Closed Bug 355569 Opened 18 years ago Closed 18 years ago

XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
critical

Tracking

VERIFIED FIXED

People

(Reporter: sync2d, Unassigned)

References

Details

(Keywords: crash, verified1.8.0.8, verified1.8.1, Whiteboard: [sg:critical] fixed by 355478)

Attachments

(2 files)

I had a proof-of-concept exploit for this vulnerability a month ago,
but it was lost due to an HDD crash. Bug 355478 has reminded me of it.

TB22649748Q
Attached file testcase
Salvaged proof-of-concept exploit. Works on:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre)
  Gecko/20061005 Firefox/1.5.0.8pre
TB24181017Q

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20061005 BonEcho/2.0
TB24181079Q

FIREFOX caused an exception 03H in
module unknown at 0000:12030108
Registers:
EAX=deadfeed CS=015f EIP=12030108 EFLGS=00000206
EBX=deadfeed SS=0167 ESP=00d8ec00 EBP=00d8ec20
ECX=deadfeed DS=0167 ESI=1203008c FS=1987
EDX=deadfeed ES=0167 EDI=12030084 GS=0000
Bytes at CS:EIP:
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
Stack dump:
6013c26d 02adfc00 12030084 00000003 12030084 00000000 02adfc00 1203008c
00d8ec5c 60113000 02adfc00 12030084 00000003 00d8eca8 12030010 00d8ecc0
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Marking this bug blocking; patch is in bug 355478.

/be
Flags: blocking1.8.1?
Whiteboard: [sg:critical]
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Cover bug is fixed on the 1.8 branch.

/be
Status: NEW → RESOLVED
Closed: 18 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Couldn't reproduce the crash, so verification will not have much meaning. shutdown, can you please test in trunk and 1.8 and mark verified? Thanks.
Flags: in-testsuite+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.8+
No crash with 20061009 1.8 windows/linux/mac* 1.9 windows/linux on e4x/Regress/regress-355569.js, but since I couldn't initially reproduce, I am not verifying.
Whiteboard: [sg:critical] → [sg:critical] fixed by 355478
Bug 355478 has been checked into the 1.8.0 branch.
Keywords: fixed1.8.0.8
20061016 trunk/1.8/1.8.0: verifying with shorter testcase.
javascript: <x/>.function::hasOwnProperty.call(new Number(0x50505050>>1));
Status: RESOLVED → VERIFIED
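The short testcase above calls the XML hasOwnProperty native with a Number object as `this`. The native assumes its receiver is an XML object and reads the object's private payload as an XML node, so the numeric value supplied by the script decides which address gets dereferenced; the Talkback dump (EIP sitting in a run of 0x90 bytes, registers holding 0xdeadfeed) shows that with a heap spray this becomes control of execution. The following C model is an added illustration of that bug class and its fix, not SpiderMonkey source and not the patch from bug 355478. It assumes a toy object layout (class pointer plus one private word), assumes the Number's value is boxed as `(i << 1) | 1` the way old SpiderMonkey tagged small integers, and replaces the raw dereference with a tiny fake memory map so the confused read is recorded instead of crashing the process.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of the bug class, not SpiderMonkey source.  Every object
 * carries a class pointer and one private word; that word is an XML node
 * pointer only when the class is XML.  For a Number object the model stores
 * the boxed value as (i << 1) | 1, an assumption made for the illustration. */
typedef struct ClassModel { const char *name; } ClassModel;
typedef struct ObjModel   { const ClassModel *clasp; uintptr_t priv; } ObjModel;

static const ClassModel xml_class    = { "XML" };
static const ClassModel number_class = { "Number" };

typedef struct XMLNode { uintptr_t nprops; const char *props[2]; } XMLNode;

#define INT_TO_JSVAL(i) ((((uintptr_t)(i)) << 1) | 1u)

/* Tiny memory map standing in for the address space: the real engine
 * dereferences priv directly and crashes; the model records the address. */
#define MAX_MAPPED 4
static const XMLNode *mapped[MAX_MAPPED];
static int nmapped;
static uintptr_t last_fault;

static void map_node(const XMLNode *n) {
    for (int i = 0; i < nmapped; i++)
        if (mapped[i] == n) return;
    if (nmapped < MAX_MAPPED) mapped[nmapped++] = n;
}

static const XMLNode *deref_node(uintptr_t addr) {
    for (int i = 0; i < nmapped; i++)
        if ((uintptr_t)mapped[i] == addr) return mapped[i];
    last_fault = addr;          /* unmapped: the engine would fault here */
    return NULL;
}

enum { HOP_FALSE = 0, HOP_TRUE = 1, HOP_TYPE_ERROR = 2, HOP_FAULT = 3 };

/* Vulnerable shape: `this` is assumed to be XML, so priv is used as a node
 * pointer no matter what object the caller passed in. */
static int xml_hasOwnProperty_vuln(const ObjModel *self, const char *name) {
    const XMLNode *node = deref_node(self->priv);
    if (!node) return HOP_FAULT;
    for (uintptr_t i = 0; i < node->nprops; i++)
        if (strcmp(node->props[i], name) == 0) return HOP_TRUE;
    return HOP_FALSE;
}

/* Hardened shape: validate the receiver's class before touching priv; a real
 * engine throws a TypeError here instead of dereferencing. */
static int xml_hasOwnProperty_fixed(const ObjModel *self, const char *name) {
    if (self->clasp != &xml_class) return HOP_TYPE_ERROR;
    return xml_hasOwnProperty_vuln(self, name);
}

/* Receiver from the page's short testcase: new Number(0x50505050 >> 1). */
static ObjModel attacker_receiver(void) {
    ObjModel num = { &number_class, INT_TO_JSVAL(0x50505050 >> 1) };
    return num;
}

/* Address the vulnerable native tries to read for that receiver (0 = no fault). */
static uintptr_t vuln_fault_address(void) {
    ObjModel num = attacker_receiver();
    last_fault = 0;
    return xml_hasOwnProperty_vuln(&num, "toString") == HOP_FAULT ? last_fault : 0;
}

static int fixed_result_for_number(void) {
    ObjModel num = attacker_receiver();
    return xml_hasOwnProperty_fixed(&num, "toString");
}

/* A genuine XML receiver still works through the hardened path. */
static int fixed_result_for_xml(const char *name) {
    static const XMLNode node = { 1, { "name", NULL } };
    ObjModel x = { &xml_class, (uintptr_t)&node };
    map_node(&node);
    return xml_hasOwnProperty_fixed(&x, name);
}

int main(void) {
    printf("vulnerable native reads 0x%lx, derived from the Number value\n",
           (unsigned long)vuln_fault_address());
    printf("fixed native on Number receiver -> %d (TypeError)\n",
           fixed_result_for_number());
    printf("fixed native on XML receiver -> %d / %d\n",
           fixed_result_for_xml("name"), fixed_result_for_xml("missing"));
    return 0;
}
```

The value in `vuln_fault_address` is exactly the script's integer shifted and tagged, which is the point: whoever picks the Number picks the address, and the class check in `xml_hasOwnProperty_fixed` is the only thing standing between a script and that read.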
Not applicable to the aviary/moz1.7 branch
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
This has been assigned CVE-2006-5747
Summary: XML.prototype.hasOwnProperty is exploitable → XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)
Flags: blocking1.8.1.1?
Group: core-security
/cvsroot/mozilla/js/tests/e4x/Regress/regress-355569.js,v  <--  regress-355569.js
initial revision: 1.1
Flags: in-litmus-