Bug 320182 (ZDI-CAN-008)

Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749 )

RESOLVED FIXED

Status


defect
--
critical
RESOLVED FIXED
14 years ago
12 years ago

People

(Reporter: dveditz, Assigned: dveditz)

Tracking

({crash, verified1.7.13})

1.7 Branch
Bug Flags:
blocking1.7.13 +
blocking-aviary1.0.8 +
in-testsuite ?

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only)

Attachments

(3 attachments)


Description

14 years ago
ZDI-CAN-008: Mozilla Firefox Tag Order Vulnerability

-- ABSTRACT ------------------------------------------------------------

There exists a remotely exploitable code execution vulnerability in Mozilla
Firefox related to the order in which tags appear in an HTML document.

This can be exploited by any website offering html content.

Verified on:

    Firefox 1.0.7 for Windows XP (SP2)

Assumed vulnerable on:

    All versions of Firefox for Windows

-- VULNERABILITY DETAILS -----------------------------------------------

When certain tags appear in order, an exploitable memory corruption
condition occurs in Firefox allowing an attacker to arbitrarily control
the instruction flow. An example tag pattern:

    <TABLE><xxx><TH><FRAMESET><PARAM><MAP><P><TABLE>xxx

In the above snippet, "xxx" may be replaced with any arbitrary data and
the bug will still take place. Furthermore, certain tags such as the <P>
tag can be replaced with other tags. Tag attributes do not appear to
affect the issue either. To reproduce the issue try embedding a file
containing the above snippet within an IFRAME of another page. The issue
is manifested at the following instructions within firefox.exe:

    005B249D    MOV ECX, DWORD PTR DS:[EAX]
    005B249F    CALL DWORD PTR DS:[ECX+4]

It is possible to control the EAX value, which is read off of the stack,
through multiple calls to the JavaScript document.write() function,
document.write("value"), and then opening the exploiting HTML in
an IFRAME.

The relevant vulnerable code within firefox may be found at
./content/html/document/src/nsHTMLContentSink.cpp:1151:

    NS_ADDREF(aRoot);

aRoot is not initialised and NS_ADDREF is defined so:

    #define NS_ADDREF(_ptr) \
          (_ptr)->AddRef()

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:

    An anonymous ZDI researcher
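As an added illustration of the defect the report points at (an out-parameter left unset on a failure path and then handed to NS_ADDREF), with the hardened form beside it. This is example code written for this page, not code from the Mozilla tree or from the ZDI report; the Node class, the FindRoot functions and the "FRAMESET inside TABLE" failure condition are stand-ins assumed for the example, not the real parser state.

```cpp
#include <string>
#include <vector>

// Stand-in for an XPCOM-style refcounted object (assumption: not Gecko's nsIContent).
struct Node {
    int refcnt = 0;
    void AddRef()  { ++refcnt; }
    void Release() { --refcnt; }
};

// The unchecked macro quoted in the report: it dereferences whatever _ptr holds.
#define NS_ADDREF(_ptr)    ((_ptr)->AddRef())
// Null-tolerant form (Gecko also has NS_IF_ADDREF); safe only once the pointer is initialised.
#define NS_IF_ADDREF(_ptr) ((_ptr) ? (_ptr)->AddRef() : (void)0)
// Hypothetical "unsupported tag order" check standing in for whatever parser state the
// real sink rejected; chosen only to resemble the shape of the report's tag pattern.
bool FramesetInsideTable(const std::vector<std::string>& tags) {
    bool inTable = false;
    for (const std::string& t : tags) {
        if (t == "TABLE") inTable = true;
        else if (t == "FRAMESET" && inTable) return true;
    }
    return false;
}

// Bug pattern: on the failure path the out-parameter is never written, so a caller
// that does NS_ADDREF(*aRoot) unconditionally dereferences stack garbage.
bool FindRootBuggy(const std::vector<std::string>& tags, Node* doc, Node** aRoot) {
    if (FramesetInsideTable(tags)) return false;   // *aRoot left untouched
    *aRoot = doc;
    return true;
}

// Hardened: always write the out-parameter, and report failure to the caller.
bool FindRootFixed(const std::vector<std::string>& tags, Node* doc, Node** aRoot) {
    *aRoot = nullptr;
    if (FramesetInsideTable(tags)) return false;
    *aRoot = doc;
    return true;
}

// Caller in the hardened style. Returns doc's refcount afterwards so the effect is
// observable: 1 when a root was found and AddRef'd, unchanged (0) when it was not.
int AddRefRootSafely(const std::vector<std::string>& tags, Node* doc) {
    Node* root;                                                 // uninitialised, as aRoot was
    if (!FindRootFixed(tags, doc, &root)) return doc->refcnt;   // check status before use
    NS_IF_ADDREF(root);                                         // still null-safe
    return doc->refcnt;
}
```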

Comment 1

14 years ago
This appears to have been fixed by bug 269095. It will also require the regression fix for bug 286733
Alias: ZDI-CAN-008
Component: Security → Security
Depends on: 269095, 286733
Flags: blocking-aviary1.0.8+
Product: Firefox → Core
Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only

Updated

14 years ago
Component: Security → HTML: Parser

Updated

14 years ago
Flags: blocking1.7.13+
Version: 1.0 Branch → 1.7 Branch

Comment 2

14 years ago
*** Bug 320463 has been marked as a duplicate of this bug. ***

Comment 3

14 years ago
Attachment #210781 - Flags: approval1.7.13+
Attachment #210781 - Flags: approval-aviary1.0.8+

Comment 4

14 years ago
Backported fix checked into the 1.7 and aviary1.0.1 branches
Status: NEW → RESOLVED
Last Resolved: 14 years ago
Resolution: --- → FIXED
Comment 5

Dan, I've verified 286733 doesn't crash. But this bug has no testcase. Can you provide one?

Comment 6

14 years ago
Posted file test-iframe.html

Comment 7

14 years ago
Posted file test.html

Comment 8

14 years ago
test crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7, but not Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8

Updated

13 years ago
Flags: testcase+

Updated

13 years ago
Summary: Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008) → CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008)

Updated

13 years ago
Summary: CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008) → Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008, CVE-2006-0749 )

Updated

13 years ago
Summary: Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008, CVE-2006-0749 ) → Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749 )

Updated

13 years ago
Group: security

Updated

12 years ago
Flags: in-testsuite+ → in-testsuite?