| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
From: jhaunsystem at yahoo.com (jhaunsystem) Subject: Firefox 0.92 DoS via TinyBMP I tested it out on 2 platforms. On Mozilla 1.7 && win2k I get the same results as your description. However on Freebsd_4.10 && Mozilla 1.7, Mozilla just crashes with little or no tax on the system. > -----Original Message----- > From: full-disclosure-admin@...ts.netsys.com > [mailto:full-disclosure-admin@...ts.netsys.com] On > Behalf Of st3ng4h > Sent: Tuesday, July 13, 2004 2:23 AM > To: Ali Campbell > Cc: full-disclosure@...ts.netsys.com; > the_invincible@....de > Subject: Re: [Full-Disclosure] Firefox 0.92 DoS via > TinyBMP > > On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali > Campbell wrote: > > I agree when you say that it's probably a flaw in > the BMP lib > > implementation. But as I've pointed out once > already, Windows isn't > > the only afflicted platform: > [snip] > > You're correct, and I'm glad you did point this out, > because it may > potentially affect many such implementations. > > The April bugtraq advisory that I provided URL for > earlier (and again [1]) > says: > > "When a BMP file loaded into the Internet Explorer > (for exmaple 'IMG' tag) > the internet explorer check the BMP image size > written in BMP file, and then > allocate the necessary memory to itself for placing > bmp image into the > memory." > > Also see MSDN's explanation of bitmap file structure > [2] for more details. > > AFAICT, any program/library that allocates bfSize > (in > BITMAPFILEHEADER) bytes of memory, without verifying > that this resembles the > actual size of the bitmap file, will likely suffer > from this problem in some > form or another. > > Why this was not figured out in the original > advisory or this one is beyond > me; I have approximately zero experience as a > bug-hunter and am mostly > ignorant to Windows internals. > > What's more annoying is that the OP apparently just > ripped off the PoC from > the original (incorrect) IE advisory, did not credit > the finder, and > published it as a Firefox vulnerability. > > st3ng4h > > [1] http://www.securityfocus.com/archive/1/360166 > > [2] > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps > _62uq.asp > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.netsys.com/full-disclosure-charter.html > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > http://lists.netsys.com/full-disclosure-charter.html > __________________________________ Do you Yahoo!? Yahoo! Mail Address AutoComplete - You start. We finish. http://promotions.yahoo.com/new_mail
Powered by blists - more mailing lists