National Vulnerability Database (NVD) National Vulnerability Database (CVE-2011-1344)

National Cyber Awareness System

Vulnerability Summary for CVE-2011-1344

Original release date:03/10/2011

Last revised:03/30/2012

Source: US-CERT/NIST

Overview

Use-after-free vulnerability in WebKit, as used in Apple Safari before 5.0.5; iOS before 4.3.2 for iPhone, iPod, and iPad; iOS before 4.2.7 for iPhone 4 (CDMA); and possibly other products allows remote attackers to execute arbitrary code by adding children to a WBR tag and then removing the tag, related to text nodes, as demonstrated by Chaouki Bekrar during a Pwn2Own competition at CanSecWest 2011.

Impact

CVSS Severity (version 2.0):

CVSS v2 Base Score:6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 8.6

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Medium

Authentication: Not required to exploit

Impact Type:Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: XF

Name: safari-webkit-unspec-code-exec(66061)

Hyperlink:http://xforce.iss.net/xforce/xfdb/66061

External Source: MISC

Name: http://www.zerodayinitiative.com/advisories/ZDI-11-135

Hyperlink:http://www.zerodayinitiative.com/advisories/ZDI-11-135

External Source: MISC

Name: http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

Hyperlink:http://www.zdnet.com/blog/security/safarimacbook-first-to-fall-at-pwn2own-2011/8358

External Source: VUPEN

Name: ADV-2011-0984

Hyperlink:http://www.vupen.com/english/advisories/2011/0984

External Source: SECTRACK

Name: 1025363

Hyperlink:http://www.securitytracker.com/id?1025363

External Source: BID

Name: 46822

Hyperlink:http://www.securityfocus.com/bid/46822

External Source: BUGTRAQ

Name: 20110415 VUPEN Security Research - Apple Safari Text Nodes Remote Use-after-free Vulnerability (CVE-2011-1344)

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/517517/100/0/threaded

External Source: BUGTRAQ

Name: 20110414 ZDI-11-135: (Pwn2Own) WebKit WBR Tag Removal Remote Code Execution Vulnerability

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/517505/100/0/threaded

External Source: MISC

Name: http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

Hyperlink:http://www.computerworld.com/s/article/9214002/Safari_IE_hacked_first_at_Pwn2Own

External Source: MISC

Name: http://twitter.com/aaronportnoy/statuses/45632544967901187

Hyperlink:http://twitter.com/aaronportnoy/statuses/45632544967901187

External Source: CONFIRM

Name: http://support.apple.com/kb/HT4607

Hyperlink:http://support.apple.com/kb/HT4607

External Source: CONFIRM

Name: http://support.apple.com/kb/HT4596

Hyperlink:http://support.apple.com/kb/HT4596

External Source: SECUNIA

Name: 44154

Hyperlink:http://secunia.com/advisories/44154

External Source: SECUNIA

Name: 44151

Hyperlink:http://secunia.com/advisories/44151

External Source: APPLE

Name: APPLE-SA-2011-04-14-3

Hyperlink:http://lists.apple.com/archives/security-announce/2011//Apr/msg00002.html

External Source: APPLE

Name: APPLE-SA-2011-04-14-2

Hyperlink:http://lists.apple.com/archives/security-announce/2011//Apr/msg00001.html

External Source: APPLE

Name: APPLE-SA-2011-04-14-1

Hyperlink:http://lists.apple.com/archives/security-announce/2011//Apr/msg00000.html

