XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)

VERIFIED FIXED

Status


Core
JavaScript Engine
--
critical
11 years ago
9 years ago

People

(Reporter: shutdown, Unassigned)

Tracking

({crash, verified1.8.0.8, verified1.8.1})

Version: Trunk
Keywords: crash, verified1.8.0.8, verified1.8.1
Points: ---
Bug Flags:
blocking1.7.14 -
blocking-aviary1.0.9 -
blocking1.9 ?
blocking1.8.1 +
blocking1.8.0.8 +
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] fixed by 355478)

Attachments

(2 attachments)

(Reporter)

Description

11 years ago
I had a proof of concept exploit for this vulnerability a month ago,
but it was lost due to an HDD crash. Bug 355478 has reminded me of it.

TB22649748Q
(Reporter)

Comment 1

11 years ago
Created attachment 241357 [details]
testcase

Salvaged proof of concept exploit. Works on:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre)
  Gecko/20061005 Firefox/1.5.0.8pre
TB24181017Q

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20061005 BonEcho/2.0
TB24181079Q

FIREFOX caused an exception 03H in
module unknown at 0000:12030108
Registers:
EAX=deadfeed CS=015f EIP=12030108 EFLGS=00000206
EBX=deadfeed SS=0167 ESP=00d8ec00 EBP=00d8ec20
ECX=deadfeed DS=0167 ESI=1203008c FS=1987
EDX=deadfeed ES=0167 EDI=12030084 GS=0000
Bytes at CS:EIP:
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
Stack dump:
6013c26d 02adfc00 12030084 00000003 12030084 00000000 02adfc00 1203008c
00d8ec5c 60113000 02adfc00 12030084 00000003 00d8eca8 12030010 00d8ecc0
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Marking this bug blocking; patch is in bug 355478.

/be
Flags: blocking1.8.1?
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical]
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Cover bug is fixed on the 1.8 branch.

/be
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

Comment 5

11 years ago
Created attachment 241706 [details]
e4x/Regress/regress-355569.js

Couldn't reproduce the crash, so verification will not have much meaning. shutdown, can you please test in trunk and 1.8 and mark verified? Thanks.

Updated

11 years ago
Flags: in-testsuite+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.8+

Comment 6

11 years ago
No crash with 20061009 1.8 windows/linux/mac* 1.9 windows/linux on e4x/Regress/regress-355569.js, but since I couldn't initially reproduce, I am not verifying.
Whiteboard: [sg:critical] → [sg:critical] fixed by 355478
bug 355478 has been checked into the 1.8.0 branch
Keywords: fixed1.8.0.8
(Reporter)

Comment 8

11 years ago
20061016 trunk/1.8/1.8.0: verifying with shorter testcase.
javascript: <x/>.function::hasOwnProperty.call(new Number(0x50505050>>1));
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.8, fixed1.8.1 → verified1.8.0.8, verified1.8.1
Not applicable to the aviary/moz1.7 branch
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
This has been assigned CVE-2006-5747
Summary: XML.prototype.hasOwnProperty is exploitable → XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)
Flags: blocking1.8.1.1?
Group: core-security

Comment 11

9 years ago
/cvsroot/mozilla/js/tests/e4x/Regress/regress-355569.js,v  <--  regress-355569.js
initial revision: 1.1
Flags: in-litmus-

Comment 12

9 years ago
http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63