Closed Bug 320182 (ZDI-CAN-008) Opened 19 years ago Closed 18 years ago

Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749)

Categories

(Core :: DOM: HTML Parser, defect)

1.7 Branch
defect
Not set
critical

RESOLVED FIXED

People

(Reporter: dveditz, Assigned: dveditz)

References

Details

(Keywords: crash, verified1.7.13, Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only)

Attachments

(3 files)

ZDI-CAN-008: Mozilla Firefox Tag Order Vulnerability

-- ABSTRACT ------------------------------------------------------------

There exists a remotely exploitable code execution vulnerability in Mozilla
Firefox related to the order in which tags appear in an HTML document.

This can be exploited by any website offering html content.

Verified on:

    Firefox 1.0.7 for Windows XP (SP2)

Assumed vulnerable on:

    All versions of Firefox for Windows

-- VULNERABILITY DETAILS -----------------------------------------------

When certain tags appear in order, an exploitable memory corruption
condition occurs in Firefox allowing an attacker to arbitrarily control
the instruction flow. An example tag pattern:

    <TABLE><xxx><TH><FRAMESET><PARAM><MAP><P><TABLE>xxx

In the above snippet, "xxx" may be replaced with any arbitrary data and
the bug will still take place. Furthermore, certain tags such as the <P>
tag can be replaced with other tags. Tag attributes do not appear to
affect the issue either. To reproduce the issue try embedding a file
containing the above snippet within an IFRAME of another page. The issue
is manifested at the following instructions within firefox.exe:

    005B249D    MOV ECX, DWORD PTR DS:[EAX]
    005B249F    CALL DWORD PTR DS:[ECX+4]

It is possible to control the EAX value, which is read off of the stack,
through multiple calls to the JavaScript document.write() routine
(document.write("value")) and then opening the exploiting HTML in
an IFRAME.

The relevant vulnerable code within firefox may be found at
./content/html/document/src/nsHTMLContentSink.cpp:1151:

    NS_ADDREF(aRoot);

aRoot is not initialised, and NS_ADDREF is defined as:

    #define NS_ADDREF(_ptr) \
          (_ptr)->AddRef()

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:

    An anonymous ZDI researcher

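The defect the advisory describes, an uninitialised out-pointer handed to NS_ADDREF, reduced to a stand-alone C++ illustration added here (this is not Mozilla's nsHTMLContentSink code; RefCounted, FindRoot, BuggyCaller, HardenedCaller and Scenario are hypothetical stand-ins), placed next to the hardened form that nulls the pointer and checks it before the dereference hidden inside the macro:

```cpp
// Added illustration of the bug class in the advisory: a caller passes an
// uninitialised pointer to a lookup that only assigns it on success, then
// hands it to NS_ADDREF, which dereferences unconditionally.
// All types and functions here are hypothetical stand-ins, not Mozilla code.

// Minimal stand-in for an XPCOM-style refcounted object.
struct RefCounted {
    int refcnt = 0;
    void AddRef()  { ++refcnt; }
    void Release() { --refcnt; }
};

// The macro as quoted in the advisory: no null check, no result check.
#define NS_ADDREF(_ptr) (_ptr)->AddRef()

// Stand-in lookup (hypothetical). Its contract is the dangerous one: the
// out-parameter is written only on the success path, so on failure the
// caller's variable keeps whatever was on the stack.
static bool FindRoot(bool found, RefCounted* candidate, RefCounted** aRoot) {
    if (!found) {
        return false;          // *aRoot deliberately left untouched here
    }
    *aRoot = candidate;
    return true;
}

// "Before" form, never executed in this file: aRoot is indeterminate when
// FindRoot fails, and NS_ADDREF calls AddRef through that garbage pointer.
void BuggyCaller(bool found, RefCounted* candidate) {
    RefCounted* aRoot;                    // uninitialised
    FindRoot(found, candidate, &aRoot);   // return value ignored
    NS_ADDREF(aRoot);                     // dereference of stack garbage on failure
}

// Hardened form: initialise to nullptr, honour the lookup's result, and
// refuse to dereference a null pointer. Returns 0 on success, -1 on bail-out.
int HardenedCaller(bool found, RefCounted* candidate) {
    RefCounted* aRoot = nullptr;          // never leave an out-pointer indeterminate
    if (!FindRoot(found, candidate, &aRoot) || aRoot == nullptr) {
        return -1;                        // fail closed instead of AddRef on garbage
    }
    NS_ADDREF(aRoot);
    return 0;
}

// Drives one scenario through the hardened caller: returns the object's
// refcount after the call on success, or -1 when the caller bailed out.
int Scenario(bool found) {
    RefCounted obj;
    if (HardenedCaller(found, &obj) != 0) {
        return -1;
    }
    return obj.refcnt;
}
```

The hardened caller is the pattern reviewers look for around any out-parameter API whose failure path leaves the pointer unset: initialise, check the return value, and null-check before a macro or inline call that dereferences without looking.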
This appears to have been fixed by bug 269095. It will also require the regression fix for bug 286733.
Alias: ZDI-CAN-008
Depends on: 269095, 286733
Flags: blocking-aviary1.0.8+
Product: Firefox → Core
Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only
Component: Security → HTML: Parser
Flags: blocking1.7.13+
Version: 1.0 Branch → 1.7 Branch
*** Bug 320463 has been marked as a duplicate of this bug. ***
Attachment #210781 - Flags: approval1.7.13+
Attachment #210781 - Flags: approval-aviary1.0.8+
Backported fix checked into the 1.7 and aviary1.0.1 branches
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Dan, I've verified 286733 doesn't crash. But this bug has no testcase. Can you provide one?
Attached file test.html
Test crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7, but not Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8
Flags: testcase+
Summary: Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008) → CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008)
Summary: CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008) → Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008, CVE-2006-0749 )
Summary: Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008, CVE-2006-0749 ) → Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749 )
Group: security
Flags: in-testsuite+ → in-testsuite?