB browser bundled with the Apple family operating system by default. ----------------------------------------------------------------------
Secunia Network Software Inspector 2.0 (NSI) - Public Beta
4 days left of beta period.
The 1st generation of the Secunia Network Software Inspector (NSI) has been available for corporate users for almost 1 year and its been a tremendous success.
The 2nd generation Secunia NSI is built on the same technology as the award winning Secunia PSI, which has already been downloaded and installed on more than 400,000 computers world wide.
For more information: SA29393
SOLUTION: Apply updated packages via the yum utility ("yum update WebKit").
Note: Updated packages for midori and kazehakase have also been issued, which have been rebuilt against the new WebKit library. ----------------------------------------------------------------------
A new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI has been released. The new version includes many new and advanced features, which makes it even easier to stay patched.
Download and test it today: https://psi.secunia.com/
Read more about this new version: https://psi.secunia.com/?page=changelog
TITLE: Apple Safari Multiple Vulnerabilities
SECUNIA ADVISORY ID: SA29393
VERIFY ADVISORY: http://secunia.com/advisories/29393/
CRITICAL: Highly critical
IMPACT: Security Bypass, Cross Site Scripting, Exposure of sensitive information, System access
WHERE:
From remote
SOFTWARE: Safari 3.x http://secunia.com/product/17989/ Safari 2.x http://secunia.com/product/5289/
DESCRIPTION: Some vulnerabilities have been reported in Safari, which can be exploited by malicious people to bypass certain security restrictions, conduct cross-site scripting attacks, or to compromise a vulnerable system.
2) An error exists the handling of web pages that have explicitly set the document.domain property. This can be exploited to conduct cross-site scripting attacks in sites that set the document.domain property or between HTTP and HTTPS sites with the same document.domain.
3) An error in Web Inspector can be exploited to inject script code that will run in other domains and can read the user's file system when a specially crafted page is inspected.
4) A security issue exists with the Kotoeri input method, which can result in exposing the password field on the display when reverse conversion is requested.
5) An error within the handling of the "window.open()" function can be used to change the security context of a web page to the caller's context.
6) The frame navigation policy is not enforced for Java applets. This can be exploited to conduct cross-site scripting attacks using java and to gain escalated privileges by enticing a user to open a specially crafted web page.
7) An unspecified error in the handling of the document.domain property can be exploited to conduct cross-site scripting attacks when a user visits a specially crafted web page.
8) An error exists in the handling of the history object. This can be exploited to inject javascript code that will run in the context of other frames.
Successful exploitation allows execution of arbitrary code.
10) An error in WebKit allows method instances from one frame to be called in the context of another frame. This can be exploited to conduct cross-site scripting attacks.
SOLUTION: Update to version 3.1.
PROVIDED AND/OR DISCOVERED BY: 1) Robert Swiecki of Google Information Security Team 2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University 10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy and Will Drewry of Google Security Team
ORIGINAL ADVISORY: Apple: http://docs.info.apple.com/article.html?artnum=307563
About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.
Subscribe: http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/
Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.
Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org
. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Core Security Technologies - CoreLabs Advisory
http://www.coresecurity.com/corelabs/
VLC media player XSPF Memory Corruption
- Advisory Information
Title: VLC media player XSPF Memory Corruption Advisory ID: CORE-2008-1010 Advisory URL: http://www.coresecurity.com/content/vlc-xspf-memory-corruption Date published: 2008-10-14 Date of last update: 2008-10-14 Vendors contacted: VLC Release mode: Coordinated release
- Vulnerability Information
Class: Memory corruption Remotely Exploitable: Yes (client side) Locally Exploitable: No Bugtraq ID: N/A CVE Name: N/A
- Vulnerability Description
VLC media player is an open-source, highly portable multimedia player for various audio and video formats, as well as DVDs, VCDs, and various streaming protocols. It can also be used as a server to stream in unicast or multicast in IPv4 or IPv6 on a high-bandwidth network.
VLC media player is vulnerable to a memory corruption vulnerability, which can be exploited by malicious remote attackers to compromise a user's system, by providing a specially crafted XSPF playlist file. The vulnerability exists because the VLC ('demux/playlist/xspf.c') library does not properly perform bounds-checking on an 'identifier' tag from an XSPF file before using it to index an array on the heap. This can be exploited to overwrite an arbitrary memory address in the context of the VLC media player process, and eventually get arbitrary code execution by opening a specially crafted file.
- Vulnerable packages
. VLC media player 0.9.2
- Non-vulnerable packages
. VLC media player 0.9.3 (no official binary files available for Windows platform) . VLC media player 0.9.4
- Vendor Information, Solutions and Workarounds
Update to VLC media player 0.9.4, available at http://www.videolan.org/vlc/.
- Credits
This vulnerability was discovered and researched by Francisco Falcon from Core Security Technologies.
- Technical Description / Proof of Concept Code
VLC media player has support for the XML-based XSPF playlist format [1]. Every track in an XSPF playlist has a number of attributes, such as 'identifier, location, title and duration'. The 'identifier' attribute is a numeric value that indicates the position of the track in the tracklist. Here's a sample playlist in XSPF format:
/-----------
Sample playlist C:\my-playlist.xspf 0 C:\My%20music\track1.mp3 239099 1 C:\My%20music\track2.mp3 2 C:\My%20music\track3.mp3
- -----------/
VLC media player's XSPF playlist format parser ('demux/playlist/xspf.c') does not properly perform bounds-checking before using the 'identifier' attribute value to index an array on the heap to write data on it.
