lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <37627.66.58.158.195.1055133633.squirrel@www.nothotmail.org>
Date: Sun, 8 Jun 2003 21:40:33 -0700 (PDT)
From: "meme-boi" <meme-boi@...hotmail.org>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Subject: Re: Cross-Platform Browser vulnerabilities - Critical


-Dan Veditz Mozilla security group member wrote :

>The exploit example you give is not remote command execution but rather a
>violation of the same origin policy.

First off, the example bug I demonstrated:

http://meme-boi.netfirms.com/werd.html

while true it doesn't show remote class loading , is not fixed in 1.4.

I haven't tested 1.3 but I assure you there are serious issues , and the
bug is different , but I'll let you figure that out.


-Dan Veditz  wrote :

>Unless there are additional details you are withholding this same flaw
>was >reported on Bugtraq April 15



Here is some select gdb output from an attached session while
viewing, and executing specially crafted *priva8* ( meaning no soup for you)
meme156 code from remote server:

<snip>

[New Thread 1106058544 (LWP 15390)]
[New Thread 1122508080 (LWP 15391)]
[New Thread 1131003184 (LWP 15392)]
[New Thread 1139535152 (LWP 15393)]
[New Thread 1147927856 (LWP 15394)]
[New Thread 1156320560 (LWP 15395)]
[Thread 1156320560 (LWP 15395) exited]
[Thread 1139535152 (LWP 15393) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1077855392 (LWP 15388)]
0x4003b9dd in JS_CompileUCFunctionForPrincipals () from /usr/lib/libmozjs.so


(gdb) backtrace
#0  0x4003b9dd in JS_CompileUCFunctionForPrincipals ()
   from /usr/lib/libmozjs.so
#1  0x424bf3d6 in NSGetModule () from
/usr/local/mozilla/components/libjsdom.so#2  0x40d2b203 in NSGetModule ()
   from /usr/local/mozilla/components/libgklayout.so
#3  0x40b52252 in NSGetModule ()
   from /usr/local/mozilla/components/libgklayout.so
#4  0x40b52525 in NSGetModule ()


//noop begins here on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4)

0xbfffe644:     0x00001000      0x00000011      0x00000064      0x00000003
0xbfffe654:     0x08048034      0x00000004      0x00000020      0x00000005
0xbfffe664:     0x00000006      0x00000007      0x40000000      0x00000008
---Type <return> to continue, or q <return> to quit---
0xbfffe674:     0x00000000      0x00000009      0x08056e20      0x0000000b
0xbfffe684:     0x000001f4      0x0000000c      0x000001f4      0x0000000d
0xbfffe694:     0x00000000      0x0000000e      0x00000000      0x0000000f
0xbfffe6a4:     0xbffffbb4      0x00000000      0x00000000      0x00000000
0xbfffe6b4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffe6c4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffe6d4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffe6e4:     0x00000000      0x00000000      0x00000000      0x00000000

</snip>

For authentication purposes and further proof of concept that someone(s)
dropped the ball and opened up old and new cans of worms I provide silly
denial of service code that should work on mo , opera and netscape:
http://meme-boi.netfirms.com/modos.html

( this won't work on 2.1.4 based browsers )


-Dan Veditz wrote :

>If instead you'd like to give the whitehats time to fix them details would
>be gratefully received by "security" at "mozilla.org"


I thank you for the invitation , but I am a wal-mart janitor and I don't
have much time for finding bugs so I am saving more interesting methods of
bug harnessing for stalking clearchannel communications employees and
making them pay for forcing the world to listen to justin timberlake.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