Re: regarding CVE-2008-4382 & CVE-2008-4381

[Nico Golde <oss-security+ml () ngolde de>]

Hi Steven,
* Steven M. Christey <coley () linus mitre org> [2008-10-03 22:15]:
> On Fri, 3 Oct 2008, Nico Golde wrote:
>
> > looking at the PoC this would work in every browser
> > supporting JavaScript as this is just a trivial memory
> > consumption issue by passing a very large string too the
> > alert function and thus eating memory, a simple
> > while(true){} would be equally effective for eating cpu
> > cycles which I wouldn't consider as a vulnerability
> > either...
>
> I usually wouldn't call it a vulnerability, either.  However, based on our
> analysis, the String.fromCharCode(550) creates a Unicode string for
> character 550, but the escape() for URL encoding can only cover 0 to 255,
> so it seemed like something else was going on here, maybe the alert
> function not working.
>
> I don't know how Javascript manages large strings, but it seems like
> somewhere around the "x4 += x4;" statement, you exceed multiple gigs.  So
> maybe the alert function isn't even being reached...

I tested this already using a lower loop count in the for 
loops and got similar behaviour and saw the alert box.

Cheers
Nico
-- 
Nico Golde - http://www.ngolde.de - nion () jabber ccc de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.

Attachment: _bin
Description: