##################################################
Multiple Browsers Stack overflow in javascript with infinite array
original article:http://lostmon.blogspot.com/
2008/11/multiple-browsers-stack-overflow-in.html
##################################################
############
Description
############

Multiple Browsers are prone vulnerables to a stack overflow
or crash via infinite array in Javascript engine.
This is a extended research from this vulnerability/exploit :
http://www.securityfocus.com/bid/31703

This issue can use for example in a web post vulnerable to xss
Style attacks or similar to do a DoS from web to Web browsers victimīs.

################
Browsers Tested:
################

Fail = affected
pass = Not affected ŋ?

#####################
Testing
#####################
.:[-Multiple Browsers infnite array PoC By Lostmon -]:.
Here You have two variants of this array sav this file:
#####################################
<html>
<head>
<title>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</title>
<script type="text/javascript">
function infinite_array()
{
foo = new Array();
alert('infinite array');
while(true) {foo = new Array(foo);}
}
function infinite_array2()
{
foo = new Array();
alert('Infinite array with sort()');
while(true) {foo = new Array(foo).sort();}
}
</script>
</head>
<body>
<h3>.:[-Multiple Browsers infnite array PoC By Lostmon -]:.</h3>
<input type="button" value="Infinite array Without sort()"
onclick="infinite_array();" />
<input type="button" value="Infinite array with sort()"
onclick="infinite_array2();" />
</body></html>
####################################

see table image :
http://usuarios.lycos.es/reyfuss/xss/images/tabla.GIF

###############
Stack Overflow
###############

IE7 , Avant Browser and Maxthor browsers this cause a stack
overflow in javascript.

In ie7 i try to trace and exploit it with olly debugger ,
but all cases what i test to turn it executable , are all
time go to SEH. This is not exploitable , and the browsers
wen click in the alert can continue working without problems;
them this is a recoverable issue.Microsoft security team has
determine that this issue at this moment is not exploitable.

In Google Chrome can cause a tab Crash or if we only have
open one window and one tab, open the exploit, and donīt wait,
try to navigate to google or other site causes that google
Chrome close without warning , error, or alert, if we have
open multiple tabs, this issue only crash/close the tab
affected by the exploit. If open the exploit and wait few
seconds Chrome show a warning to close the crashed tab.


################
Memory abuse
################

In ie7 can cause a memory abuse and can turn unestable all
system and all aplications.(it can load all memory)

In safari for windows can cause a program termination, safari
closes all windows, all tabs without a alert or a warning or
error.With olly , can trace , and itīs too a stack overflow.

In Google Chrome can cause a tab Crash or if we only have open
one window and one tab, open the exploit, and donīt wait, try
to navigate to google or other site causes that google Chrome
close without warning , error, or alert if open the exploit
and wait few seconds Chrome show a warning to close the
crashed tab.

Some other browsers detects the slow scripts and ask for stop.
In opera , it abuse memory , but we can recover it or navigate
to other sites them this is a recoverable issue.

#######################€nd#####################

Thnx to Microsoft security team for support & interesting.
Thnx to Apple security team for support & interesting.
--
Thnx to estrella to be my ligth
Thnx To FalconDeOro for his support
Thnx To Imydes From http://www.imydes.com

--
atentamente:
Lostmon (lostmon@gmail.com)

Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....

-- 
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....