CVE-2010-1939
Published: 2010-05-13
Priority: P3 · 49 · high · 7.6 CVSS 2.0
CVSS 2.0 vector: AV:N/AC:H/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 14.71% (96.2th percentile)
Use-after-free vulnerability in Apple Safari 4.0.5 on Windows allows remote attackers to execute arbitrary code by using window.open to create a popup window for a crafted HTML document, and then calling the parent window's close method, which triggers improper handling of a deleted window object.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| apple | safari | — | — |
Detection & IOCs (extracted from sources)
- bytes: 0x09090101
- Exploit chain involves a specific multi-file HTML sequence: START.htm loads iff.htm, which loads if1.htm, which loads 0day.html. Detection of this file chain on disk or in web traffic is a strong indicator of exploitation.
- Exploit triggers via window.open() to create a popup followed by a parent.close() call. Monitor JavaScript in web content for this pattern targeting Safari on Windows.
- A JIT-spray technique is used to bypass ASLR and DEP; the JIT-sprayed shellcode is called via the ESI register at address 0x09090101. Memory forensics or crash dumps showing CALL ESI at this address indicate exploitation.
- Remote exploitation requires popups to be enabled in Safari (Ctrl+Shift+K). Alerting on Safari popup permission changes or popup-enabled browsing sessions may help scope exposure.
- Talos/VRT released Snort rules on June 14, 2010 specifically covering CVE-2010-1939 Apple Safari RCE. Ensure those rule sets are applied.
- Exploitation is limited to Apple Safari 4.0.5 on Windows. Other platforms or Safari versions are not confirmed affected.
- Remote exploitation requires the victim's browser to have popups enabled; without popup permission the attack vector is reduced to local.
- The exploit was tested specifically on XP SP2 Polish; behavior on other Windows versions or service packs may differ.
No detection rules found.
Exploit-DB
Apple Safari 4.0.5 - 'parent.close()' Memory Corruption (ASLR + DEP Bypass) (exploitdb · 2010-05-15)
---
Download:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/12614.zip (safari_parent_close_sintsov.zip)
Unzip and run START.htm
This exploit uses JIT-SPRAY for DEP and ASLR bypass.
jit-shellcode: system("notepad")
0day.html - uses the 0x09090101 address for CALL to the JITed shellcode.

    START.htm -> iff.htm -> if1.htm -> 0day.html
                    |                     |
                    |                     |
                JIT-SPRAY           parent.close();
            0x09090101 - JITed  *   ESI=0x09090101
                shellcode       *   CALL ESI

By Alexey Sintsov
from Digital Security Research Group
[www.dsecrg.com]
Exploit-DB
Apple Safari 4.0.5 - 'parent.close()' Memory Corruption Code Execution (exploitdb · 2010-05-11)
---
Tested on: Apple Safari 4.0.5 / XP SP2 Polish
Shellcode: Windows Execute Command (calc)
Local: Yes
Remote: Yes (POPUP must be enabled [Ctrl+Shift+K])
Just for fun ;)
-->
window.open("0day.htm"); //parent.close() activation
self.close();
-----------------------------------REMOTE.htm-------------------------------->
Alt + F4 :)
function make_buf(payload, len) {
while(payload.length
Talos
Rule Release for Today - June 14th, 2010 (blogs_talos · 2010-06-14 · CVSS 10.0 · [CRITICAL])
By Nigel Houghton, Monday, June 14, 2010 15:20
Apple Safari RCE (CVE-2010-1939), Google Chrome GLUG bypass (CVE-2010-1663). Details available here: http://www.snort.org/vrt/advisories/2010/06/14/vrt-rules-2010-06-14.html/
References
- http://h07.w.interia.pl/Safari.rar
- http://reviews.cnet.com/8301-13727_7-20004709-263.html
- http://secunia.com/advisories/39670
- http://securitytracker.com/id?1023958
- http://www.kb.cert.org/vuls/id/943165
- http://www.osvdb.org/64482
- http://www.securityfocus.com/bid/39990
- http://www.vupen.com/english/advisories/2010/1097
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6748

Published: 2010-05-13