320182 - (ZDI-CAN-008) Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749 )

Status: RESOLVED FIXED

(Core :: DOM: HTML Parser, defect)

Description

[Daniel Veditz [:dveditz]]

ZDI-CAN-008: Mozilla Firefox Tag Order Vulnerability

-- ABSTRACT ------------------------------------------------------------

There exists a remotely exploitable code execution vulnerability Mozilla
Firefox related to the order tags appear in an HTML document.

This can be exploited by any website offering html content.

Verified on:

    Firefox 1.0.7 for Windows XP (SP2)

Assumed vulnerabled on:

    All versions of Firefox for Windows

-- VULNERABILITY DETAILS -----------------------------------------------

When certain tags appear in order, an exploitable memory corruption
condition occurs in Firefox allowing an attacker to arbitrarily control
the instruction flow. An example tag pattern:

    <TABLE><xxx><TH><FRAMESET><PARAM><MAP><P><TABLE>xxx

In the above snippet, "xxx" may be replaced with any arbitrary data and
the bug will still take place. Furthermore, certain tags such as the <P>
tag can be replaced with other tags. Tag attributes do not appear to
affect the issue either. To reproduce the issue try embedding a file
containing the above snippet within an IFRAME of another page. The issue
is manifested at the following instructions within firefox.exe:

    005B249D    MOV ECX, DWORD PTR DS:[EAX]
    005B249F    CALL DWORD PTR DS[ECX+4]

It is possible to control the EAX value, which is read off of the stack,
through multiple calls to the JavaScript document.write() routine
function document.write("value") and then opening the exploiting HTML in
an IFRAME.

The relevant vulnerable code within firefox may be found at
./content/html/document/src/nsHTMLContentSink.cpp:1151:

    NS_ADDREF(aRoot);
    aRoot is not initialised and NS_ADDREF is defined so:
        #define NS_ADDREF(_ptr) \
              (_ptr)->AddRef()

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:

    An anonymous ZDI researcher=

Comment 1

[Daniel Veditz [:dveditz]]

This appears to have been fixed by bug 269095. It will also require the regression fix for bug 286733

Comment 2

[Daniel Veditz [:dveditz]]

*** Bug 320463 has been marked as a duplicate of this bug. ***

Comment 3

[Daniel Veditz [:dveditz]]

Attachment: backport of fixes from 269095,286733

Comment 4

[Daniel Veditz [:dveditz]]

Backported fix checked into the 1.7 and aviary1.0.1 branches

Comment 5

[Tracy Walker [:tracy]]

Dan, I've verified 286733 doesn't crash. But this bug has no testcase.  can you provide one?

Comment 6

[Bob Clary [:bc] (inactive)]

Attachment: test-iframe.html

Comment 7

[Bob Clary [:bc] (inactive)]

Attachment: test.html

Comment 8

[Bob Clary [:bc] (inactive)]

test crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7, but not Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8