In the first place, the parser reads the 'identifier' attribute of a track and converts its value to 'int' type using the 'atoi' function from the standard C library, and saves it to the 'i_identifier' field of a 'demux_sys_t' structure:
/-----------
575 else if( !strcmp( p_handler->name, "identifier" ) ) 576 { 577 p_demux->p_sys->i_identifier = atoi( psz_value ); 578 }
- -----------/
After that, at lines 501-502, the parser compares 'i_identifier' with 'i_tracklist_entries'. This last field is a counter that holds the number of tracklist entries that were successfully parsed at the moment.
If 'i_identifier' is less than 'i_tracklist_entries', the value of 'i_identifier' is used to index the 'pp_tracklist' array, and 'p_new_input' is written on that position (at line '505').
/-----------
501 if( p_demux->p_sys->i_identifier < 502 p_demux->p_sys->i_tracklist_entries ) 503 { 504 p_demux->p_sys->pp_tracklist[ 505 p_demux->p_sys->i_identifier ] = p_new_input; 506 }
- -----------/
Since the XSPF parser does not perform bounds-checking before indexing the array to write on it, and having 'i_identifier' fully controlled by the user, an attacker may overwrite almost any memory address with 'p_new_input'.
This is the disassembled vulnerable code:
/-----------
70246981 . 39C2 CMP EDX,EAX ; i_identifier < i_tracklist_entries? 70246983 . 7D 29 JGE SHORT libplayl.702469AE 70246985 . 8B2B MOV EBP,DWORD PTR DS:[EBX] ; EBP = pp_tracklist = 0 70246987 . 8B7C24 44 MOV EDI,DWORD PTR SS:[ESP+44] ; EDI = p_new_input 7024698B . 897C95 00 MOV DWORD PTR SS:[EBP+EDX*4],EDI ; Saves p_new_input in pp_tracklist[i_identifier]
- -----------/
At this point, when parsing the first track of the playlist, 'i_tracklist_entries' value is 0. The parser performs a signed comparison between 'i_identifier' and 'i_tracklist_entries', so by providing a negative value for 'i_identifier', an attacker can avoid that conditional JGE jump to be executed. After that, EBP is always 0 and the attacker controls EDX, so he can write 'p_new_input' to almost any memory address aligned to a 4-byte boundary. 'p_new_input' is a pointer to a structure of type 'input_item_t', that holds information about the playlist item being processed. At 'p_new_input + 0x10' there is a pointer to the track filename (provided by the 'location' attribute), excluding the path.
This track filename (which is UTF-8 encoded) is controlled by the user too, so if an attacker overwrites a specially chosen memory address and the program executes some instructions that load 'p_new_input' into a CPU register and perform an indirect call like 'CALL DWORD[R32 + 0x10]' (where R32 is a 32-bit register), it will be possible to get arbitrary code execution with the privileges of the current user.
The following Python code will generate an XSPF file that, when opened with VLC media player 0.9.2, will crash the application when trying to write 'p_new_input' to memory address 41424344.
/-----------
xspf_file_content = '''
XSPF PoC C:\My%20Music\playlist.xspf -1873768239 C:\My%20Music\Track1.mp3 239099 '''
crafted_xspf_file = open('playlist.xspf','w') crafted_xspf_file.write(xspf_file_content) crafted_xspf_file.close()
-
-----------/
-
Report Timeline
2008-10-10: Core Security Technologies notifies the VLC team of the vulnerability, and that the advisory CORE-2008-1010 will be published on October 14th, since the vulnerability is already fixed in VLC versions 0.9.3 and 0.9.4. 2008-10-12: VLC team confirms that the vulnerability has been fixed (the vulnerability was discovered and fixed by the VLC team on September 15th). 2008-10-14: Advisory CORE-2008-1010 is published.
- References
[1] XSPF format http://www.xspf.org/
- About CoreLabs
CoreLabs, the research center of Core Security Technologies, is charged with anticipating the future needs and requirements for information security technologies. We conduct our research in several important areas of computer security including system vulnerabilities, cyber attack planning and simulation, source code auditing, and cryptography. Our results include problem formalization, identification of vulnerabilities, novel solutions and prototypes for new technologies. CoreLabs regularly publishes security advisories, technical papers, project information and shared software tools for public use at: http://www.coresecurity.com/corelabs.
- About Core Security Technologies
Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their networks. The company's flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. CORE IMPACT evaluates network, endpoint and end-user vulnerabilities and identifies what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core Security Technologies augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at http://www.coresecurity.com.
- Disclaimer
The contents of this advisory are copyright (c) 2008 Core Security Technologies and (c) 2008 CoreLabs, and may be distributed freely provided that no fee is charged for this distribution and proper credit is given.
