CVE-2014-1303
published 2014-03-26


Priority: P2 · 66 · critical
CVSS 2.0: 10 (vector AV:N / AC:L / Au:N / C:C / I:C / A:C)
EXPLOIT
EPSS: 34.78% (98.2th percentile)
Heap-based buffer overflow in Apple Safari 7.0.2 allows remote attackers to execute arbitrary code and bypass a sandbox protection mechanism via unspecified vectors, as demonstrated by Liang Chen during a Pwn2Own competition at CanSecWest 2014.

Affected (1 range)

Vendor | Product | Version range | Fixed in
apple | safari | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

filename: exploit.html
filename: scripts/roputil.js
filename: scripts/syscall.js
filename: scripts/code.js
  • Exploit is delivered via a malicious HTML page (exploit.html) served from a web server; monitor for WebKit-based browsers (Safari 7.0.2, WebKitGTK 2.1.2, PS4 firmware < 2.50) fetching exploit.html alongside ROP-chain JavaScript files (roputil.js, syscall.js, code.js) from the same origin.
  • PS4 exploit variant uses a fake DNS server (fakedns.py) to redirect the console's User's Guide page to an attacker-controlled server; detect anomalous DNS responses redirecting known Sony/PS4 hostnames to non-Sony IPs.
  • Exploitation triggers a heap-based buffer overflow leading to ROP chain execution; on Linux/WebKitGTK a crash or controlled jump to an invalid address (0xdeadbeefdeadbeef) in the browser process is a strong indicator of exploitation attempt.
  • Post-exploitation capability includes loading and executing a remote payload ('Code Execution - Load and execute payload from outer network') and dumping the filesystem ('/dev' entries); monitor WebKit browser processes for unexpected outbound connections or filesystem enumeration.
  • The PS4 exploit is triggered by navigating to the User's Guide page on the PS4; the RSP register is pivoted as part of the ROP chain. Monitor for PS4 consoles on firmware < 2.50 making unexpected DNS lookups or HTTP requests to non-Sony infrastructure.
  • The PS4 PoC has been confirmed to work on firmware 2.03; the ROP test is only validated on 2.03, though the heap overflow itself should be triggerable on any firmware < 2.50.
  • Red Hat will not fix this issue in webkitgtk (RHEL 6) or webkitgtk3 (RHEL 7); systems running these packages remain permanently exposed.

CVSS provenance

nvd: v2.0 · 10.0 · CRITICAL · AV:N/AC:L/Au:N/C:C/I:C/A:C
vendor_redhat: 10.0 · CRITICAL