MozillaZine

Firefox 1.5.0.2 Remote Code execution and DoS

Discussion of bugs in Mozilla Firefox
splices
 
Posts: 4
Joined: April 23rd, 2006, 6:21 pm
Location: efnet

Posted April 23rd, 2006, 6:23 pm

---------------------------------------------------
Software:
Firefox Web Browser
Tested:
Linux, Windows clients' version 1.5.0.2
Result:
Firefox Remote Code Execution and Denial of Service
Problem:
A handling issue exists in how Firefox handles certain JavaScript in js320.dll and xpcom_core.dll
regarding iframe.contentWindow.focus(). By manipulating this feature a buffer overflow will occur.
Proof of Concept:
http://www.securident.com/vuln/ff.txt
Credits:
splices(splices [dot] org)
spiffomatic64(spiffomatic64 [dot] com)
Securident Technologies (securident [dot] com)
------------------------------------------------

mw22
 
Posts: 2379
Joined: November 19th, 2002, 5:37 pm

Posted April 23rd, 2006, 6:35 pm

splices, did you file this bug in bugzilla?

edit:
Oh wait, this is more or less https://bugzilla.mozilla.org/show_bug.cgi?id=334515 , I think.

splices
 
Posts: 4
Joined: April 23rd, 2006, 6:21 pm
Location: efnet

Posted April 23rd, 2006, 6:41 pm

Close, except the EIP can be overwritten on a box and code executed... I cannot fathom why it wasn't fixed.

danv

 
Posts: 6
Joined: January 19th, 2005, 2:38 pm
Location: Santa Cruz, California

Posted April 23rd, 2006, 10:35 pm

"Vendor notified"? (from the vuln page). This is a fan site, did you actually send this to anyone at the Mozilla Foundation? (e.g. security@mozilla.org, bugzilla bug filed with the "this is a security bug" checkbox checked, etc)

Oscar the Prophet
 
Posts: 788
Joined: March 12th, 2005, 2:05 pm

Posted April 24th, 2006, 11:48 am

Now here is something you don't see every day. Vuln researchers who use flash and loud background music on their website.

www.securident.com
"Life is a struggle, not against sin, not against the Money Power, not against malicious animal magnetism, but against hydrogen ions."
- HL MENCKEN

trolly
Moderator

 
Posts: 39107
Joined: August 22nd, 2005, 7:25 am

Posted April 24th, 2006, 12:34 pm

Tested and checked callstack. This looks very like https://bugzilla.mozilla.org/show_bug.cgi?id=334515
This bug was opened on 18-04 so it is approx one week old.

Weatherlawyer
 
Posts: 175
Joined: February 5th, 2004, 8:46 am

Posted May 4th, 2006, 2:27 am

Oscar the Prophet wrote: Now here is something you don't see every day. Vuln researchers who use flash and loud background music on their website.


I wonder why it's called securident. I knocked it on the head after clicking to get rid of the intro and waiting enough time for any reasonable site to open no matter how secure.

snorik
 
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Posted July 29th, 2006, 4:56 pm

http://www.mozilla.org/security/announc ... 06-30.html says:

"Older clients, including Firefox 1.0.x and the Mozilla Suite 1.7.x, are not affected."

I just tried out the demonstration on

http://browserfun.blogspot.com/2006/07/ ... nmode.html

and it crashes the Mozilla Suite.

System Information:

Win 2000
Mozilla 1.7.12
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915

So, it seems as if the Security Advisory is not correct. What do I do with that information now?
May the fox set the world on fire.

trolly
Moderator

 
Posts: 39107
Joined: August 22nd, 2005, 7:25 am

Posted July 30th, 2006, 4:11 am

You could write to the publisher that you think that older versions are also affected.
Think for yourself. Otherwise you have to believe what other people tell you.
A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
Constitution says: One man, one vote. Supreme court says: One dollar, one vote.

snorik
 
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Posted July 30th, 2006, 4:20 am

That is my problem: To whom? Who is responsible for that stuff? I can hardly pester the dev people from Bugzilla with that at least for my system, the advice is incorrect now, can't I?

Hm, I take it security@... could be the right address. Oh well, let's try...
May the fox set the world on fire.

trolly
Moderator

 
Posts: 39107
Joined: August 22nd, 2005, 7:25 am

Posted July 30th, 2006, 5:45 am

http://www.metasploit.com/
Copyright © 2003-2006 Metasploit LLC
Metasploit ™ is a registered trademark
Contact us at msfdev[at]metasploit.com
Think for yourself. Otherwise you have to believe what other people tell you.
A society based on individualism is an oxymoron. || Freedom is at first the freedom to starve.
Constitution says: One man, one vote. Supreme court says: One dollar, one vote.

snorik
 
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Posted July 30th, 2006, 6:06 am

ah, okay - thanks for that.
May the fox set the world on fire.

DRTProxy
 
Posts: 6
Joined: July 31st, 2006, 2:33 pm

Posted July 31st, 2006, 2:41 pm

Has this been resolved yet? I notice the time between the original post and the most recent spans a while.

fr3d
 
Posts: 1
Joined: July 31st, 2006, 2:53 pm

Posted July 31st, 2006, 2:55 pm

I would also like to know if this is resolved as well.

snorik
 
Posts: 4
Joined: July 29th, 2006, 4:51 pm

Posted August 3rd, 2006, 4:26 pm

May the fox set the world on fire.