External Source: MISC

Name: http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011

Hyperlink:http://dvlabs.tippingpoint.com/blog/2011/02/02/pwn2own-2011

Vulnerable software and versions

Configuration 1

* cpe:/a:apple:safari:5.0.4 and previous versions

* cpe:/a:apple:safari:5.0.2

* cpe:/a:apple:safari:5.0.1

* cpe:/a:apple:safari:5.0

* cpe:/a:apple:safari:4.1.1

* cpe:/a:apple:safari:4.0.5

* cpe:/a:apple:safari:4.1.2

* cpe:/a:apple:safari:4.0.0b

* cpe:/a:apple:safari:4.0.2

* cpe:/a:apple:safari:4.0.1

* cpe:/a:apple:safari:4.0

* cpe:/a:apple:safari:4.0.4

* cpe:/a:apple:safari:4.0.3

* cpe:/a:apple:safari:4.1

* cpe:/a:apple:safari:4.0:beta

* cpe:/a:apple:safari:3.2.2

* cpe:/a:apple:safari:3.2.1

* cpe:/a:apple:safari:3.2.0

* cpe:/a:apple:safari:3.1.2

* cpe:/a:apple:safari:3.1.1

* cpe:/a:apple:safari:3.1.0b

* cpe:/a:apple:safari:3.1.0

* cpe:/a:apple:safari:3.0.4b

* cpe:/a:apple:safari:3.0.4

* cpe:/a:apple:safari:3.0.3b

* cpe:/a:apple:safari:3.0.3

* cpe:/a:apple:safari:3.0.2b

* cpe:/a:apple:safari:3.0.2

* cpe:/a:apple:safari:3.0.1b

* cpe:/a:apple:safari:3.0.1

* cpe:/a:apple:safari:3.0.0b

* cpe:/a:apple:safari:3.0.0

* cpe:/a:apple:safari:3.0

* cpe:/a:apple:safari:3

* cpe:/a:apple:safari:2.0.4

* cpe:/a:apple:safari:2.0.3:417.9.3

* cpe:/a:apple:safari:2.0.3:417.9.2

* cpe:/a:apple:safari:2.0.3:417.9

* cpe:/a:apple:safari:2.0.3:417.8

* cpe:/a:apple:safari:2.0.3

* cpe:/a:apple:safari:2.0.2

* cpe:/a:apple:safari:2.0.1

* cpe:/a:apple:safari:2.0.0

* cpe:/a:apple:safari:2.0

* cpe:/a:apple:safari:2

* cpe:/a:apple:safari:1.0.0

* cpe:/a:apple:safari:1.0.3

* cpe:/a:apple:safari:1.3.0

* cpe:/a:apple:safari:1.2.0

* cpe:/a:apple:safari:1.1.0

* cpe:/a:apple:safari:1.0.2

* cpe:/a:apple:safari:1.0.1

* cpe:/a:apple:safari:1.0.0b2

* cpe:/a:apple:safari:1.3.2

* cpe:/a:apple:safari:1.0.0b1

* cpe:/a:apple:safari:1.2

* cpe:/a:apple:safari:1.2.1

* cpe:/a:apple:safari:1.2.2

* cpe:/a:apple:safari:1.2.3

* cpe:/a:apple:safari:1.2.4

* cpe:/a:apple:safari:1.2.5

* cpe:/a:apple:safari:1.3

* cpe:/a:apple:safari:1.3.1

* cpe:/a:apple:safari:1.1

* cpe:/a:apple:safari:1.0:beta2

* cpe:/a:apple:safari:1.0:beta

* cpe:/a:apple:safari:1.0

* cpe:/a:apple:safari:1.0.3:85.8

* cpe:/a:apple:safari:1.0.3:85.8.1

* cpe:/a:apple:safari:1.1.1

* cpe:/a:apple:safari:1.3.2:312.5

* cpe:/a:apple:safari:1.3.2:312.6

Configuration 2

AND

* cpe:/o:apple:iphone_os:4.3.1 and previous versions

* cpe:/o:apple:iphone_os:4.3.0

* cpe:/o:apple:iphone_os:4.2.8

* cpe:/o:apple:iphone_os:4.2.5

* cpe:/o:apple:iphone_os:4.2.1

* cpe:/o:apple:iphone_os:4.2

* cpe:/o:apple:iphone_os:4.1

* cpe:/o:apple:iphone_os:4.0.2

* cpe:/o:apple:iphone_os:4.0.1

* cpe:/o:apple:iphone_os:4.0

* cpe:/o:apple:iphone_os:3.2.1

* cpe:/o:apple:iphone_os:3.2

* cpe:/o:apple:iphone_os:3.1.3

* cpe:/o:apple:iphone_os:3.1.2

* cpe:/o:apple:iphone_os:3.1

* cpe:/o:apple:iphone_os:3.0.1

* cpe:/o:apple:iphone_os:3.0

* cpe:/o:apple:iphone_os:2.2.1

* cpe:/o:apple:iphone_os:2.2

* cpe:/o:apple:iphone_os:2.1.1

* cpe:/o:apple:iphone_os:2.1

* cpe:/o:apple:iphone_os:2.0.2

* cpe:/o:apple:iphone_os:2.0.1

* cpe:/o:apple:iphone_os:2.0.0

* cpe:/o:apple:iphone_os:2.0

* cpe:/o:apple:iphone_os:1.1.5

* cpe:/o:apple:iphone_os:1.1.4

* cpe:/o:apple:iphone_os:1.1.3

* cpe:/o:apple:iphone_os:1.1.2

* cpe:/o:apple:iphone_os:1.1.1

* cpe:/o:apple:iphone_os:1.1.0

* cpe:/o:apple:iphone_os:1.0.2

* cpe:/o:apple:iphone_os:1.0.1

* cpe:/o:apple:iphone_os:1.0.0

cpe:/h:apple:iphone

cpe:/h:apple:ipad

cpe:/h:apple:ipod_touch

Configuration 3

AND

* cpe:/o:apple:iphone_os:4.2.5 and previous versions

* cpe:/o:apple:iphone_os:4.2.1

* cpe:/o:apple:iphone_os:4.2

* cpe:/o:apple:iphone_os:4.1

* cpe:/o:apple:iphone_os:4.0.2

* cpe:/o:apple:iphone_os:4.0.1

* cpe:/o:apple:iphone_os:4.0

* cpe:/o:apple:iphone_os:3.2.2

* cpe:/o:apple:iphone_os:3.2.1

* cpe:/o:apple:iphone_os:3.2

* cpe:/o:apple:iphone_os:3.1.3

* cpe:/o:apple:iphone_os:3.1.2

* cpe:/o:apple:iphone_os:3.1

* cpe:/o:apple:iphone_os:3.0.1

* cpe:/o:apple:iphone_os:3.0

* cpe:/o:apple:iphone_os:2.2.1

* cpe:/o:apple:iphone_os:2.2

* cpe:/o:apple:iphone_os:2.1.1

* cpe:/o:apple:iphone_os:2.1

* cpe:/o:apple:iphone_os:2.0.2

* cpe:/o:apple:iphone_os:2.0.1

* cpe:/o:apple:iphone_os:2.0.0

* cpe:/o:apple:iphone_os:2.0

* cpe:/o:apple:iphone_os:1.1.5

* cpe:/o:apple:iphone_os:1.1.4

* cpe:/o:apple:iphone_os:1.1.3

* cpe:/o:apple:iphone_os:1.1.2

* cpe:/o:apple:iphone_os:1.1.1

* cpe:/o:apple:iphone_os:1.1.0

* cpe:/o:apple:iphone_os:1.0.2

* cpe:/o:apple:iphone_os:1.0.1

* cpe:/o:apple:iphone_os:1.0.0

cpe:/h:apple:iphone:4

* Denotes Vulnerable Software

Technical Details

Vulnerability Type (View All)

Resource Management Errors (CWE-399)

CVE Standard Vulnerability Entry:http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1344