Bug 320182 - (ZDI-CAN-008) Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749)
Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only
Keywords: crash, verified1.7.13
Product: Core
Classification: Components
Component: HTML: Parser
Version: 1.7 Branch
Platform: All All
Importance: -- critical
Target Milestone: ---
Assigned To: Daniel Veditz [:dveditz]
QA Contact: Andrew Overholt [:overholt]
Duplicates: 320463
Depends on: 269095 286733
Reported: 2005-12-13 16:04 PST by Daniel Veditz [:dveditz]
Modified: 2007-04-01 15:32 PDT
dveditz: blocking1.7.13+
dveditz: blocking-aviary1.0.8+
bob: in-testsuite?

Attachments:
backport of fixes from 269095,286733 (4.65 KB, patch), 2006-02-05 10:19 PST, Daniel Veditz [:dveditz]; flags: dveditz: approval-aviary1.0.8+, dveditz: approval1.7.13+
test-iframe.html (52 bytes, text/html), 2006-02-14 13:36 PST, Bob Clary [:bc:]; no flags
test.html (264 bytes, text/html), 2006-02-14 13:37 PST, Bob Clary [:bc:]; no flags

Description Daniel Veditz [:dveditz] 2005-12-13 16:04:28 PST
ZDI-CAN-008: Mozilla Firefox Tag Order Vulnerability

-- ABSTRACT ------------------------------------------------------------

There exists a remotely exploitable code execution vulnerability in Mozilla
Firefox related to the order in which tags appear in an HTML document.

This can be exploited by any website offering html content.

Verified on:

    Firefox 1.0.7 for Windows XP (SP2)

Assumed vulnerable on:

    All versions of Firefox for Windows

-- VULNERABILITY DETAILS -----------------------------------------------

When certain tags appear in order, an exploitable memory corruption
condition occurs in Firefox allowing an attacker to arbitrarily control
the instruction flow. An example tag pattern:


In the above snippet, "xxx" may be replaced with any arbitrary data and
the bug will still take place. Furthermore, certain tags such as the <P>
tag can be replaced with other tags. Tag attributes do not appear to
affect the issue either. To reproduce the issue try embedding a file
containing the above snippet within an IFRAME of another page. The issue
is manifested at the following instructions within firefox.exe:

    005B249D    MOV ECX, DWORD PTR DS:[EAX]
    005B249F    CALL DWORD PTR DS:[ECX+4]

It is possible to control the EAX value, which is read off of the stack,
through multiple calls to the JavaScript document.write() routine
function document.write("value") and then opening the exploiting HTML in

The relevant vulnerable code within firefox may be found at

    aRoot is not initialised and NS_ADDREF is defined so:
        #define NS_ADDREF(_ptr) \

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:

    An anonymous ZDI researcher
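A reduced illustration of the bug class the advisory describes, an out-parameter (aRoot) that is never initialised and is then handed to NS_ADDREF, which calls through the pointer, placed beside the checked form a reviewer would expect. This is an added example, not Mozilla's parser code and not the fix carried by the attached backport patch; the Element and FindRoot stand-ins, the NS_ERROR_FAILURE value and the assumed NS_ADDREF definition exist only for this example.

```cpp
#include <cstddef>
#include <cstdint>

// Constructed stand-ins for this example; not Mozilla's nsISupports or parser types.
struct RefCountedLike {
    virtual ~RefCountedLike() {}
    virtual uint32_t AddRef() = 0;
    virtual uint32_t Release() = 0;
};

struct Element : RefCountedLike {
    uint32_t refcnt;
    Element() : refcnt(1) {}
    uint32_t AddRef() override { return ++refcnt; }
    uint32_t Release() override {
        uint32_t r = --refcnt;
        if (r == 0) delete this;
        return r;
    }
};

typedef int32_t nsresult;
const nsresult NS_OK = 0;
const nsresult NS_ERROR_FAILURE = -1;  // placeholder value, not Mozilla's real code

// Assumed for this example: NS_ADDREF expands to a virtual call through the pointer,
// which is why an uninitialised pointer becomes a call through garbage (the
// MOV ECX,[EAX] / CALL [ECX+4] pair quoted in the advisory is exactly that shape).
#define NS_ADDREF(_ptr) (_ptr)->AddRef()

// Stand-in for a lookup whose out-parameter is written only on success;
// 'stack' mimics the parser's open-element stack.
nsresult FindRoot(Element* const* stack, size_t depth, Element** aRoot) {
    for (size_t i = 0; i < depth; ++i) {
        if (stack[i] != nullptr) {
            *aRoot = stack[i];
            return NS_OK;
        }
    }
    return NS_ERROR_FAILURE;  // *aRoot is left untouched
}

// Vulnerable shape: root is never initialised and FindRoot's result is ignored, so on
// the failure path NS_ADDREF dereferences whatever bytes happened to be on the stack.
// Only call this where FindRoot succeeds; the other path is undefined behaviour.
void GetRootUnchecked(Element* const* stack, size_t depth, Element** out) {
    Element* root;
    FindRoot(stack, depth, &root);
    NS_ADDREF(root);
    *out = root;
}

// Hardened shape: initialise the out-parameter, check the result code and the
// pointer, and only then take a reference.
nsresult GetRootChecked(Element* const* stack, size_t depth, Element** out) {
    Element* root = nullptr;
    nsresult rv = FindRoot(stack, depth, &root);
    if (rv != NS_OK || root == nullptr) {
        *out = nullptr;
        return NS_ERROR_FAILURE;
    }
    NS_ADDREF(root);
    *out = root;
    return NS_OK;
}
```

The checked version is the general rule for any XPCOM-style out-parameter: treat the pointer as garbage until both the nsresult and the pointer itself say otherwise, because callees are free to leave it unwritten on failure.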
Comment 1 Daniel Veditz [:dveditz] 2005-12-13 16:30:50 PST
This appears to have been fixed by bug 269095. It will also require the regression fix for bug 286733
Comment 2 Daniel Veditz [:dveditz] 2005-12-18 22:37:13 PST
*** Bug 320463 has been marked as a duplicate of this bug. ***
Comment 3 Daniel Veditz [:dveditz] 2006-02-05 10:19:12 PST
Created attachment 210781
backport of fixes from 269095,286733
Comment 4 Daniel Veditz [:dveditz] 2006-02-05 12:43:23 PST
Backported fix checked into the 1.7 and aviary1.0.1 branches
Comment 5 Tracy Walker [:tracy] 2006-02-14 13:06:57 PST
Dan, I've verified 286733 doesn't crash. But this bug has no testcase. Can you provide one?
Comment 6 Bob Clary [:bc:] 2006-02-14 13:36:42 PST
Created attachment 211895
Comment 7 Bob Clary [:bc:] 2006-02-14 13:37:44 PST
Created attachment 211896
Comment 8 Bob Clary [:bc:] 2006-02-14 13:39:19 PST
test crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7, but not Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8