Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23121
HistoryJan 26, 2010 - 12:00 a.m.

Safari 4.0.4 Crash

2010-01-2600:00:00
vulners.com
6
JSON

The following piece of javascript will crash Safari nicely when triggered using
one of the methods described below. With my limited knowledge I am unable to tell
if it's exploitable or not. I therefore turn it over to "the internet". (tested
on Safari 4.0.4, Win XP Pro SP3)

============================

<script>
var data = "A";
while(data.length<0x40000){
data += data;
}
data2 = new Array();
for (x=0; x<4000; x++){
data2[x] = data+data;
}
</script>

============================

The crash is not immediate, but there are actually two ways to trigger it and I
believe they are separate problems.

The following will cause Safari to crash with “Access violation reading
[00000000]”.

* Window-&gt;Activity

Whereas these will crash Safari with “Access violation writing to [BBADBEEF]”

* Develop-&gt;Start Debugging Javascript
* Develop-&gt;Show Error Console &#40;Unreliable&#41;
* Develop-&gt;Show Web Inspector &#40;Unreliable&#41;
* &#40;Right Click&#41;-&gt;Inspect Element

I can’t seem to affect any registers in an advantageous way but I do see several
pointers to \x41 blocks on the stack. At least you could put shellcode in these
and jump to them if you could control EIP. If anyone is able to do anything with
this, please let me know.

JSON