- PGP/GPG Keys
This advisory has been signed with the GPG key of Core Security Technologies advisories team, which is available for download at http://www.coresecurity.com/files/attachments/core_security_advisories.asc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.8 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iEYEARECAAYFAkj1DEkACgkQyNibggitWa2M+ACghrS9hKB5saDl3ufp69iJ46P5 DHoAn2Ygu5INc0u2P+tW+m+JZATCFXp0 =LilF -----END PGP SIGNATURE-----
Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Show details on source website{
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
"affected_products": {
"@id": "https://www.variotdbs.pl/ref/affected_products"
},
"configurations": {
"@id": "https://www.variotdbs.pl/ref/configurations"
},
"credits": {
"@id": "https://www.variotdbs.pl/ref/credits"
},
"cvss": {
"@id": "https://www.variotdbs.pl/ref/cvss/"
},
"description": {
"@id": "https://www.variotdbs.pl/ref/description/"
},
"exploit_availability": {
"@id": "https://www.variotdbs.pl/ref/exploit_availability/"
},
"external_ids": {
"@id": "https://www.variotdbs.pl/ref/external_ids/"
},
"iot": {
"@id": "https://www.variotdbs.pl/ref/iot/"
},
"iot_taxonomy": {
"@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
},
"patch": {
"@id": "https://www.variotdbs.pl/ref/patch/"
},
"problemtype_data": {
"@id": "https://www.variotdbs.pl/ref/problemtype_data/"
},
"references": {
"@id": "https://www.variotdbs.pl/ref/references/"
},
"sources": {
"@id": "https://www.variotdbs.pl/ref/sources/"
},
"sources_release_date": {
"@id": "https://www.variotdbs.pl/ref/sources_release_date/"
},
"sources_update_date": {
"@id": "https://www.variotdbs.pl/ref/sources_update_date/"
},
"threat_type": {
"@id": "https://www.variotdbs.pl/ref/threat_type/"
},
"title": {
"@id": "https://www.variotdbs.pl/ref/title/"
},
"type": {
"@id": "https://www.variotdbs.pl/ref/type/"
}
},
"@id": "https://www.variotdbs.pl/vuln/VAR-200803-0229",
"affected_products": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/affected_products#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"model": "safari",
"scope": "eq",
"trust": 2.2,
"vendor": "apple",
"version": "2.0.4"
},
{
"model": "safari",
"scope": "eq",
"trust": 2.2,
"vendor": "apple",
"version": "2.0.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 2.2,
"vendor": "apple",
"version": "1.3"
},
{
"model": "safari",
"scope": "eq",
"trust": 2.2,
"vendor": "apple",
"version": "1.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "1.3.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "1.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "1.0"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "3.0"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "3.0.4"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "3.0.3"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "3.0.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "3.0.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.6,
"vendor": "apple",
"version": "2.0"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "0.8"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "1.3.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 1.0,
"vendor": "apple",
"version": "0.9"
},
{
"model": "safari",
"scope": "lt",
"trust": 0.8,
"vendor": "apple",
"version": "version"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.5.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "3.1"
},
{
"model": "mac os x",
"scope": "eq",
"trust": 0.8,
"vendor": "apple",
"version": "v10.4.11"
},
{
"model": "safari beta for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.4"
},
{
"model": "safari beta for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.3"
},
{
"model": "safari beta",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.3"
},
{
"model": "safari beta for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.2"
},
{
"model": "safari beta",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.2"
},
{
"model": "safari beta for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.1"
},
{
"model": "safari beta",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3.0.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "2.0.3"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "2.0.1"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "1.2.3"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "1.2.2"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "1.2.1"
},
{
"model": "safari beta",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "2"
},
{
"model": "safari beta for windows",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3"
},
{
"model": "safari beta",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3"
},
{
"model": "safari",
"scope": "eq",
"trust": 0.6,
"vendor": "apple",
"version": "3"
},
{
"model": "safari",
"scope": "ne",
"trust": 0.6,
"vendor": "apple",
"version": "3.1"
},
{
"model": "midori",
"scope": "eq",
"trust": 0.3,
"vendor": "midori",
"version": "0.3.2"
}
],
"sources": [
{
"db": "BID",
"id": "28290"
},
{
"db": "BID",
"id": "28338"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"configurations": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/configurations#",
"children": {
"@container": "@list"
},
"cpe_match": {
"@container": "@list"
},
"data": {
"@container": "@list"
},
"nodes": {
"@container": "@list"
}
},
"data": [
{
"CVE_data_version": "4.0",
"nodes": [
{
"cpe_match": [
{
"cpe22Uri": "cpe:/o:apple:mac_os_x",
"vulnerable": true
},
{
"cpe22Uri": "cpe:/a:apple:safari",
"vulnerable": true
}
],
"operator": "OR"
}
]
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
}
]
},
"credits": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/credits#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Robert Swiecki robert@swiecki.netAdam BarthCollin Jackson collinj@cs.stanford.eduEric SeidelTavis Ormandy taviso@gentoo.orgWill Drewry wad@google.com",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
}
],
"trust": 0.6
},
"cve": "CVE-2008-1010",
"cvss": {
"@context": {
"cvssV2": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
},
"cvssV3": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
},
"severity": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/cvss/severity#"
},
"@id": "https://www.variotdbs.pl/ref/cvss/severity"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
},
"@id": "https://www.variotdbs.pl/ref/sources"
}
},
"data": [
{
"cvssV2": [
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "nvd@nist.gov",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "CVE-2008-1010",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 1.8,
"vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
{
"accessComplexity": "MEDIUM",
"accessVector": "NETWORK",
"authentication": "NONE",
"author": "VULHUB",
"availabilityImpact": "PARTIAL",
"baseScore": 6.8,
"confidentialityImpact": "PARTIAL",
"exploitabilityScore": 8.6,
"id": "VHN-31135",
"impactScore": 6.4,
"integrityImpact": "PARTIAL",
"severity": "MEDIUM",
"trust": 0.1,
"vectorString": "AV:N/AC:M/AU:N/C:P/I:P/A:P",
"version": "2.0"
}
],
"cvssV3": [],
"severity": [
{
"author": "nvd@nist.gov",
"id": "CVE-2008-1010",
"trust": 1.0,
"value": "MEDIUM"
},
{
"author": "NVD",
"id": "CVE-2008-1010",
"trust": 0.8,
"value": "Medium"
},
{
"author": "CNNVD",
"id": "CNNVD-200803-307",
"trust": 0.6,
"value": "MEDIUM"
},
{
"author": "VULHUB",
"id": "VHN-31135",
"trust": 0.1,
"value": "MEDIUM"
}
]
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31135"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"description": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/description#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Buffer overflow in WebKit, as used in Apple Safari before 3.1, allows remote attackers to execute arbitrary code via crafted regular expressions in JavaScript. Apple Safari is prone to 12 security vulnerabilities. \nAttackers may exploit these issues to execute arbitrary code, steal cookie-based authentication credentials, spoof secure websites, obtain sensitive information, and crash the affected application. Other attacks are also possible. \nThese issues affect versions prior to Apple Safari 3.1 running on Apple Mac OS X 10.4.1 and 10.5.2, Microsoft Windows XP, and Windows Vista. \nNOTE: This BID is being retired. \nNOTE: This vulnerability was previously covered in BID 28290 (Apple Safari Prior to 3.1 Multiple Security Vulnerabilities), but has been given its own record to better document the issue. Safari is the WEB browser bundled with the Apple family operating system by default. ----------------------------------------------------------------------\n\nSecunia Network Software Inspector 2.0 (NSI) - Public Beta\n\n4 days left of beta period. \n\nThe 1st generation of the Secunia Network Software Inspector (NSI)\nhas been available for corporate users for almost 1 year and its been\na tremendous success. \n\nThe 2nd generation Secunia NSI is built on the same technology as the\naward winning Secunia PSI, which has already been downloaded and\ninstalled on more than 400,000 computers world wide. \n\nFor more information:\nSA29393\n\nSOLUTION:\nApply updated packages via the yum utility (\"yum update WebKit\"). \n\nNote: Updated packages for midori and kazehakase have also been\nissued, which have been rebuilt against the new WebKit library. ----------------------------------------------------------------------\n\nA new version (0.9.0.0 - Release Candidate 1) of the free Secunia PSI\nhas been released. The new version includes many new and advanced\nfeatures, which makes it even easier to stay patched. \n\nDownload and test it today:\nhttps://psi.secunia.com/\n\nRead more about this new version:\nhttps://psi.secunia.com/?page=changelog\n\n----------------------------------------------------------------------\n\nTITLE:\nApple Safari Multiple Vulnerabilities\n\nSECUNIA ADVISORY ID:\nSA29393\n\nVERIFY ADVISORY:\nhttp://secunia.com/advisories/29393/\n\nCRITICAL:\nHighly critical\n\nIMPACT:\nSecurity Bypass, Cross Site Scripting, Exposure of sensitive\ninformation, System access\n\nWHERE:\n\u003eFrom remote\n\nSOFTWARE:\nSafari 3.x\nhttp://secunia.com/product/17989/\nSafari 2.x\nhttp://secunia.com/product/5289/\n\nDESCRIPTION:\nSome vulnerabilities have been reported in Safari, which can be\nexploited by malicious people to bypass certain security\nrestrictions, conduct cross-site scripting attacks, or to compromise\na vulnerable system. \n\n2) An error exists the handling of web pages that have explicitly set\nthe document.domain property. This can be exploited to conduct\ncross-site scripting attacks in sites that set the document.domain\nproperty or between HTTP and HTTPS sites with the same\ndocument.domain. \n\n3) An error in Web Inspector can be exploited to inject script code\nthat will run in other domains and can read the user\u0027s file system\nwhen a specially crafted page is inspected. \n\n4) A security issue exists with the Kotoeri input method, which can\nresult in exposing the password field on the display when reverse\nconversion is requested. \n\n5) An error within the handling of the \"window.open()\" function can\nbe used to change the security context of a web page to the caller\u0027s\ncontext. \n\n6) The frame navigation policy is not enforced for Java applets. This\ncan be exploited to conduct cross-site scripting attacks using java\nand to gain escalated privileges by enticing a user to open a\nspecially crafted web page. \n\n7) An unspecified error in the handling of the document.domain\nproperty can be exploited to conduct cross-site scripting attacks\nwhen a user visits a specially crafted web page. \n\n8) An error exists in the handling of the history object. This can be\nexploited to inject javascript code that will run in the context of\nother frames. \n\nSuccessful exploitation allows execution of arbitrary code. \n\n10) An error in