ref_fuzz and other fun bugs

[Michal Zalewski <lcamtuf () coredump cx>]

Belated, but here are some recent bugs that you guys might find interesting:

1) DOM reference fuzzer, originally developed in 2008, crashed every
browser on the market back then. This tool attempts to crawl the DOM
object hierarchy from a particular starting point, collects object
references discovered during the crawl by recursively calling methods
and examining properties, and then reuses them in various ways after
destroying the original object. In essence, the goal is to find
use-after-free conditions across the browser codebase.

Several of the bugs triggered by the fuzzer were rediscovered
independently in the two years it took vendors to investigate; most
notably, looks like the winning Pwn2own bug is a duplicate of this.
The release of Microsoft MS10-035 and Apple APPLE-SA-2010-06-21-1
probably fixes the last of the known exploitable issues triggered by
this tool. Likely not a great argument in favor of vendor-dependent
disclosure.

Additional info:
http://lcamtuf.blogspot.com/2010/06/announcing-reffuzz-2yo-fuzzer.html
Link to the fuzzer: http://lcamtuf.coredump.cx/ref_fuzz5.html

2) Safari SOP bypass (CVE-2010-0544) - a difference between KURL and
CFNetwork URL parsing allows content fetched from different origins to
be considered same-origin when a particular obscure loophole in
RFC1630 used. The backstory on this vulnerability is probably
interesting, but it does not feel appropriate to paste it here in its
entirety.

Additional info:
http://lcamtuf.blogspot.com/2010/06/safari-tale-of-betrayal-and-revenge.html
Link to PoC: http://lcamtuf.coredump.cx/sfbypass/

3) Address bar spoofing in Firefox (CVE-2010-1206) - an
usability-related exception causes the destination URL to be inserted
in the address bar before the destination site is actually loaded; by
calling window.stop() or navigating to HTTP 204, it is possible to
keep this URL while rendering arbitrary attacker-controlled window
contents:

Additional info:
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html
Firefox PoC: http://lcamtuf.coredump.cx/ffox_spoof.html
Related behavior in Safari: http://lcamtuf.coredump.cx/safari_spoof.html

4) Some more fun with selective mid-keystroke focus redirection in
WebKit-based browsers (CVE-2010-1422) - see
http://seclists.org/fulldisclosure/2010/Mar/232 for original
description of the vulnerability; as it turns out, the attack scenario
- where a malicious top-level window selectively redirects keystrokes
to a hidden frame - can also be trivially reversed. This allows a
malicious gadget embedded on a trusted page (say, a social site or a
search engine) to steal any text entered in the parent.

Additional info:
http://lcamtuf.blogspot.com/2010/06/curse-of-inverse-strokejacking.html
Link to PoC: http://lcamtuf.coredump.cx/webkit-focus/toplevel2.html

/mz