Closed Bug 299209 (CVE-2005-2114) Opened 19 years ago Closed 19 years ago

anonymous function expression statement => JS stack overflow [crash in js3250.dll + (0002c7d4)]

Categories

(Core :: JavaScript Engine, defect, P2)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8beta3

People

(Reporter: chofmann, Assigned: brendan)

References

(
URL
)

Details

(Keywords: fixed-aviary1.0.5, fixed1.7.9, js1.5, Whiteboard: [sg:fix] scrub last attachment before disclosing, see comment 20)

Attachments

(1 file)

fix
1.85 KB, patch
shaver
: review+
jay
: approval-aviary1.0.5+
jay
: approval1.7.9+
brendan
: approval1.8b3+
Details | Diff | Splinter Review
full disclosure deinal of service crash reported to security evilninja wrote: > > Kurczaba Associates Advisories schrieb: > > >> >>Date Discovered: June 14, 2005 here is all that I was able to get out of talback... Incident ID: 7098019 Stack Signature js3250.dll + 0x2c7d4 (0x6010c7d4) e08bd997 Email Address chofmann@mozilla.org Product ID FirefoxTrunk Build ID 2005062806 Trigger Time 2005-06-29 20:08:16.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (0002c7d4) Since Last Crash 29061 sec Total Uptime 29061 sec Trigger Reason Access violation Source File, Line No. N/A Stack Trace js3250.dll + 0x2c7d4 (0x6010c7d4)
mail from Paul Kurczaba paul at kurczaba.com Mozilla Team, We have found a security vulnerability that affects the following Mozilla applications: -Mozilla 1.7.8 -Firefox 1.0.4 -Camino 0.8.4 Details: By using a specially crafted JavaScript function, it is possible to crash the above named browsers. The script can be executed both with and without user intervention. The JavaScript Code: The following Javascript code is what causes the browsers to crash: for (a = 0; a <= 10000; a++) { function(){("");} } Proof of Concept: A proof-of-concept example of this vulnerability can be found at: http://www.kurczaba.com/html/security/unpublished/crash_mozilla.htm Credit: Paul and Arnie Kurczaba
This is a very old bug -- it dates to ECMA-262 Edition 3 work in 1999. It's not exploitable. I'll fix tomorrow. /be
Assignee: general → brendan
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta3
Summary: crash in js3250.dll + (0002c7d4) → anonymous function expression statement => JS stack overflow [crash in js3250.dll + (0002c7d4)]
Checking in regress-299209.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-299209.js,v <-- regress-299209.js initial revision: 1.1
Flags: testcase+
Timeless was looking into this today as well, and some guy came on IRC claiming it was exploitable but offered no demonstration.
(In reply to comment #4) > Timeless was looking into this today as well, and some guy came on IRC claiming > it was exploitable but offered no demonstration. That's nice. It's a JS interpreter stack overflow. There's no way to forge object references from script, so I doubt this IRC claim. Reading garbage from beyond the current stack chunk might lead to crashes, but not to controlled execution. /be
Writing beyond the current stack chunk might corrupt the malloc heap. That's not inherently exploitable AFAIK. If someone (jackerror on IRC is working on it) does come up with an exploit, please mail me and dveditz@cruzio.com, or even the security-group@mozilla.org mailing list, so we can mark this bug "security sensitive" to restrict access to it, *then* the exploit can be attached to this bug, and we can award a bounty to the person demonstrating the exploit. /be
Attached patch fixSplinter Review
Simple and direct. /be
Attachment #187857 - Flags: review?
Attachment #187857 - Flags: approval1.8b3+
Comment on attachment 187857 [details] [diff] [review] fix r=shaver.
Attachment #187857 - Flags: review? → review+
Fixed on trunk. Fix is needed on the branches too. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: blocking1.7.9?
Flags: blocking-aviary1.0.5?
Resolution: --- → FIXED
Flags: blocking1.7.9?
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Comment on attachment 187857 [details] [diff] [review] fix Brendan, let's get this checked in on the branches as well. a=jay
Attachment #187857 - Flags: approval1.7.9+
Attachment #187857 - Flags: approval-aviary1.0.5+
Checked appropriately back-ported patch into branches. /be
Keywords: fixed-aviary1.0.5, fixed1.7.9
syntax error on trunk and 1.0.5 and no crash. Error: syntax error Source File: http://www.kurczaba.com/html/security/unpublished/crash_mozilla.htm Line: 48, Column: 11 Source Code: function(){};
Status: RESOLVED → VERIFIED
updated test to reflect expected syntax error Checking in regress-299209.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-299209.js,v <-- regress-299209.js new revision: 1.2; previous revision: 1.1 done
