Closed
Bug 299209
(CVE-2005-2114)
Opened 19 years ago
Closed 19 years ago
anonymous function expression statement => JS stack overflow [crash in js3250.dll + (0002c7d4)]
Categories
(Core :: JavaScript Engine, defect, P2)
Tracking
()
VERIFIED
FIXED
mozilla1.8beta3
People
(Reporter: chofmann, Assigned: brendan)
References
()
Details
(Keywords: fixed-aviary1.0.5, fixed1.7.9, js1.5, Whiteboard: [sg:fix] scrub last attachment before disclosing, see comment 20)
Attachments
(1 file)
1.85 KB,
patch
|
shaver
:
review+
jay
:
approval-aviary1.0.5+
jay
:
approval1.7.9+
brendan
:
approval1.8b3+
|
Details | Diff | Splinter Review |
full disclosure deinal of service crash reported to security evilninja wrote: > > Kurczaba Associates Advisories schrieb: > > >> >>Date Discovered: June 14, 2005 here is all that I was able to get out of talback... Incident ID: 7098019 Stack Signature js3250.dll + 0x2c7d4 (0x6010c7d4) e08bd997 Email Address chofmann@mozilla.org Product ID FirefoxTrunk Build ID 2005062806 Trigger Time 2005-06-29 20:08:16.0 Platform Win32 Operating System Windows NT 5.1 build 2600 Module js3250.dll + (0002c7d4) Since Last Crash 29061 sec Total Uptime 29061 sec Trigger Reason Access violation Source File, Line No. N/A Stack Trace js3250.dll + 0x2c7d4 (0x6010c7d4)
Reporter | ||
Comment 1•19 years ago
|
||
mail from Paul Kurczaba paul at kurczaba.com Mozilla Team, We have found a security vulnerability that affects the following Mozilla applications: -Mozilla 1.7.8 -Firefox 1.0.4 -Camino 0.8.4 Details: By using a specially crafted JavaScript function, it is possible to crash the above named browsers. The script can be executed both with and without user intervention. The JavaScript Code: The following Javascript code is what causes the browsers to crash: for (a = 0; a <= 10000; a++) { function(){("");} } Proof of Concept: A proof-of-concept example of this vulnerability can be found at: http://www.kurczaba.com/html/security/unpublished/crash_mozilla.htm Credit: Paul and Arnie Kurczaba
Assignee | ||
Comment 2•19 years ago
|
||
This is a very old bug -- it dates to ECMA-262 Edition 3 work in 1999. It's not exploitable. I'll fix tomorrow. /be
Assignee: general → brendan
Flags: blocking-aviary1.1+
Keywords: js1.5
Priority: -- → P2
Target Milestone: --- → mozilla1.8beta3
Assignee | ||
Updated•19 years ago
|
Summary: crash in js3250.dll + (0002c7d4) → anonymous function expression statement => JS stack overflow [crash in js3250.dll + (0002c7d4)]
Comment 3•19 years ago
|
||
Checking in regress-299209.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-299209.js,v <-- regress-299209.js initial revision: 1.1
Flags: testcase+
Comment 4•19 years ago
|
||
Timeless was looking into this today as well, and some guy came on IRC claiming it was exploitable but offered no demonstration.
Assignee | ||
Comment 5•19 years ago
|
||
(In reply to comment #4) > Timeless was looking into this today as well, and some guy came on IRC claiming > it was exploitable but offered no demonstration. That's nice. It's a JS interpreter stack overflow. There's no way to forge object references from script, so I doubt this IRC claim. Reading garbage from beyond the current stack chunk might lead to crashes, but not to controlled execution. /be
Assignee | ||
Comment 6•19 years ago
|
||
Writing beyond the current stack chunk might corrupt the malloc heap. That's not inherently exploitable AFAIK. If someone (jackerror on IRC is working on it) does come up with an exploit, please mail me and dveditz@cruzio.com, or even the security-group@mozilla.org mailing list, so we can mark this bug "security sensitive" to restrict access to it, *then* the exploit can be attached to this bug, and we can award a bounty to the person demonstrating the exploit. /be
Assignee | ||
Comment 7•19 years ago
|
||
Simple and direct. /be
Attachment #187857 -
Flags: review?
Attachment #187857 -
Flags: approval1.8b3+
Comment on attachment 187857 [details] [diff] [review] fix r=shaver.
Attachment #187857 -
Flags: review? → review+
Assignee | ||
Comment 9•19 years ago
|
||
Fixed on trunk. Fix is needed on the branches too. /be
Status: NEW → RESOLVED
Closed: 19 years ago
Flags: blocking1.7.9?
Flags: blocking-aviary1.0.5?
Resolution: --- → FIXED
Assignee | ||
Updated•19 years ago
|
Flags: blocking1.7.9?
Flags: blocking1.7.9+
Flags: blocking-aviary1.0.5?
Flags: blocking-aviary1.0.5+
Comment 10•19 years ago
|
||
Comment on attachment 187857 [details] [diff] [review] fix Brendan, let's get this checked in on the branches as well. a=jay
Attachment #187857 -
Flags: approval1.7.9+
Attachment #187857 -
Flags: approval-aviary1.0.5+
Assignee | ||
Comment 11•19 years ago
|
||
Checked appropriately back-ported patch into branches. /be
Keywords: fixed-aviary1.0.5,
fixed1.7.9
Comment 12•19 years ago
|
||
syntax error on trunk and 1.0.5 and no crash. Error: syntax error Source File: http://www.kurczaba.com/html/security/unpublished/crash_mozilla.htm Line: 48, Column: 11 Source Code: function(){};
Status: RESOLVED → VERIFIED
Comment 13•19 years ago
|
||
updated test to reflect expected syntax error Checking in regress-299209.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-299209.js,v <-- regress-299209.js new revision: 1.2; previous revision: 1.1 done
Comment 14•19 years ago
|
||
Bob, your new test doesn't crash without the patch. You have to eval() the complete for loop.
