lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <8beca820508040810197b89e4@mail.gmail.com>
Date: Thu Aug  4 16:10:37 2005
From: avivra at gmail.com (Aviv Raff)
Subject: Mozilla Firefox InstallVersion->compareTo()
	vulnerability lowered severity status

Hi,

After more than 2 weeks of no response from the Mozilla Foundation (
https://bugzilla.mozilla.org/show_bug.cgi?id=295854), I've decided to 
disclose the following information:
Version 1.0.5 of Firefox has fixed a vulnerability in the 
InstallVersion->compareTo() function that could potentially allow remote 
code execution.
The Mozilla team have decided to set the severity status of the 
vulnerability to 'Moderate', instead of a higher severity status, claiming 
an exploitation of this vulnerability requires a predictable address, which 
means it's almost impossible to exploit.
This is partly true. A script can be easily built to significantly increase 
the possibility of a successful exploitation.
An attacker can use Skylined's Heap spraying method (used in "Internet 
Exploiter" - 
http://www.edup.tudelft.nl/~bjwever/advisory_msie_R6025.html.php), to fill 
the heap with fake data and vtbl structures that will point to the exploit 
code.
This can be done by spraying 3 heap blocks - "data" block, "vtbl" block and 
"exploit" block - instead of one, as was presented by Skylined. The "data" 
block will point to a "vtbl" location which will be exactly the eax address 
+ the heap block size. The data in the "vtbl" block will point to the 
"exploit" block which will be exactly the pointed "vtbl" address + the heap 
block size. The "exploit" block, of-course, will have the exploit code, 
padded with nops.
This will boost the possibility that the eax address, specified by the 
attacker, will fall into the faked "data" block. Other methods can be 
applied to increase the risk even more.
Therefore, my suggestion to the Mozilla Foundation is to raise the severity 
status of the vulnerability to 'High' or 'Critical'.

Best regards,
Aviv Raff.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050804/265b048f/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