WebKit allows method instances from one frame to be\ncalled in the context of another frame. This can be exploited to\nconduct cross-site scripting attacks. \n\nSOLUTION:\nUpdate to version 3.1. \n\nPROVIDED AND/OR DISCOVERED BY:\n1) Robert Swiecki of Google Information Security Team\n2, 3, 5, 6) Adam Barth and Collin Jackson of Stanford University\n10) Eric Seidel of the WebKit Open Source Project, and Tavis Ormandy\nand Will Drewry of Google Security Team\n\nORIGINAL ADVISORY:\nApple:\nhttp://docs.info.apple.com/article.html?artnum=307563\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n. -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA1\n\n Core Security Technologies - CoreLabs Advisory\n http://www.coresecurity.com/corelabs/\n\n VLC media player XSPF Memory Corruption\n\n\n1. *Advisory Information*\n\nTitle: VLC media player XSPF Memory Corruption\nAdvisory ID: CORE-2008-1010\nAdvisory URL: http://www.coresecurity.com/content/vlc-xspf-memory-corruption\nDate published: 2008-10-14\nDate of last update: 2008-10-14\nVendors contacted: VLC\nRelease mode: Coordinated release\n\n\n2. *Vulnerability Information*\n\nClass: Memory corruption\nRemotely Exploitable: Yes (client side)\nLocally Exploitable: No\nBugtraq ID: N/A\nCVE Name: N/A\n\n\n3. *Vulnerability Description*\n\nVLC media player is an open-source, highly portable multimedia player\nfor various audio and video formats, as well as DVDs, VCDs, and various\nstreaming protocols. It can also be used as a server to stream in\nunicast or multicast in IPv4 or IPv6 on a high-bandwidth network. \n\nVLC media player is vulnerable to a memory corruption vulnerability,\nwhich can be exploited by malicious remote attackers to compromise a\nuser\u0027s system, by providing a specially crafted XSPF playlist file. The\nvulnerability exists because the VLC (\u0027demux/playlist/xspf.c\u0027) library\ndoes not properly perform bounds-checking on an \u0027identifier\u0027 tag from an\nXSPF file before using it to index an array on the heap. This can be\nexploited to overwrite an arbitrary memory address in the context of the\nVLC media player process, and eventually get arbitrary code execution by\nopening a specially crafted file. \n\n\n4. *Vulnerable packages*\n\n . VLC media player 0.9.2\n\n\n5. *Non-vulnerable packages*\n\n . VLC media player 0.9.3 (no official binary files available for\nWindows platform)\n . VLC media player 0.9.4\n\n\n6. *Vendor Information, Solutions and Workarounds*\n\nUpdate to VLC media player 0.9.4, available at\nhttp://www.videolan.org/vlc/. \n\n\n7. *Credits*\n\nThis vulnerability was discovered and researched by Francisco Falcon\nfrom Core Security Technologies. \n\n\n8. *Technical Description / Proof of Concept Code*\n\nVLC media player has support for the XML-based XSPF playlist format [1]. \nEvery track in an XSPF playlist has a number of attributes, such as\n\u0027identifier, location, title and duration\u0027. The \u0027identifier\u0027 attribute\nis a numeric value that indicates the position of the track in the\ntracklist. Here\u0027s a sample playlist in XSPF format:\n\n/-----------\n\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cplaylist version=\"1\" xmlns=\"http://xspf.org/ns/0/\"\u003e\n\t\u003ctitle\u003eSample playlist\u003c/title\u003e\n\t\u003clocation\u003eC:\\my-playlist.xspf\u003c/location\u003e\n\t\u003ctrackList\u003e\n\t\t\u003ctrack\u003e\n\t\t\t\u003cidentifier\u003e0\u003c/identifier\u003e\n\t\t\t\u003clocation\u003eC:\\My%20music\\track1.mp3\u003c/location\u003e\n\t\t\t\u003cextension application=\"http://www.videolan.org/vlc/playlist/0\"\u003e\n\t\t\t\u003c/extension\u003e\n\t\t\t\u003cduration\u003e239099\u003c/duration\u003e\n\t\t\u003c/track\u003e\n\t\t\u003ctrack\u003e\n\t\t\t\u003cidentifier\u003e1\u003c/identifier\u003e\n\t\t\t\u003clocation\u003eC:\\My%20music\\track2.mp3\u003c/location\u003e\n\t\t\u003c/track\u003e\n\t\t\u003ctrack\u003e\n\t\t\t\u003cidentifier\u003e2\u003c/identifier\u003e\n\t\t\t\u003clocation\u003eC:\\My%20music\\track3.mp3\u003c/location\u003e\n\t\t\u003c/track\u003e\n\t\u003c/trackList\u003e\n\t\u003cextension application=\"http://www.videolan.org/vlc/playlist/0\"\u003e\n\t\t\u003citem href=\"0\" /\u003e\n\t\t\u003citem href=\"1\" /\u003e\n\t\t\u003citem href=\"2\" /\u003e\n\t\u003c/extension\u003e\n\u003c/playlist\u003e\n\n- -----------/\n\n VLC media player\u0027s XSPF playlist format parser\n(\u0027demux/playlist/xspf.c\u0027) does not properly perform bounds-checking\nbefore using the \u0027identifier\u0027 attribute value to index an array on the\nheap to write data on it. \n\nIn the first place, the parser reads the \u0027identifier\u0027 attribute of a\ntrack and converts its value to \u0027int\u0027 type using the \u0027atoi\u0027 function\nfrom the standard C library, and saves it to the \u0027i_identifier\u0027 field of\na \u0027demux_sys_t\u0027 structure:\n\n/-----------\n\n575 else if( !strcmp( p_handler-\u003ename, \"identifier\" ) )\n576 {\n577 p_demux-\u003ep_sys-\u003ei_identifier = atoi( psz_value );\n578 }\n\n- -----------/\n\n After that, at lines 501-502, the parser compares \u0027i_identifier\u0027 with\n\u0027i_tracklist_entries\u0027. This last field is a counter that holds the\nnumber of tracklist entries that were successfully parsed at the moment. \n\nIf \u0027i_identifier\u0027 is less than \u0027i_tracklist_entries\u0027, the value of\n\u0027i_identifier\u0027 is used to index the \u0027pp_tracklist\u0027 array, and\n\u0027p_new_input\u0027 is written on that position (at line \u0027505\u0027). \n\n/-----------\n\n501\t\tif( p_demux-\u003ep_sys-\u003ei_identifier \u003c\n502 p_demux-\u003ep_sys-\u003ei_tracklist_entries )\n503 {\n504 p_demux-\u003ep_sys-\u003epp_tracklist[\n505 p_demux-\u003ep_sys-\u003ei_identifier ] = p_new_input;\n506 }\n\n- -----------/\n\n Since the XSPF parser does not perform bounds-checking before indexing\nthe array to write on it, and having \u0027i_identifier\u0027 fully controlled by\nthe user, an attacker may overwrite almost any memory address with\n\u0027p_new_input\u0027. \n\nThis is the disassembled vulnerable code:\n\n/-----------\n\n70246981 . 