Firefox 1.5.0.2 Remote Code execution and DoS
16 posts • Page 1 of 2 • 1, 2
April 23rd, 2006, 6:23 pm
---------------------------------------------------
Software: Firefox Web Browser
Tested: Linux, Windows clients' version 1.5.0.2
Result: Firefox Remote Code Execution and Denial of Service
Problem: A handling issue exists in how Firefox handles certain JavaScript in js320.dll and xpcom_core.dll regarding iframe.contentWindow.focus(). By manipulating this feature a buffer overflow will occur.
Proof of Concept: http://www.securident.com/vuln/ff.txt
Credits: splices(splices [dot] org) spiffomatic64(spiffomatic64 [dot] com) Securident Technologies (securident [dot] com)
------------------------------------------------
April 23rd, 2006, 6:35 pm
splices, did you file this bug in bugzilla?
edit: Oh wait, this is more or less https://bugzilla.mozilla.org/show_bug.cgi?id=334515 , I think.
April 23rd, 2006, 6:41 pm
Close, except the EIP can be overwritten on a box and code executed. I cannot fathom why it wasn't fixed.
April 23rd, 2006, 10:35 pm
"Vendor notified"? (from the vuln page). This is a fan site, did you actually send this to anyone at the Mozilla Foundation? (e.g. security@mozilla.org, bugzilla bug filed with the "this is a security bug" checkbox checked, etc)
April 24th, 2006, 11:48 am
Now here is something you don't see every day. Vuln researchers who use flash and loud background music on their website.
www.securident.com
"Life is a struggle, not against sin, not against the Money Power, not against malicious animal magnetism, but against hydrogen ions."
- HL MENCKEN
April 24th, 2006, 12:34 pm
Tested and checked callstack. This looks very like https://bugzilla.mozilla.org/show_bug.cgi?id=334515
This bug was opened on 18-04 so it is approx one week old.
May 4th, 2006, 2:27 am
I wonder why it's called securident. I knocked it on the head after clicking to get rid of the intro and waiting enough time for any reasonable site to open no matter how secure.
July 29th, 2006, 4:56 pm
http://www.mozilla.org/security/announc ... 06-30.html says:
"Older clients, including Firefox 1.0.x and the Mozilla Suite 1.7.x, are not affected."
I just tried out the demonstration on http://browserfun.blogspot.com/2006/07/ ... nmode.html and it crashes the Mozilla Suite.
System Information:
Win 2000
Mozilla 1.7.12
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915
So, it seems as if the Security Advisory is not correct. What do I do with that information now?
May the fox set the world on fire.
July 30th, 2006, 4:11 am
You could write to the publisher that you think that older versions are also affected.
Think for yourself.
Otherwise you have to believe what other people tell you.
July 30th, 2006, 4:20 am
That is my problem: To whom? Who is responsible for that stuff? I can hardly pester the dev people from Bugzilla with that at least for my system, the advice is incorrect now, can't I?
Hm, I take it security@... could be the right address. Oh well, let's try...
May the fox set the world on fire.
July 30th, 2006, 5:45 am
http://www.metasploit.com/
Think for yourself.
Otherwise you have to believe what other people tell you.
July 30th, 2006, 6:06 am
ah, okay - thanks for that.
May the fox set the world on fire.
July 31st, 2006, 2:41 pm
Has this been resolved yet? I notice the time between the original post and the most recent spans a while.
July 31st, 2006, 2:55 pm
I would also like to know if this is resolved as well.
August 3rd, 2006, 4:26 pm
http://www.mozilla.org/security/announc ... 06-30.html has been updated accordingly.
May the fox set the world on fire.