Full Disclosure mailing list archives
RE: Firefox 0.92 DoS via TinyBMP
From: jhaunsystem <jhaunsystem () yahoo com>
Date: Mon, 12 Jul 2004 22:09:21 -0700 (PDT)
I tested it out on 2 platforms. On Mozilla 1.7 && win2k I get the same results as your description. However on Freebsd_4.10 && Mozilla 1.7, Mozilla just crashes with little or no tax on the system.
-----Original Message-----
From: full-disclosure-admin () lists netsys com [mailto:full-disclosure-admin () lists netsys com] On Behalf Of st3ng4h
Sent: Tuesday, July 13, 2004 2:23 AM
To: Ali Campbell
Cc: full-disclosure () lists netsys com; the_invincible () gmx de
Subject: Re: [Full-disclosure] Firefox 0.92 DoS via TinyBMP

On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali Campbell wrote:
> I agree when you say that it's probably a flaw in the BMP lib implementation. But as I've pointed out once already, Windows isn't the only afflicted platform:
> [snip]

You're correct, and I'm glad you did point this out, because it may potentially affect many such implementations.

The April bugtraq advisory that I provided the URL for earlier (and again [1]) says:

"When a BMP file loaded into the Internet Explorer (for example 'IMG' tag) the internet explorer check the BMP image size written in BMP file, and then allocate the necessary memory to itself for placing bmp image into the memory."

Also see MSDN's explanation of bitmap file structure [2] for more details.

AFAICT, any program/library that allocates bfSize (in BITMAPFILEHEADER) bytes of memory, without verifying that this resembles the actual size of the bitmap file, will likely suffer from this problem in some form or another. Why this was not figured out in the original advisory or this one is beyond me; I have approximately zero experience as a bug-hunter and am mostly ignorant of Windows internals.

What's more annoying is that the OP apparently just ripped off the PoC from the original (incorrect) IE advisory, did not credit the finder, and published it as a Firefox vulnerability.

st3ng4h

[1] http://www.securityfocus.com/archive/1/360166
[2] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps_62uq.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
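The check st3ng4h describes, shown as an added example that is not from this thread or from any of the browsers discussed: read bfSize from the 14-byte BITMAPFILEHEADER and refuse to allocate unless it is consistent with the bytes actually received. The header layout follows the MSDN description cited above; the sample header bytes, and the function names, are constructed here for illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdlib.h>

/* BITMAPFILEHEADER: 'BM' (2 bytes), bfSize (4, little-endian),
   bfReserved1/2 (2+2), bfOffBits (4). 14 bytes in total. */
#define BMP_FILEHEADER_SIZE 14

static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Return the bfSize field, or 0 if the buffer is too short / not 'BM'. */
uint32_t bmp_bfsize(const uint8_t *buf, size_t len) {
    if (len < BMP_FILEHEADER_SIZE || buf[0] != 'B' || buf[1] != 'M') return 0;
    return rd32le(buf + 2);
}

/* The pattern the thread blames: trust bfSize and allocate that much.
   A 14-byte file claiming bfSize = 0xFFFFFFFF asks for ~4 GiB here. */
void *bmp_alloc_unchecked(const uint8_t *buf, size_t len) {
    uint32_t size = bmp_bfsize(buf, len);
    return size ? malloc(size) : NULL;
}

/* Hardened variant: accept bfSize only if it covers the header and does
   not exceed the number of bytes we actually hold. Returns 1 if accepted. */
int bmp_check_bfsize(const uint8_t *buf, size_t len) {
    uint32_t size = bmp_bfsize(buf, len);
    if (size < BMP_FILEHEADER_SIZE) return 0;   /* absent, bad magic, or too small */
    if ((size_t)size > len) return 0;           /* claims more data than received */
    return 1;
}

/* Constructed sample: a bare 14-byte file header whose bfSize is `claimed`.
   Returns the number of bytes written. */
size_t make_header(uint8_t out[BMP_FILEHEADER_SIZE], uint32_t claimed) {
    memset(out, 0, BMP_FILEHEADER_SIZE);
    out[0] = 'B'; out[1] = 'M';
    out[2] = (uint8_t)claimed;         out[3] = (uint8_t)(claimed >> 8);
    out[4] = (uint8_t)(claimed >> 16); out[5] = (uint8_t)(claimed >> 24);
    out[10] = BMP_FILEHEADER_SIZE;     /* bfOffBits: pixels follow the header */
    return BMP_FILEHEADER_SIZE;
}
```

A loader that also parses BITMAPINFOHEADER should apply the same rule to the dimensions it derives from biWidth, biHeight and biBitCount before sizing a pixel buffer.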