39C2 CMP EDX,EAX ;\ni_identifier \u003c i_tracklist_entries?\n70246983 . 7D 29 JGE SHORT libplayl.702469AE\n70246985 . 8B2B MOV EBP,DWORD PTR DS:[EBX] ;\nEBP = pp_tracklist = 0\n70246987 . 8B7C24 44 MOV EDI,DWORD PTR SS:[ESP+44] ;\nEDI = p_new_input\n7024698B . 897C95 00 MOV DWORD PTR SS:[EBP+EDX*4],EDI ;\nSaves p_new_input in pp_tracklist[i_identifier]\n\n- -----------/\n\n At this point, when parsing the first track of the playlist,\n\u0027i_tracklist_entries\u0027 value is 0. The parser performs a signed\ncomparison between \u0027i_identifier\u0027 and \u0027i_tracklist_entries\u0027, so by\nproviding a negative value for \u0027i_identifier\u0027, an attacker can avoid\nthat conditional JGE jump to be executed. After that, EBP is always 0\nand the attacker controls EDX, so he can write \u0027p_new_input\u0027 to almost\nany memory address aligned to a 4-byte boundary. \u0027p_new_input\u0027 is a\npointer to a structure of type \u0027input_item_t\u0027, that holds information\nabout the playlist item being processed. At \u0027p_new_input + 0x10\u0027 there\nis a pointer to the track filename (provided by the \u0027location\u0027\nattribute), excluding the path. \n\nThis track filename (which is UTF-8 encoded) is controlled by the user\ntoo, so if an attacker overwrites a specially chosen memory address and\nthe program executes some instructions that load \u0027p_new_input\u0027 into a\nCPU register and perform an indirect call like \u0027CALL DWORD[R32 + 0x10]\u0027\n(where R32 is a 32-bit register), it will be possible to get arbitrary\ncode execution with the privileges of the current user. \n\nThe following Python code will generate an XSPF file that, when opened\nwith VLC media player 0.9.2, will crash the application when trying to\nwrite \u0027p_new_input\u0027 to memory address 41424344. \n\n/-----------\n\nxspf_file_content = \u0027\u0027\u0027\n\u003c?xml version=\"1.0\" encoding=\"UTF-8\"?\u003e\n\u003cplaylist version=\"1\" xmlns=\"http://xspf.org/ns/0/\"\u003e\n\u003ctitle\u003eXSPF PoC\u003c/title\u003e\n\u003clocation\u003eC:\\My%20Music\\playlist.xspf\u003c/location\u003e\n\u003ctrackList\u003e\n\u003ctrack\u003e\n\u003cidentifier\u003e-1873768239\u003c/identifier\u003e\n\u003clocation\u003eC:\\My%20Music\\Track1.mp3\u003c/location\u003e\n\u003cextension application=\"http://www.videolan.org/vlc/playlist/0\"\u003e\n\u003c/extension\u003e\n\u003cduration\u003e239099\u003c/duration\u003e\n\u003c/track\u003e\n\u003c/trackList\u003e\n\u003cextension application=\"http://www.videolan.org/vlc/playlist/0\"\u003e\n\u003citem href=\"0\" /\u003e\n\u003c/extension\u003e\n\u003c/playlist\u003e\n\u0027\u0027\u0027\n\ncrafted_xspf_file = open(\u0027playlist.xspf\u0027,\u0027w\u0027)\ncrafted_xspf_file.write(xspf_file_content)\ncrafted_xspf_file.close()\n\n- -----------/\n\n\n9. *Report Timeline*\n\n2008-10-10: Core Security Technologies notifies the VLC team of the\nvulnerability, and that the advisory CORE-2008-1010 will be published on\nOctober 14th, since the vulnerability is already fixed in VLC versions\n0.9.3 and 0.9.4. \n2008-10-12: VLC team confirms that the vulnerability has been fixed (the\nvulnerability was discovered and fixed by the VLC team on September 15th). \n2008-10-14: Advisory CORE-2008-1010 is published. \n\n\n10. *References*\n\n[1] XSPF format http://www.xspf.org/\n\n\n11. *About CoreLabs*\n\nCoreLabs, the research center of Core Security Technologies, is charged\nwith anticipating the future needs and requirements for information\nsecurity technologies. We conduct our research in several important\nareas of computer security including system vulnerabilities, cyber\nattack planning and simulation, source code auditing, and cryptography. \nOur results include problem formalization, identification of\nvulnerabilities, novel solutions and prototypes for new technologies. \nCoreLabs regularly publishes security advisories, technical papers,\nproject information and shared software tools for public use at:\nhttp://www.coresecurity.com/corelabs. \n\n\n12. *About Core Security Technologies*\n\nCore Security Technologies develops strategic solutions that help\nsecurity-conscious organizations worldwide develop and maintain a\nproactive process for securing their networks. The company\u0027s flagship\nproduct, CORE IMPACT, is the most comprehensive product for performing\nenterprise security assurance testing. CORE IMPACT evaluates network,\nendpoint and end-user vulnerabilities and identifies what resources are\nexposed. It enables organizations to determine if current security\ninvestments are detecting and preventing attacks. Core Security\nTechnologies augments its leading technology solution with world-class\nsecurity consulting services, including penetration testing and software\nsecurity auditing. Based in Boston, MA and Buenos Aires, Argentina, Core\nSecurity Technologies can be reached at 617-399-6980 or on the Web at\nhttp://www.coresecurity.com. \n\n\n13. *Disclaimer*\n\nThe contents of this advisory are copyright (c) 2008 Core Security\nTechnologies and (c) 2008 CoreLabs, and may be distributed freely\nprovided that no fee is charged for this distribution and proper credit\nis given. \n\n\n14. *PGP/GPG Keys*\n\nThis advisory has been signed with the GPG key of Core Security\nTechnologies advisories team, which is available for download at\nhttp://www.coresecurity.com/files/attachments/core_security_advisories.asc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.8 (MingW32)\nComment: Using GnuPG with Mozilla - http://enigmail.mozdev.org\n\niEYEARECAAYFAkj1DEkACgkQyNibggitWa2M+ACghrS9hKB5saDl3ufp69iJ46P5\nDHoAn2Ygu5INc0u2P+tW+m+JZATCFXp0\n=LilF\n-----END PGP SIGNATURE-----\n\n_______________________________________________\nFull-Disclosure - We believe in it. \nCharter: http://lists.grok.org.uk/full-disclosure-charter.html\nHosted and sponsored by Secunia - http://secunia.com/\n",
