Re: Firefox bugs

[Thor Larholm <thor () polypath com>]

The PoC from the slide and the full PoC is attached to 
https://bugzilla.mozilla.org/show_bug.cgi?id=355069.

Spiegelmock and Wbeelsoi talked about threads and lack of mutexes, but 
as Brendan points out this is cargo-cult knowledge about JS. There's 
definitely the potential for vulnerabilities in the Mozilla JS engine, 
mainly because it violates run-to-completion. This has the potential to 
screw with op-codes in the VM when reentrant timers do not defer when a 
modal dialog is running.

I originally posted about the presentation at 
http://blogs.securiteam.com/index.php/archives/657 where I highlighted 
the last few security-related changes (including one in native 
iterators), but these were only related by extension since reentrant 
exploits can circument the context checks. Chrome: is not buggy per se, 
it's just inherently prone to context switches since there's only one 
running instance of each parser (html, js, etc) in the same process for 
both secure and insecure content.

Spiegelmock is definitely backpedalling with his updated statement, but 
then again, it's hard to tell from the video presentation how much is 
truth and how much is fiction (should I upload it somewhere?). They're 
both hanging out on irc.bantown.com/#bantown (immunitysec.hub).

Thor


Dave Aitel wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Didn't you post on your weblog some stuff about Chrome: being buggy?
> It's completely believable to have a chrome: context issue in Firefox.
> I recall you said something about iterators, but I don't have a
> Mozilla developer account so I can't look at the diff.
>
> Are the slides/full PoC available publicly?
> - -dave
>
> Thor Larholm wrote:
>  
>
> > Their PoC, both the one in their slides and the full PoC, is
> > nothing more than an out-of-memory crash, of which Firefox already
> > has plenty. They were still struggling to write a working exploit
> > days after the presentation, even though they claimed to have just
> > that during the presentation.
> >
> > Long story short, the bug is just a bug - not a vulnerability.
> >
> >
> > Regards Thor Larholm
> >
> >
> > Dave Aitel wrote:
> >
> > For those of you under a rock, there's a new firefox bug:
> > http://developer.mozilla.org/devnews/
> >
> > I read somewhere that the PoC was posted to the web, but I can't
> > find it anywhere.
> >
> > For those of you who watched the HP testemony on cspan.org, you may
> > have noticed that ReadNotify was used in a prior DD posting. DD
> > goes out to maybe 2500 people last time I checked...and I got under
> > a hundred readnotify responses. This corresponds with my last use
> > of web bugs against someone trying to blackmail one of my clients.
> > It just didn't work. This was the one big tool in the FBI/NYPD's
> > toolbox, and it's been broken during the fight against spammers. We
> > had to do a statistical analysis of all the web page accesses to
> > get close.
> >
> > Anyways, our congresscritters think that SPYWARE==WEB BUG. And it's
> > not true. Someone needs to call them and explain it slowly.
> >
> > -dave
> >    
> _______________________________________________
> Dailydave mailing list
> Dailydave () lists immunitysec com
> http://lists.immunitysec.com/mailman/listinfo/dailydave
>
>  
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2.1 (Cygwin)
>
> iD8DBQFFIphktehAhL0gheoRAnmaAJ9GrDismomXZ2IGvrhZ3mHSNuAbuACffNDP
> Pun6oHU9M1csKuJwcJs2EAM=
> =fVut
> -----END PGP SIGNATURE-----
>
>  

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave