Firefox 1.5.0.2 Remote Code execution and DoS

Discussion of bugs in Mozilla Firefox
splices
Posts: 4
Joined: April 23rd, 2006, 6:21 pm
Location: efnet

Firefox 1.5.0.2 Remote Code execution and DoS

Post by splices »

---------------------------------------------------
Software:
Firefox Web Browser
Tested:
Linux, Windows clients' version 1.5.0.2
Result:
Firefox Remote Code Execution and Denial of Service
Problem:
A handling issue exists in how Firefox handles certain JavaScript in js320.dll and xpcom_core.dll
regarding iframe.contentWindow.focus(). By manipulating this feature a buffer overflow will occur.
Proof of Concept:
http://www.securident.com/vuln/ff.txt
Credits:
splices(splices [dot] org)
spiffomatic64(spiffomatic64 [dot] com)
Securident Technologies (securident [dot] com)
------------------------------------------------
mw22
Posts: 2379
Joined: November 19th, 2002, 5:37 pm

Post by mw22 »

splices, did you file this bug in bugzilla?

edit:
Oh wait, this is more or less https://bugzilla.mozilla.org/show_bug.cgi?id=334515 , I think.
splices
Posts: 4
Joined: April 23rd, 2006, 6:21 pm
Location: efnet

Post by splices »

Close, except the EIP can be overwritten on a box and code executed. I cannot fathom why it wasn't fixed.
danv
Posts: 6
Joined: January 19th, 2005, 2:38 pm
Location: Santa Cruz, California

Vendor notified where?

Post by danv »

"Vendor notified"? (from the vuln page). This is a fan site, did you actually send this to anyone at the Mozilla Foundation? (e.g. security@mozilla.org, bugzilla bug filed with the "this is a security bug" checkbox checked, etc.)
Oscar the Prophet
Posts: 788
Joined: March 12th, 2005, 2:05 pm

Post by Oscar the Prophet »

Now here is something you don't see every day. Vuln researchers who use flash and loud background music on their website.

www.securident.com
"Life is a struggle, not against sin, not against the Money Power, not against malicious animal magnetism, but against hydrogen ions."
- HL MENCKEN
trolly
Moderator
Posts: 39851
Joined: August 22nd, 2005, 7:25 am

Post by trolly »

Tested and checked callstack. This looks very like https://bugzilla.mozilla.org/show_bug.cgi?id=334515
This bug was opened on 18-04 so it is approx one week old.
Weatherlawyer
Posts: 175
Joined: February 5th, 2004, 8:46 am

Post by Weatherlawyer »

Oscar the Prophet wrote: Now here is something you don't see every day. Vuln researchers who use flash and loud background music on their website.

I wonder why it's called securident. I knocked it on the head after clicking to get rid of the intro and waiting enough time for any reasonable site to open no matter how secure.
snorik
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Question about the Security Advisory for this

Post by snorik »

http://www.mozilla.org/security/announc ... 06-30.html says:

"Older clients, including Firefox 1.0.x and the Mozilla Suite 1.7.x, are not affected."

I just tried out the demonstration on

http://browserfun.blogspot.com/2006/07/ ... nmode.html

and it crashes the Mozilla Suite.

System Information:

Win 2000
Mozilla 1.7.12
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915

So, it seems as if the Security Advisory is not correct. What do I do with that information now?
May the fox set the world on fire.
trolly
Moderator
Posts: 39851
Joined: August 22nd, 2005, 7:25 am

Post by trolly »

You could write to the publisher that you think that older versions are also affected.
Think for yourself. Otherwise you have to believe what other people tell you.
A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
Constitution says: One man, one vote. Supreme court says: One dollar, one vote.
snorik
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Post by snorik »

That is my problem: To whom? Who is responsible for that stuff? I can hardly pester the dev people from Bugzilla with that at least for my system, the advice is incorrect now, can't I?

Hm, I take it security@... could be the right address. Oh well, let's try...
trolly
Moderator
Posts: 39851
Joined: August 22nd, 2005, 7:25 am

Post by trolly »

http://www.metasploit.com/
Copyright © 2003-2006 Metasploit LLC
Metasploit ™ is a registered trademark
Contact us at msfdev[at]metasploit.com
snorik
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Post by snorik »

ah, okay - thanks for that.
DRTProxy
Posts: 6
Joined: July 31st, 2006, 2:33 pm

Post by DRTProxy »

Has this been resolved yet? I notice the time between the original post and the most recent spans a while.
fr3d
Posts: 1
Joined: July 31st, 2006, 2:53 pm

Post by fr3d »

I would also like to know if this is resolved as well
snorik
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Post by snorik »