"sources": [
{
"db": "NVD",
"id": "CVE-2008-1010"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "BID",
"id": "28290"
},
{
"db": "BID",
"id": "28338"
},
{
"db": "VULHUB",
"id": "VHN-31135"
},
{
"db": "PACKETSTORM",
"id": "65784"
},
{
"db": "PACKETSTORM",
"id": "64736"
},
{
"db": "PACKETSTORM",
"id": "70936"
}
],
"trust": 2.52
},
"exploit_availability": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/exploit_availability#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"reference": "https://www.scap.org.cn/vuln/vhn-31135",
"trust": 0.1,
"type": "unknown"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31135"
}
]
},
"external_ids": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/external_ids#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"db": "NVD",
"id": "CVE-2008-1010",
"trust": 2.9
},
{
"db": "BID",
"id": "28290",
"trust": 2.8
},
{
"db": "BID",
"id": "28338",
"trust": 2.8
},
{
"db": "SECTRACK",
"id": "1019654",
"trust": 2.5
},
{
"db": "USCERT",
"id": "TA08-079A",
"trust": 2.5
},
{
"db": "SECUNIA",
"id": "29924",
"trust": 1.8
},
{
"db": "SECUNIA",
"id": "29393",
"trust": 1.8
},
{
"db": "VUPEN",
"id": "ADV-2008-0920",
"trust": 1.7
},
{
"db": "USCERT",
"id": "SA08-079A",
"trust": 0.8
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196",
"trust": 0.8
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307",
"trust": 0.7
},
{
"db": "CERT/CC",
"id": "TA08-079A",
"trust": 0.6
},
{
"db": "APPLE",
"id": "APPLE-SA-2008-03-18",
"trust": 0.6
},
{
"db": "FEDORA",
"id": "FEDORA-2008-3229",
"trust": 0.6
},
{
"db": "XF",
"id": "41321",
"trust": 0.6
},
{
"db": "PACKETSTORM",
"id": "70936",
"trust": 0.2
},
{
"db": "VULHUB",
"id": "VHN-31135",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "65784",
"trust": 0.1
},
{
"db": "PACKETSTORM",
"id": "64736",
"trust": 0.1
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31135"
},
{
"db": "BID",
"id": "28290"
},
{
"db": "BID",
"id": "28338"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "PACKETSTORM",
"id": "65784"
},
{
"db": "PACKETSTORM",
"id": "64736"
},
{
"db": "PACKETSTORM",
"id": "70936"
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"id": "VAR-200803-0229",
"iot": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/iot#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": true,
"sources": [
{
"db": "VULHUB",
"id": "VHN-31135"
}
],
"trust": 0.01
},
"last_update_date": "2024-11-23T20:35:28.514000Z",
"patch": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/patch#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"title": "Safari 3.1",
"trust": 0.8,
"url": "http://support.apple.com/kb/HT1315"
},
{
"title": "Safari 3.1",
"trust": 0.8,
"url": "http://docs.info.apple.com/article.html?artnum=307563-ja"
}
],
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
}
]
},
"problemtype_data": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"problemtype": "CWE-119",
"trust": 1.9
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31135"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"references": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/references#",
"data": {
"@container": "@list"
},
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": [
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/28290"
},
{
"trust": 2.5,
"url": "http://www.securityfocus.com/bid/28338"
},
{
"trust": 2.5,
"url": "http://www.us-cert.gov/cas/techalerts/ta08-079a.html"
},
{
"trust": 2.5,
"url": "http://www.securitytracker.com/id?1019654"
},
{
"trust": 2.4,
"url": "http://docs.info.apple.com/article.html?artnum=307563"
},
{
"trust": 1.8,
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-april/msg00402.html"
},
{
"trust": 1.7,
"url": "http://lists.apple.com/archives/security-announce/2008/mar/msg00000.html"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/29393"
},
{
"trust": 1.7,
"url": "http://secunia.com/advisories/29924"
},
{
"trust": 1.4,
"url": "http://www.frsirt.com/english/advisories/2008/0920/references"
},
{
"trust": 1.1,
"url": "http://www.vupen.com/english/advisories/2008/0920/references"
},
{
"trust": 1.1,
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41321"
},
{
"trust": 0.8,
"url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1010"
},
{
"trust": 0.8,
"url": "http://jvn.jp/cert/jvnta08-079a/index.html"
},
{
"trust": 0.8,
"url": "http://jvn.jp/tr/trta08-079a/index.html"
},
{
"trust": 0.8,
"url": "http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-1010"
},
{
"trust": 0.8,
"url": "http://www.us-cert.gov/cas/alerts/sa08-079a.html"
},
{
"trust": 0.6,
"url": "http://xforce.iss.net/xforce/xfdb/41321"
},
{
"trust": 0.3,
"url": "http://www.apple.com/safari/"
},
{
"trust": 0.3,
"url": "http://www.apple.com/safari/download/"
},
{
"trust": 0.2,
"url": "http://secunia.com/advisories/29393/"
},
{
"trust": 0.2,
"url": "http://secunia.com/secunia_security_advisories/"
},
{
"trust": 0.2,
"url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
},
{
"trust": 0.2,
"url": "http://secunia.com/about_secunia_advisories/"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-april/msg00401.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/network_software_inspector_2/"
},
{
"trust": 0.1,
"url": "https://www.redhat.com/archives/fedora-package-announce/2008-april/msg00400.html"
},
{
"trust": 0.1,
"url": "http://secunia.com/advisories/29924/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/16769/"
},
{
"trust": 0.1,
"url": "https://psi.secunia.com/?page=changelog"
},
{
"trust": 0.1,
"url": "https://psi.secunia.com/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/5289/"
},
{
"trust": 0.1,
"url": "http://secunia.com/product/17989/"
},
{
"trust": 0.1,
"url": "http://www.videolan.org/vlc/."
