Bug 320182 (ZDI-CAN-008)

Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749 )

Status: RESOLVED FIXED
Product: Core
Component: HTML: Parser
Priority: --
Severity: critical
Reported: 12 years ago
Last modified: 10 years ago

People

Reporter: dveditz, Assigned: dveditz

Tracking

Version: 1.7 Branch
Keywords: crash, verified1.7.13
Bug Flags: blocking1.7.13+, blocking-aviary1.0.8+, in-testsuite?
Firefox Tracking Flags: (Not tracked)

Details

Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only

Attachments

(3 attachments)

(Assignee)

Description

12 years ago
ZDI-CAN-008: Mozilla Firefox Tag Order Vulnerability

-- ABSTRACT ------------------------------------------------------------

There exists a remotely exploitable code execution vulnerability in Mozilla
Firefox related to the order in which tags appear in an HTML document.

This can be exploited by any website offering HTML content.

Verified on:

    Firefox 1.0.7 for Windows XP (SP2)

Assumed vulnerable on:

    All versions of Firefox for Windows

-- VULNERABILITY DETAILS -----------------------------------------------

When certain tags appear in order, an exploitable memory corruption
condition occurs in Firefox allowing an attacker to arbitrarily control
the instruction flow. An example tag pattern:

    <TABLE><xxx><TH><FRAMESET><PARAM><MAP><P><TABLE>xxx

In the above snippet, "xxx" may be replaced with any arbitrary data and
the bug will still take place. Furthermore, certain tags such as the <P>
tag can be replaced with other tags. Tag attributes do not appear to
affect the issue either. To reproduce the issue try embedding a file
containing the above snippet within an IFRAME of another page. The issue
is manifested at the following instructions within firefox.exe:

    005B249D    MOV ECX, DWORD PTR DS:[EAX]
    005B249F    CALL DWORD PTR DS:[ECX+4]

It is possible to control the EAX value, which is read off of the stack,
through multiple calls to the JavaScript document.write() function
(document.write("value")) and then opening the exploiting HTML in an
IFRAME.

The relevant vulnerable code within firefox may be found at
./content/html/document/src/nsHTMLContentSink.cpp:1151:

    NS_ADDREF(aRoot);

aRoot is not initialised and NS_ADDREF is defined so:

    #define NS_ADDREF(_ptr) \
          (_ptr)->AddRef()

-- CREDIT --------------------------------------------------------------

This vulnerability was discovered by:

    An anonymous ZDI researcher
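Added illustration (not code from Mozilla, ZDI or this bug): a small C++ model of the bug class the advisory describes, a virtual AddRef() through a pointer the callee never wrote, next to the defensive pattern that removes it. The nsISupports slot order and the NS_ADDREF/NS_IF_ADDREF macros follow Mozilla's real definitions; SinkState, RootNode, GetRootVulnerable/GetRootHardened and the two callers are hypothetical stand-ins for the content-sink code at the cited line, not its actual logic. The fake-vtable part relies on the Itanium C++ ABI (vtable pointer as the object's first word, `this` in the first argument register) and is not portable C++; it is there to show why the `CALL DWORD PTR DS:[ECX+4]` in the advisory lands wherever the stale pointer's first word says.

```cpp
// Added illustration, not Mozilla code: model of the advisory's bug class (virtual
// AddRef() through an out-parameter the callee never wrote) and of the fix pattern.
// Names are hypothetical unless marked as Mozilla's.
#include <cstdint>

typedef uint32_t nsresult;
typedef unsigned long nsrefcnt;                   // register width, like a real return slot
static const nsresult NS_OK = 0;
static const nsresult NS_ERROR_FAILURE = 0x80004005;

// Slot order as in Mozilla's nsISupports: 0 = QueryInterface, 1 = AddRef,
// 2 = Release. With sizeof(void*) == 4 on the 32-bit build in the advisory,
// (_ptr)->AddRef() is exactly:  MOV ECX,[EAX]  (vtable)   CALL [ECX+4]  (slot 1)
struct nsISupports {
  virtual nsresult QueryInterface(const void* aIID, void** aResult) = 0;
  virtual nsrefcnt AddRef() = 0;
  virtual nsrefcnt Release() = 0;
};

// Macros as defined in Mozilla's nsISupportsUtils.h.
#define NS_ADDREF(_ptr)     (_ptr)->AddRef()
#define NS_IF_ADDREF(_expr) ((0 != (_expr)) ? (_expr)->AddRef() : 0)

// Hypothetical root node with a real refcount, for the fixed path.
struct RootNode : nsISupports {
  nsrefcnt mRefCnt = 0;
  nsresult QueryInterface(const void*, void** aResult) override { *aResult = this; return NS_OK; }
  nsrefcnt AddRef() override { return ++mRefCnt; }
  nsrefcnt Release() override { return --mRefCnt; }
};

// Hypothetical sink state: the tag order has reached a point that expects a root
// node, but none has been created yet.
struct SinkState { nsISupports* mRoot; bool mUnexpectedOrder; };

// BEFORE: the early-return path never writes *aRoot, so the caller's local keeps
// whatever that stack slot held on entry.
nsresult GetRootVulnerable(const SinkState& s, nsISupports** aRoot) {
  if (s.mUnexpectedOrder && !s.mRoot) return NS_ERROR_FAILURE;  // *aRoot untouched
  *aRoot = s.mRoot;
  return NS_OK;
}

// AFTER: every path writes the out-parameter; failure yields null, never garbage.
nsresult GetRootHardened(const SinkState& s, nsISupports** aRoot) {
  *aRoot = nullptr;
  if (s.mUnexpectedOrder && !s.mRoot) return NS_ERROR_FAILURE;
  *aRoot = s.mRoot;
  return NS_OK;
}

// --- Attacker's view of the stale stack word ---------------------------------
// Under the Itanium C++ ABI (x86-64/AArch64 GCC and Clang) a polymorphic object's
// first word is its vtable pointer and `this` travels in the first argument
// register, so a plain function taking one pointer can stand in for a member
// function. Not portable C++; here only to show where the CALL lands when the
// attacker controls the object pointer.
typedef nsrefcnt (*Slot)(void* self);
struct FakeVtable { Slot qi, addref, release; };
struct FakeObject { FakeVtable* vptr; };

static void*      g_hijackedThis = nullptr;
static nsrefcnt   Hijacked(void* self) { g_hijackedThis = self; return 0x41414141UL; }
static FakeVtable g_fakeVtable = { nullptr, Hijacked, nullptr };

// The vulnerable caller. `stale` models the word that repeated document.write()
// calls left in the uninitialised slot for `root` (constructed here, not read from
// the real stack). noinline keeps the compiler from seeing what it points at.
__attribute__((noinline))
nsrefcnt VulnerableCaller(const SinkState& s, nsISupports* stale) {
  nsISupports* root = stale;        // the "uninitialised" local
  GetRootVulnerable(s, &root);      // rv ignored; on failure root is still `stale`
  return NS_ADDREF(root);           // MOV ECX,[EAX]; CALL [ECX+4], EAX chosen by attacker
}

// The hardened caller: initialise the local, keep rv, AddRef only a non-null.
nsrefcnt HardenedCaller(const SinkState& s, nsresult* aRv) {
  nsISupports* root = nullptr;
  *aRv = GetRootHardened(s, &root);
  return NS_IF_ADDREF(root);        // 0 on the failure path, no indirect call at all
}

// Runs the vulnerable path with a fake object in the stale slot. True if the
// AddRef() call was redirected into Hijacked() with the fake object as `this`.
bool HijackRedirectsAddRef() {
  FakeObject fake = { &g_fakeVtable };
  SinkState s = { nullptr, true };
  nsrefcnt rv = VulnerableCaller(s, reinterpret_cast<nsISupports*>(&fake));
  return rv == 0x41414141UL && g_hijackedThis == &fake;
}

// Same bad tag-order state through the hardened path: no AddRef, rv reports failure.
bool HardenedRejectsBadOrder() {
  SinkState s = { nullptr, true };
  nsresult rv = NS_OK;
  nsrefcnt count = HardenedCaller(s, &rv);
  return count == 0 && rv == NS_ERROR_FAILURE;
}

// Good state through the hardened path: the real node is AddRef'd exactly once.
nsrefcnt HardenedOnGoodOrder() {
  RootNode node;
  SinkState s = { &node, false };
  nsresult rv = NS_OK;
  return HardenedCaller(s, &rv);
}
```

Build with g++ or clang++ on x86-64 or AArch64 Linux. The hardened half shows the general discipline, independent of what the backported patch in this bug actually changed: out-parameters written on every path, callers that initialise their locals and check the result, and NS_IF_ADDREF wherever null is a legal value, so a failed parse step can at worst dereference null rather than call through attacker-controlled memory.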
(Assignee)

Comment 1

12 years ago
This appears to have been fixed by bug 269095. It will also require the regression fix for bug 286733.
Alias: ZDI-CAN-008
Component: Security → Security
Depends on: 269095, 286733
Flags: blocking-aviary1.0.8+
Product: Firefox → Core
Whiteboard: [sg:critical] ff1.0.x/moz1.7.x only
(Assignee)

Updated

12 years ago
Component: Security → HTML: Parser
(Assignee)

Updated

12 years ago
Flags: blocking1.7.13+

Updated

12 years ago
Version: 1.0 Branch → 1.7 Branch
(Assignee)

Comment 2

12 years ago
*** Bug 320463 has been marked as a duplicate of this bug. ***
(Assignee)

Comment 3

11 years ago
Created attachment 210781 [details] [diff] [review]
backport of fixes from 269095,286733
Attachment #210781 - Flags: approval1.7.13+
Attachment #210781 - Flags: approval-aviary1.0.8+
(Assignee)

Updated

11 years ago
Keywords: fixed-aviary1.0.8, fixed1.7.13
(Assignee)

Comment 4

11 years ago
Backported fix checked into the 1.7 and aviary1.0.1 branches
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → FIXED

Comment 5

11 years ago
Dan, I've verified 286733 doesn't crash. But this bug has no testcase. Can you provide one?
Keywords: fixed-aviary1.0.8, fixed1.7.13 → verified-aviary1.0.8, verified1.7.13

Comment 6

11 years ago
Created attachment 211895 [details]
test-iframe.html

Comment 7

11 years ago
Created attachment 211896 [details]
test.html

Comment 8

11 years ago
test crashes Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7, but not Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.13) Gecko/20060213 Firefox/1.0.8

Updated

11 years ago
Flags: testcase+

Updated

11 years ago
Summary: Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008) → CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008)
(Assignee)

Updated

11 years ago
Summary: CVE-2006-0749 Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008) → Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008, CVE-2006-0749 )
(Assignee)

Updated

11 years ago
Summary: Mozilla Firefox Tag Order Vulnerability (ZDI-CAN-008, CVE-2006-0749 ) → Mozilla Firefox Tag Order Vulnerability (ZDI-06-009, CVE-2006-0749 )
(Assignee)

Updated

11 years ago
Group: security

Updated

10 years ago
Flags: in-testsuite+ → in-testsuite?