Closed Bug 1161877 Opened 11 years ago Closed 11 years ago

Firefox crashes with buffer overflow

Categories

(Firefox for Android Graveyard :: Web Apps (PWAs), defect, P3)

37 Branch
All
Android

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1042883

People

(Reporter: santiagoalopez.sl, Unassigned)

References

Details

(Whiteboard: dos)

Attachments

(2 files)

Attached file buffer.php
User Agent: Mozilla/5.0 (X11; Linux i686; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150415140819

Steps to reproduce:

I put my exploit (buffer.php) on an Apache server, then I open two windows in the browser going to the Apache location with the exploit, e.g. http://127.0.0.1/buffer.php. I execute the two requests at the same time. This makes the buffer overflow much stronger and vulnerable to the attack.

Actual results:

Firefox crashes. It sends me an error in the terminal. This is the message:

out of memory: 0x0000000002C96DCC bytes requested
ExceptionHandler::GenerateDump waitpid failed:No child processes

Expected results:

When I test with just one request in the browser it does not work, so, this should happen: Firefox needs to stop the requests and block the attack.
Severity: normal → critical
OS: Unspecified → Linux
Priority: -- → P3
Hardware: Unspecified → All
Severity: critical → major
Attachment #8601857 - Attachment mime type: application/x-php → text/x-php
Do you have a crash stack? I expect that this is an intentional abort when we run out of memory, and if that's the case this isn't a security issue that needs to remain hidden. https://developer.mozilla.org/en-US/docs/How_to_get_a_stacktrace_for_a_bug_report
Flags: needinfo?(santiagoalopez.sl)
Hi, please test the same steps in the Android application of Firefox and you will see that Firefox crashes, and it sends me to the "Send report" message.
Flags: needinfo?(santiagoalopez.sl)
OS: Linux → Android
Yes, can you please paste the crash report ID from either Linux or Android into this bug report? Preferably both, if you can reproduce it in both products.
Flags: needinfo?(santiagoalopez.sl)
OK, I was wrong on Linux; as you said to me, it was an intentional abort of the browser. But in the Android application you can see, if you test it, that it's a security issue because it sends me a report message. In summary: on Linux it doesn't work, but on Android it works.
Flags: needinfo?(santiagoalopez.sl)
Group: core-security
Component: Untriaged → Web Apps
Product: Firefox → Firefox for Android
Version: 37 Branch → Firefox 37
I updated the report to a Firefox Android application vulnerability.
Summary: Firefox crashes with buffer overflow in two windows → Firefox crashes with buffer overflow
Sorry, I didn't know what the report ID is, but I have searched for it.
Report ID: https://crash-stats.mozilla.com/report/index/bp-7625a236-b005-43f4-963d-d07852150506
It has my email.
Attached file strong_buffer.php
Hey, I have a new buffer overflow vulnerability in the Firefox web browser; it works on Windows 8. But I made it with a different exploit than the Android vulnerability; I will add it to the attachments as strong_buffer.php. You have to save it on a web server like the other vulnerability, but the difference is that you need to open two windows in the browser and execute the exploit in the windows at the same time. Then you will see the "Send report" message.

So, I report in total two vulnerabilities:
1- Android application vulnerability
2- Windows 8 web browser vulnerability

Report ID: https://crash-stats.mozilla.com/report/index/2b5517cc-ad73-4d11-8858-22e5f2150507

Please tell me if these vulnerabilities are eligible for a bounty.
This is a dupe of one of the many "build an infinitely large string" bugs. The PHP is equal to this JS.

number = 1;
for(number;number<10;number = number = number++) {"... Buffer Overflow ..."}

Number never grows.
I don't understand what you are trying to explain to me. Did you test the web browser (Windows 8) vulnerability?
Flags: needinfo?(kbrosnan)
Can anyone please respond to me?
You created a program that never finishes.

Loop => Test for loop that will never exit => do some work

It does not really matter what 'do some work' is; the code will create a denial of service attack against the user who encounters the code. This is not really a new thing and is difficult to impossible to guard against.

This program has not demonstrated any capabilities of sec-critical or sec-high at https://wiki.mozilla.org/Security_Severity_Ratings

I suspect there are older bugs somewhere in Bugzilla, but the signature of the crash in comment 9 is an already reported bug.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Flags: needinfo?(kbrosnan)
Resolution: --- → DUPLICATE
Whiteboard: dos
Product: Firefox for Android → Firefox for Android Graveyard
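
The loop quoted in the comments above, as an added JavaScript illustration that is not part of the bug report or of Mozilla's code: it runs the same update expression under an iteration budget to show that the counter never advances while the output keeps growing. The function names and the `budget` parameter are assumptions of this example.

```javascript
// Added illustration (not from the bug report): the loop quoted in the thread,
// run under an iteration budget so it stops instead of exhausting memory.
const CHUNK = "... Buffer Overflow ..."; // string literal from the quoted loop

// Update step exactly as written in the thread. Post-increment yields the OLD
// value, which is then assigned back, so the counter ends up unchanged.
function stuckStep(number) {
  number = number = number++;
  return number;
}

// The update a terminating loop would have used, for comparison.
function normalStep(number) {
  return number + 1;
}

// Runs `for (; number < 10; number = step(number))`, appending CHUNK each pass.
// `budget` (an assumption of this demo) caps the iterations, like a watchdog.
// Only the output size is tracked, so the demo itself stays small in memory.
function runLoop(step, budget) {
  let number = 1;
  let length = 0;
  let iterations = 0;
  for (; number < 10; number = step(number)) {
    if (iterations >= budget) {
      return { finished: false, number, iterations, length };
    }
    length += CHUNK.length;
    iterations++;
  }
  return { finished: true, number, iterations, length };
}

const stuck = runLoop(stuckStep, 100000);   // stopped by the budget
const normal = runLoop(normalStep, 100000); // exits on its own
console.log("as written:     ", stuck);
console.log("with number + 1:", normal);
```

Without the budget the first call would never return: the exit condition depends on a value that is reset on every pass, so output size is bounded only by available memory.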