},
{
"trust": 0.1,
"url": "http://www.videolan.org/vlc/playlist/0\"\u003e"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/files/attachments/core_security_advisories.asc."
},
{
"trust": 0.1,
"url": "http://enigmail.mozdev.org"
},
{
"trust": 0.1,
"url": "http://www.xspf.org/"
},
{
"trust": 0.1,
"url": "http://xspf.org/ns/0/\"\u003e"
},
{
"trust": 0.1,
"url": "http://secunia.com/"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/corelabs."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com."
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/corelabs/"
},
{
"trust": 0.1,
"url": "https://nvd.nist.gov/vuln/detail/cve-2008-1010"
},
{
"trust": 0.1,
"url": "http://lists.grok.org.uk/full-disclosure-charter.html"
},
{
"trust": 0.1,
"url": "http://www.coresecurity.com/content/vlc-xspf-memory-corruption"
}
],
"sources": [
{
"db": "VULHUB",
"id": "VHN-31135"
},
{
"db": "BID",
"id": "28290"
},
{
"db": "BID",
"id": "28338"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "PACKETSTORM",
"id": "65784"
},
{
"db": "PACKETSTORM",
"id": "64736"
},
{
"db": "PACKETSTORM",
"id": "70936"
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"sources": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#",
"data": {
"@container": "@list"
}
},
"data": [
{
"db": "VULHUB",
"id": "VHN-31135"
},
{
"db": "BID",
"id": "28290"
},
{
"db": "BID",
"id": "28338"
},
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"db": "PACKETSTORM",
"id": "65784"
},
{
"db": "PACKETSTORM",
"id": "64736"
},
{
"db": "PACKETSTORM",
"id": "70936"
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"sources_release_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2008-03-19T00:00:00",
"db": "VULHUB",
"id": "VHN-31135"
},
{
"date": "2008-03-18T00:00:00",
"db": "BID",
"id": "28290"
},
{
"date": "2008-03-18T00:00:00",
"db": "BID",
"id": "28338"
},
{
"date": "2008-04-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"date": "2008-04-28T14:37:56",
"db": "PACKETSTORM",
"id": "65784"
},
{
"date": "2008-03-20T00:11:50",
"db": "PACKETSTORM",
"id": "64736"
},
{
"date": "2008-10-15T06:27:36",
"db": "PACKETSTORM",
"id": "70936"
},
{
"date": "2008-03-18T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"date": "2008-03-19T00:44:00",
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"sources_update_date": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
"data": {
"@container": "@list"
}
},
"data": [
{
"date": "2017-08-08T00:00:00",
"db": "VULHUB",
"id": "VHN-31135"
},
{
"date": "2008-03-20T20:40:00",
"db": "BID",
"id": "28290"
},
{
"date": "2015-04-13T20:56:00",
"db": "BID",
"id": "28338"
},
{
"date": "2008-04-04T00:00:00",
"db": "JVNDB",
"id": "JVNDB-2008-001196"
},
{
"date": "2008-10-11T00:00:00",
"db": "CNNVD",
"id": "CNNVD-200803-307"
},
{
"date": "2024-11-21T00:43:26.970000",
"db": "NVD",
"id": "CVE-2008-1010"
}
]
},
"threat_type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/threat_type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "remote",
"sources": [
{
"db": "PACKETSTORM",
"id": "70936"
},
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
}
],
"trust": 0.7
},
"title": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/title#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "Apple Safari of WebKit Vulnerable to buffer overflow",
"sources": [
{
"db": "JVNDB",
"id": "JVNDB-2008-001196"
}
],
"trust": 0.8
},
"type": {
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/type#",
"sources": {
"@container": "@list",
"@context": {
"@vocab": "https://www.variotdbs.pl/ref/sources#"
}
}
},
"data": "buffer overflow",
"sources": [
{
"db": "CNNVD",
"id": "CNNVD-200803-307"
}
],
"trust": 0.6
}
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.