Safari 4.0.3 CSS DoS Exploit Explained

Safari 4.0.3 CSS DoS Exploit Explained
What this paper is
This paper details a Denial of Service (DoS) vulnerability in Apple Safari version 4.0.3 running on Windows. The exploit leverages a flaw in how Safari handles Cascading Style Sheets (CSS) when rendering specific HTML elements, leading to a crash of the browser process.
Simple technical breakdown
The exploit works by creating an HTML page with a specific CSS style applied to an image element within a paragraph. When Safari attempts to render this malformed CSS, it encounters an issue that causes it to consume excessive resources or enter an invalid state, ultimately leading to the browser crashing. The core of the issue lies in the interaction between the position: absolute; style applied to an <img> tag nested within a <p> tag, combined with the display: inline-block; on a parent element.
Complete code and payload walkthrough
The provided exploit is a simple HTML file. There is no complex shellcode or multi-stage payload in this specific exploit. The "payload" is the HTML and CSS structure itself, designed to trigger the vulnerability.
<html dir="rtl">
<body>
<style type="text/css">
.crash {
position:relative;
padding: 4px 6px;
display:inline-block;
}
.crash img {
position:absolute;
}
</style>
<div class="crash">
<P><img></p> you can replace <p> tags with any other tags, but you
shouldnt change <img> tag
</div>
</body>
</html>Let's break down the meaningful parts:
<html dir="rtl">: This is the standard HTML document declaration. Thedir="rtl"attribute specifies the text direction as right-to-left, which is common for languages like Arabic or Hebrew. While present, it's not directly related to the exploit mechanism itself but is part of the HTML structure.<body>: This tag encloses the visible content of the HTML document.<style type="text/css"> ... </style>: This block defines CSS rules that will be applied to the HTML elements..crash { ... }: This defines a CSS class namedcrash.position:relative;: This makes the element a positioning context for absolutely positioned children.padding: 4px 6px;: Adds some spacing around the content.display:inline-block;: This is a crucial property. It allows the element to behave like an inline element (fitting into the text flow) but also allows setting width, height, and margins like a block element.
.crash img { ... }: This defines CSS rules specifically for<img>elements that are descendants of an element with the classcrash.position:absolute;: This is another critical property. It takes the image out of the normal document flow and positions it relative to its nearest positioned ancestor (which, in this case, is the.crashdiv due toposition:relative).
<div class="crash"> ... </div>: This is a division element that is assigned the CSS classcrash. This means the CSS rules defined for.crashwill apply to thisdiv.<P><img></p>: This is the core of the vulnerability trigger.<P>: A paragraph tag.<img>: An image tag. Importantly, this<img>tag has nosrcattribute, meaning it's an empty or broken image reference.</p>: The closing paragraph tag.
you can replace <p> tags with any other tags, but you shouldn't change <img> tag: This is a comment within the HTML, indicating that the<p>tags are somewhat flexible, but the<img>tag is essential for the exploit.
Mapping list:
position:relative;on.crash: Establishes a positioning context for the absolutely positioned image.display:inline-block;on.crash: Allows thedivto flow with text while accepting positioning.position:absolute;on.crash img: Takes the image out of flow and positions it relative to the.crashdiv.- Empty
<img>tag within<P>: The malformed or missing image source, combined with the absolute positioning and parent styling, is what triggers the rendering bug.
Execution Flow:
- The browser encounters the HTML.
- It parses the CSS and applies the
.crashclass to thediv. - It then encounters the
<P><img></p>structure. - The
.crash imgCSS rule is applied to the<img>tag. - The browser attempts to render the
<img>tag, which is absolutely positioned within a relatively positioned container, and has no source. - This specific combination of CSS properties and the empty image tag causes a rendering error in Safari 4.0.3, leading to a crash.
There is no shellcode or executable payload in this exploit. The "exploit" is the crafted HTML/CSS that causes the browser to fail.
Practical details for offensive operations teams
- Required Access Level: Low. This is a client-side exploit. An attacker would need to trick a user into visiting a malicious web page or opening a malicious HTML file. No elevated privileges on the target system are required beyond what a standard user has.
- Lab Preconditions:
- A target machine with Apple Safari 4.0.3 (Windows x86) installed.
- A web server to host the exploit HTML file, or the ability to deliver the HTML file directly to the user (e.g., via email attachment).
- Network connectivity for the target to access the hosted exploit.
- Tooling Assumptions:
- A basic web server (e.g., Python's
SimpleHTTPServer, Apache, Nginx) to serve the HTML file. - A text editor to create and modify the HTML exploit file.
- A basic web server (e.g., Python's
- Execution Pitfalls:
- Version Specificity: This exploit is highly specific to Safari 4.0.3. Any other version, especially newer ones, will likely not be vulnerable.
