Issue 3990: Chrome Infinite array Tab DoS http://code.google.com/p/chromium/issues/detail?id=3990
New issue report by lostmon: ################################################## Multiple Browsers Stack overflow in javascript with infinite array original article:http://lostmon.blogspot.com/ 2008/11/multiple-browsers-stack-overflow-in.html ################################################## ############ Description ############ Multiple Browsers are prone vulnerables to a stack overflow or crash via infinite array in Javascript engine. This is a extended research from this vulnerability/exploit : http://www.securityfocus.com/bid/31703 This issue can use for example in a web post vulnerable to xss Style attacks or similar to do a DoS from web to Web browsers victim´s. ################ Browsers Tested: ################ Fail = affected pass = Not affected ¿? ##################### Testing ##################### .:[-Multiple Browsers infnite array PoC By Lostmon -]:. Here You have two variants of this array sav this file: ##################################### <html> <head> <title>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</title> <script type="text/javascript"> function infinite_array() { foo = new Array(); alert('infinite array'); while(true) {foo = new Array(foo);} } function infinite_array2() { foo = new Array(); alert('Infinite array with sort()'); while(true) {foo = new Array(foo).sort();} } </script> </head> <body> <h3>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</h3> <input type="button" value="Infinite array Without sort()" onclick="infinite_array();" /> <input type="button" value="Infinite array with sort()" onclick="infinite_array2();" /> </body></html> #################################### see table image : http://usuarios.lycos.es/reyfuss/xss/images/tabla.GIF ############### Stack Overflow ############### IE7 , Avant Browser and Maxthor browsers this cause a stack overflow in javascript. In ie7 i try to trace and exploit it with olly debugger , but all cases what i test to turn it executable , are all time go to SEH. This is not exploitable , and the browsers wen click in the alert can continue working without problems; them this is a recoverable issue.Microsoft security team has determine that this issue at this moment is not exploitable. In Google Chrome can cause a tab Crash or if we only have open one window and one tab, open the exploit, and don´t wait, try to navigate to google or other site causes that google Chrome close without warning , error, or alert, if we have open multiple tabs, this issue only crash/close the tab affected by the exploit. If open the exploit and wait few seconds Chrome show a warning to close the crashed tab. ################ Memory abuse ################ In ie7 can cause a memory abuse and can turn unestable all system and all aplications.(it can load all memory) In safari for windows can cause a program termination, safari closes all windows, all tabs without a alert or a warning or error.With olly , can trace , and it´s too a stack overflow. In Google Chrome can cause a tab Crash or if we only have open one window and one tab, open the exploit, and don´t wait, try to navigate to google or other site causes that google Chrome close without warning , error, or alert if open the exploit and wait few seconds Chrome show a warning to close the crashed tab. Some other browsers detects the slow scripts and ask for stop. In opera , it abuse memory , but we can recover it or navigate to other sites them this is a recoverable issue. #######################€nd##################### Thnx to Microsoft security team for support & interesting. Thnx to Apple security team for support & interesting. -- Thnx to estrella to be my ligth Thnx To FalconDeOro for his support Thnx To Imydes From http://www.imydes.com -- atentamente: Lostmon ([EMAIL PROTECTED]) Web-Blog: http://lostmon.blogspot.com/ Google group: http://groups.google.com/group/lostmon (new) -- La curiosidad es lo que hace mover la mente.... Attachments: PoC_array_Chrome_tab_dos.html 370 bytes Issue attributes: Status: Unconfirmed Owner: [EMAIL PROTECTED] Labels: Type-Bug Pri-2 OS-All Area-Misc -- You received this message because you are listed in the owner or CC fields of this issue, or because you starred this issue. You may adjust your issue notification preferences at: http://code.google.com/hosting/settings --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Chromium-bugs" group. To post to this group, send email to chromium-bugs@googlegroups.com To unsubscribe from this group, send email to [EMAIL PROTECTED] For more options, visit this group at http://groups.google.com/group/chromium-bugs?hl=en -~----------~----~----~----~------~----~------~--~---