Comment 15•19 years ago
|
||
(In reply to comment #14) Erik, thanks. I tested it and saw a crash in 1.0.4 but must have executed the old version from the cache. fscking firefox cache. Checking in regress-299209.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-299209.js,v <-- regress-299209.js new revision: 1.3; previous revision: 1.2 done
Comment 16•19 years ago
|
||
really fixed this time. new revision: 1.4; previous revision: 1.3
Comment 17•19 years ago
|
||
this causes the following failures in the js test suite: ecma_3/Statements/regress-194364.js: sections 1, 3, 5, 7, 9 js1_5/Regress/regress-224956.js: section 29 was that intentional and the tests need to be changed?
Assignee | ||
Comment 18•19 years ago
|
||
(In reply to comment #17) > this causes the following failures in the js test suite: > > ecma_3/Statements/regress-194364.js: sections 1, 3, 5, 7, 9 > js1_5/Regress/regress-224956.js: section 29 > > was that intentional and the tests need to be changed? From ECMA-262 Edition 3, 12.4: 12.4 Expression Statement Syntax ExpressionStatement : [lookahead not in {{, function}] Expression ; Note that an ExpressionStatement cannot start with an opening curly brace because that might make it ambiguous with a Block. Also, an ExpressionStatement cannot start with the function keyword because that might make it ambiguous with a FunctionDeclaration. /be
Comment 19•19 years ago
|
||
Marking security sensitive because we have been sent a testcase that proves this is exploitable.
Group: security
Assignee | ||
Comment 20•19 years ago
|
||
Sauron (jackerror on IRC) contacted me last week about this bug, and worked hard to develop an exploit. I recommend he get a bug bounty for his work, and I would like to encourage him to file other security-sensitive bugs with bugzilla.mozilla.org as soon as possible, so he can claim priority and win more bounties. He asked that I include his wishes here: ----- begin quote ----- Brendan, Yes you can attach the exploitation.txt to the bug, Yes I have a bugzilla login (sauron@nerim.net). As I told to Daniel Veditz, I don't want the exploit to be made public at anytime, even when a fixed version of mozilla will be available. The bug take time to exploit because it is located in some part of the code one as to take the time to understand before being able to do anything. Probably nobody will code such an exploit and make it public, and I don't want mine to be made public, I hate to provide destructive tools to clueless people who will use it to annoy OpenSource users whose main purpose is not security. Anyway, please can you just put a note about this when attaching the file to the bug in the bugzilla ? Thanks -----end quote----- I'm not sure how to arrange to *never* disclose his exploit without never removing the security-sensitive flag from this bug, or else stripping this attachment via bugzilla database hacks behind the scenes, before removing the access restriction on this bug. I'll leave it to dveditz to negotiate a mutually satisfactory solution with sauron. /be
Comment 21•19 years ago
|
||
*** Bug 299816 has been marked as a duplicate of this bug. ***
Comment 22•19 years ago
|
||
Adding distributors
Updated•19 years ago
|
Whiteboard: [sg:fix]
Assignee | ||
Comment 23•19 years ago
|
||
*** Bug 300955 has been marked as a duplicate of this bug. ***
Assignee | ||
Updated•19 years ago
|
Whiteboard: [sg:fix] → [sg:fix] [scrub last attachment before disclosing]
Comment 24•19 years ago
|
||
Dan, Is there a reason there is no Mozilla Foundation Security advisory for this issue?
Assignee | ||
Comment 25•19 years ago
|
||
Josh: see the status whiteboard. /be
Do we need to open this bug to issue an advisory? We often embargo bug details, and say so in the advisory text.
Comment 27•19 years ago
|
||
Brendan, I understand we have to scrub the attachment, but it's not uncommon to release an MFSA without opening up the bug until a later date.
Comment 28•19 years ago
|
||
Additionally, this issue is CAN-2005-2114. MITRE has it classified as simply a DoS right now. When this issue goes public I'll make sure they update their description.
Assignee | ||
Comment 29•19 years ago
|
||
Josh: oh, sorry -- then dveditz should comment, since he updates the known vulnerabilities page. /be
Comment 30•19 years ago
|
||
Checking in ecma_3/Statements/regress-194364.js; /cvsroot/mozilla/js/tests/ecma_3/Statements/regress-194364.js,v <-- regress-194364.js new revision: 1.4; previous revision: 1.3 done Checking in js1_5/Regress/regress-224956.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-224956.js,v <-- regress-224956.js new revision: 1.7; previous revision: 1.6 done
Comment 31•19 years ago
|
||
Are there any plans to open this bug up to the public?
Comment 32•18 years ago
|
||
No. there should be no such plans. not without removing at least the attachment. comment 20 is perfectly clear on that point.
Updated•18 years ago
|
Group: security
Whiteboard: [sg:fix] [scrub last attachment before disclosing] → [sg:fix] scrub last attachment before disclosing, see comment 20
You need to log in
before you can comment on or make changes to this bug.
Description
•