- Browser Configuration: While unlikely to prevent a crash, some browser security settings or extensions could theoretically interfere, though for a DoS, this is less of a concern than for remote code execution.
- User Interaction: The user must be convinced to visit the malicious URL or open the file. Phishing or social engineering is a prerequisite.
- Detection: While the exploit itself doesn't generate significant network traffic beyond fetching the HTML, the act of delivering it (e.g., via a phishing email) might be detected. The HTML file itself is benign until rendered by the vulnerable browser.
- Tradecraft Considerations:
- Delivery: The most common delivery method would be via a phishing email with a link to the exploit hosted on a compromised or attacker-controlled website.
- Obfuscation: For a DoS, extensive obfuscation of the HTML is usually not necessary, as the goal is simply to trigger the crash. However, embedding the HTML within other content or using data URIs could be considered for stealthier delivery if the initial HTML file itself is flagged.
- Payload Hosting: A temporary, low-profile web server would suffice. The exploit is small and requires no complex infrastructure.
Where this was used and when
- Context: This exploit targets a specific version of a web browser. Its primary use case would be in scenarios where an attacker wants to disrupt a user's browsing session or prevent them from accessing a specific website by crashing their browser. This could be part of a broader attack chain, or a simple act of disruption.
- Timeframe: The exploit was published in April 2010. Therefore, its practical use would have been against users running Apple Safari 4.0.3 on Windows around that time. It is highly unlikely to be effective against modern systems and browsers.
Defensive lessons for modern teams
- Patch Management: The most critical lesson is the importance of timely patching. Vulnerabilities, even in seemingly minor components like CSS rendering, can lead to significant disruptions. Keeping browsers and all software up-to-date is paramount.
- Browser Sandboxing: Modern browsers employ robust sandboxing techniques. Even if a rendering bug were to occur, it would ideally be contained within the sandbox, preventing a full process crash or further system compromise.
- Web Application Firewalls (WAFs): While this exploit is client-side, WAFs can sometimes detect and block malicious HTML/CSS patterns if they are known signatures. However, for simple DoS vectors like this, detection might be challenging without specific rules.
- Endpoint Detection and Response (EDR): EDR solutions can monitor process behavior. A sudden crash of a browser process, especially if it's not a common occurrence, could be flagged by EDR, prompting investigation.
- User Awareness Training: Educating users about the dangers of clicking on suspicious links or opening unknown files remains a fundamental defense against client-side exploits.
ASCII visual (if applicable)
This exploit is a direct HTML/CSS rendering issue. A visual representation of the code's structure is more appropriate than a network or system flow diagram.
+---------------------+
| HTML Page |
+---------------------+
| <style> |
| .crash { |
| position:relative;|
| display:inline-block;|
| } |
| .crash img { |
| position:absolute;|
| } |
| </style> |
| |
| <div class="crash"> |
| <P><img></p> |
| </div> |
+---------------------+
|
| (Browser Rendering Engine)
V
+---------------------+
| Safari 4.0.3 (Win) |
| |
| - Parses HTML/CSS |
| - Applies styles |
| - Encounters bug |
| with absolute img |
| in relative div |
| - CRASH |
+---------------------+Source references
- PAPER ID: 12457
- PAPER TITLE: Apple Safari 4.0.3 (Windows x86) - 'CSS' Remote Denial of Service (2)
- AUTHOR: ITSecTeam
- PUBLISHED: 2010-04-29
- PAPER URL: https://www.exploit-db.com/papers/12457
- RAW URL: https://www.exploit-db.com/raw/12457
Original Exploit-DB Content (Verbatim)
===============================================================
Apple Safari 4.0.3 (Win32) CSS Remote Denial Of Service Exploit
===============================================================
################## In The Name Of Allah ########################
#Apple Safari 4.0.3 (Win32) CSS Remote Denial Of Service Exploit
#Tested on Safari 4.0.3.0 (4.531.9.1)
#vendor : http://www.apple.com/safari
#AUTHOR: ITSecTeam
#Email: Bug@ITSecTeam.com
#Website: http://www.itsecteam.com
#Forum : http://forum.ITSecTeam.com
#Original Advisory:
#http://www.itsecteam.com/en/vulnerabilities/vulnerability49.htm
#Special Thanks: b3hz4d,M3hr@n.s,Cdef3nder,PLATEN
################################################################
<html dir="rtl">
<body>
<style type="text/css">
.crash {
position:relative;
padding: 4px 6px;
display:inline-block;
}
.crash img {
position:absolute;
}
</style>
<div class="crash">
<P><img></p> you can replace <p> tags with any other tags, but you
shouldnt change <img> tag
</div>
</body>
</html>