Message-ID: <37627.66.58.158.195.1055133633.squirrel@www.nothotmail.org>
Date: Sun, 8 Jun 2003 21:40:33 -0700 (PDT)
From: "meme-boi" <meme-boi@...hotmail.org>
To: <full-disclosure@...ts.netsys.com>, <bugtraq@...urityfocus.com>
Subject: Re: Cross-Platform Browser vulnerabilities - Critical
-Dan Veditz, Mozilla security group member, wrote:
>The exploit example you give is not remote command execution but rather a
>violation of the same origin policy.
First off, the example bug I demonstrated:
http://meme-boi.netfirms.com/werd.html
while, true, it doesn't show remote class loading, is not fixed in 1.4.
I haven't tested 1.3, but I assure you there are serious issues, and the
bug is different, but I'll let you figure that out.
-Dan Veditz wrote:
>Unless there are additional details you are withholding this same flaw
>was reported on Bugtraq April 15
Here is some select gdb output from an attached session while
viewing and executing specially crafted *priva8* (meaning no soup for you)
meme156 code from a remote server:
<snip>
[New Thread 1106058544 (LWP 15390)]
[New Thread 1122508080 (LWP 15391)]
[New Thread 1131003184 (LWP 15392)]
[New Thread 1139535152 (LWP 15393)]
[New Thread 1147927856 (LWP 15394)]
[New Thread 1156320560 (LWP 15395)]
[Thread 1156320560 (LWP 15395) exited]
[Thread 1139535152 (LWP 15393) exited]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1077855392 (LWP 15388)]
0x4003b9dd in JS_CompileUCFunctionForPrincipals () from /usr/lib/libmozjs.so
(gdb) backtrace
#0 0x4003b9dd in JS_CompileUCFunctionForPrincipals ()
from /usr/lib/libmozjs.so
#1 0x424bf3d6 in NSGetModule ()
from /usr/local/mozilla/components/libjsdom.so
#2 0x40d2b203 in NSGetModule ()
from /usr/local/mozilla/components/libgklayout.so
#3 0x40b52252 in NSGetModule ()
from /usr/local/mozilla/components/libgklayout.so
#4 0x40b52525 in NSGetModule ()
//noop begins here on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4)
0xbfffe644: 0x00001000 0x00000011 0x00000064 0x00000003
0xbfffe654: 0x08048034 0x00000004 0x00000020 0x00000005
0xbfffe664: 0x00000006 0x00000007 0x40000000 0x00000008
---Type <return> to continue, or q <return> to quit---
0xbfffe674: 0x00000000 0x00000009 0x08056e20 0x0000000b
0xbfffe684: 0x000001f4 0x0000000c 0x000001f4 0x0000000d
0xbfffe694: 0x00000000 0x0000000e 0x00000000 0x0000000f
0xbfffe6a4: 0xbffffbb4 0x00000000 0x00000000 0x00000000
0xbfffe6b4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe6c4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe6d4: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfffe6e4: 0x00000000 0x00000000 0x00000000 0x00000000
</snip>
For authentication purposes, and as further proof of concept that someone(s)
dropped the ball and opened up old and new cans of worms, I provide silly
denial of service code that should work on mo, opera and netscape:
http://meme-boi.netfirms.com/modos.html
(this won't work on 2.1.4-based browsers)
-Dan Veditz wrote:
>If instead you'd like to give the whitehats time to fix them details would
>be gratefully received by "security" at "mozilla.org"
I thank you for the invitation, but I am a wal-mart janitor and I don't
have much time for finding bugs, so I am saving more interesting methods of
bug harnessing for stalking clearchannel communications employees and
making them pay for forcing the world to listen to justin timberlake.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html