Opera Web Browser Large JavaScript Array Handling Vulnerability
BID:9869
Info
| Bugtraq ID: | 9869 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | Mar 15 2004 12:00AM |
| Updated: | Mar 15 2004 12:00AM |
| Credit: | This issue was discovered by d3thStaR. |
| Vulnerable: | Opera Software Opera Web Browser 7.23; Opera Software Opera Web Browser 7.22 |
| Not Vulnerable: | |
Discussion
Opera Web Browser is prone to an issue when handling large JavaScript arrays.
In particular, it is possible to crash the browser when performing various operations on Array objects with 99999999999999999999999 or 0x23000000 elements.
The crash is due to a segmentation fault and may be indicative of an exploitable memory corruption vulnerability, possibly resulting in arbitrary code execution, though this has not been confirmed.
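The two lengths named above are different cases under the ECMAScript Array constructor rule: the first is not a valid unsigned 32-bit length and must be rejected with a RangeError, while the second is a legal length that an engine has to represent without dense storage. The following added example (not part of the original advisory and not Opera's code) classifies a requested length without allocating anything; `classifyArrayLength`, `engineRejects` and `DENSE_BUDGET` are hypothetical names and values chosen for this illustration.

```javascript
// Added example: classify a requested Array length the way the ECMAScript
// Array constructor rule does, without allocating the array itself.

// DENSE_BUDGET is an assumption of this example: the largest element count a
// caller is willing to back with real, contiguous storage.
const DENSE_BUDGET = 1 << 24;

function classifyArrayLength(requested) {
  if (typeof requested !== "number") {
    // new Array("5") creates a one-element array holding the string.
    return { verdict: "not-a-length", length: 1 };
  }
  // ToUint32 round trip: a valid length must be unchanged by it.
  const asUint32 = requested >>> 0;
  if (asUint32 !== requested) {
    return { verdict: "range-error", length: null };
  }
  if (asUint32 > DENSE_BUDGET) {
    // Legal, but only safe if the engine keeps the array sparse.
    return { verdict: "sparse-only", length: asUint32 };
  }
  return { verdict: "ok", length: asUint32 };
}

// Cross-check against the running engine. Intended for lengths expected to be
// rejected or small, so nothing large is ever allocated here.
function engineRejects(requested) {
  try {
    new Array(requested);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}

// The two lengths from the advisory, plus an ordinary one for comparison.
for (const n of [99999999999999999999999, 0x23000000, 16]) {
  console.log(n, classifyArrayLength(n));
}
```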
Exploit / POC
The following examples were provided:
var a = new Array(99999999999999999999999);
a[0+5]="AAAAA";
and:
var bam = new Array(0x23000000);
bam.sort(new Function("return 1"));
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
References
References:
- Opera Web Browser Home Page (Opera Software)
- Opera Array Allocation Managment Exploit (d3thStaR)