Bob, your new test doesn't crash without the patch. You have to eval() the complete for loop.
(In reply to comment #14) Erik, thanks. I tested it and saw a crash in 1.0.4 but must have executed the old version from the cache. fscking firefox cache. Checking in regress-299209.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-299209.js,v <-- regress-299209.js new revision: 1.3; previous revision: 1.2 done
really fixed this time. new revision: 1.4; previous revision: 1.3
this causes the following failures in the js test suite: ecma_3/Statements/regress-194364.js: sections 1, 3, 5, 7, 9 js1_5/Regress/regress-224956.js: section 29 was that intentional and the tests need to be changed?
(In reply to comment #17) > this causes the following failures in the js test suite: > > ecma_3/Statements/regress-194364.js: sections 1, 3, 5, 7, 9 > js1_5/Regress/regress-224956.js: section 29 > > was that intentional and the tests need to be changed? From ECMA-262 Edition 3, 12.4: 12.4 Expression Statement Syntax ExpressionStatement : [lookahead not in {{, function}] Expression ; Note that an ExpressionStatement cannot start with an opening curly brace because that might make it ambiguous with a Block. Also, an ExpressionStatement cannot start with the function keyword because that might make it ambiguous with a FunctionDeclaration. /be
Marking security sensitive because we have been sent a testcase that proves this is exploitable.
Group: security
Sauron (jackerror on IRC) contacted me last week about this bug, and worked hard to develop an exploit. I recommend he get a bug bounty for his work, and I would like to encourage him to file other security-sensitive bugs with bugzilla.mozilla.org as soon as possible, so he can claim priority and win more bounties. He asked that I include his wishes here: ----- begin quote ----- Brendan, Yes you can attach the exploitation.txt to the bug, Yes I have a bugzilla login (sauron@nerim.net). As I told to Daniel Veditz, I don't want the exploit to be made public at anytime, even when a fixed version of mozilla will be available. The bug take time to exploit because it is located in some part of the code one as to take the time to understand before being able to do anything. Probably nobody will code such an exploit and make it public, and I don't want mine to be made public, I hate to provide destructive tools to clueless people who will use it to annoy OpenSource users whose main purpose is not security. Anyway, please can you just put a note about this when attaching the file to the bug in the bugzilla ? Thanks -----end quote----- I'm not sure how to arrange to *never* disclose his exploit without never removing the security-sensitive flag from this bug, or else stripping this attachment via bugzilla database hacks behind the scenes, before removing the access restriction on this bug. I'll leave it to dveditz to negotiate a mutually satisfactory solution with sauron. /be
*** Bug 299816 has been marked as a duplicate of this bug. ***
Blocks: 299816
Adding distributors
Whiteboard: [sg:fix]
*** Bug 300955 has been marked as a duplicate of this bug. ***
Whiteboard: [sg:fix] → [sg:fix] [scrub last attachment before disclosing]
Dan, Is there a reason there is no Mozilla Foundation Security advisory for this issue?
Josh: see the status whiteboard. /be
Do we need to open this bug to issue an advisory? We often embargo bug details, and say so in the advisory text.
Brendan, I understand we have to scrub the attachment, but it's not uncommon to release an MFSA without opening up the bug until a later date.
Additionally, this issue is CAN-2005-2114. MITRE has it classified as simply a DoS right now. When this issue goes public I'll make sure they update their description.
Josh: oh, sorry -- then dveditz should comment, since he updates the known vulnerabilities page. /be
Checking in ecma_3/Statements/regress-194364.js; /cvsroot/mozilla/js/tests/ecma_3/Statements/regress-194364.js,v <-- regress-194364.js new revision: 1.4; previous revision: 1.3 done Checking in js1_5/Regress/regress-224956.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-224956.js,v <-- regress-224956.js new revision: 1.7; previous revision: 1.6 done
Are there any plans to open this bug up to the public?
No. there should be no such plans. not without removing at least the attachment. comment 20 is perfectly clear on that point.
Group: security
Whiteboard: [sg:fix] [scrub last attachment before disclosing] → [sg:fix] scrub last attachment before disclosing, see comment 20
This appears to be CVE-2005-2114
Alias: CVE-2005-2114
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: