lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Thu, 10 Jul 2014 13:50:52 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: Nick Boyce <nick.boyce@...il.com>
Cc: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: Re: [FD] FireFox: Lab Mouse Security: Remote Code Execution via
 Browser (LZO)

Are we sure it isn't a plugin like mplayer or something that is popping the
shell, and not FF itself?


On Thu, Jul 10, 2014 at 11:20 AM, Nick Boyce <nick.boyce@...il.com> wrote:

> On 9 July 2014 18:50, Lee <curtlee2002@...il.com> wrote:
>
> > I know nothing about this, but some friends kept posting a link to this
> > video.  I saw nothing about this in the mailing list, so I thought I
> would
> > post it to see if others have more info.
> > https://www.youtube.com/watch?v=BcCDETzk4zc
>
> Well the video is allegedly uploaded by Don Bailey, who is the person
> who did the LZO/LZ4 bug research that was recently responsibly
> reported on the OSS list(s).  And I did notice at the time that one of
> the postings [1] in the ensuing discussion, from Yves-Alexis Perez,
> gave a list of potentially affected open-source software which had
> been identified by a source-code-scanning service.  That list included
> Firefox ... and since then I've been holding my breath waiting for the
> other shoe to drop.
>
> Maybe this is that other shoe.
>
> I know nothing about the Firefox source-code, or where exactly the
> vulnerable use of LZO/LZ4 might be.
>
> But it's odd that there hasn't been a peep out of Mozilla (e.g. no
> emergency release announced for ESR or any other channel), despite the
> vulnerability having been disclosed responsibly on private vendor
> mailing lists, with a patch available, and plenty of time to
> coordinate binary releases.
>
> Hey - maybe the bug is real, but the Youtube clip was uploaded by a
> Bad Guy pretending to be Don, and all those of us (367 at time of
> writing) who viewed the clip are now pwned :-)
>
> Dammit - if only we'd all signed up for keybase.io's weirdo
> GPG-key-identifying service [2] then we could all have known whether
> Youtube Don is really LZO Don ...
>
> Exciting times.
>
> [1] http://seclists.org/oss-sec/2014/q2/676
> [2] http://seclists.org/fulldisclosure/2014/Jun/102
>
> Cheers
> Nick
> --
> Blessed are the peacemakers...for they shall be shot at from both sides.
>  ~~ A.M. Greeley
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> http://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
>



-- 
http://volatile-minds.blogspot.com -- blog
http://www.volatileminds.net -- website

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists