[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040713050921.27251.qmail@web10707.mail.yahoo.com>
From: jhaunsystem at yahoo.com (jhaunsystem)
Subject: Firefox 0.92 DoS via TinyBMP
I tested it out on 2 platforms. On Mozilla 1.7 &&
win2k I get the same results as your description.
However on Freebsd_4.10 && Mozilla 1.7, Mozilla just
crashes with little or no tax on the system.
> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On
> Behalf Of st3ng4h
> Sent: Tuesday, July 13, 2004 2:23 AM
> To: Ali Campbell
> Cc: full-disclosure@...ts.netsys.com;
> the_invincible@....de
> Subject: Re: [Full-Disclosure] Firefox 0.92 DoS via
> TinyBMP
>
> On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali
> Campbell wrote:
> > I agree when you say that it's probably a flaw in
> the BMP lib
> > implementation. But as I've pointed out once
> already, Windows isn't
> > the only afflicted platform:
> [snip]
>
> You're correct, and I'm glad you did point this out,
> because it may
> potentially affect many such implementations.
>
> The April bugtraq advisory that I provided URL for
> earlier (and again [1])
> says:
>
> "When a BMP file loaded into the Internet Explorer
> (for exmaple 'IMG' tag)
> the internet explorer check the BMP image size
> written in BMP file, and then
> allocate the necessary memory to itself for placing
> bmp image into the
> memory."
>
> Also see MSDN's explanation of bitmap file structure
> [2] for more details.
>
> AFAICT, any program/library that allocates bfSize
> (in
> BITMAPFILEHEADER) bytes of memory, without verifying
> that this resembles the
> actual size of the bitmap file, will likely suffer
> from this problem in some
> form or another.
>
> Why this was not figured out in the original
> advisory or this one is beyond
> me; I have approximately zero experience as a
> bug-hunter and am mostly
> ignorant to Windows internals.
>
> What's more annoying is that the OP apparently just
> ripped off the PoC from
> the original (incorrect) IE advisory, did not credit
> the finder, and
> published it as a Firefox vulnerability.
>
> st3ng4h
>
> [1] http://www.securityfocus.com/archive/1/360166
>
> [2]
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps
> _62uq.asp
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
>
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail
Powered by blists - more mailing lists