XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)

VERIFIED FIXED

Status

VERIFIED FIXED
Type: defect
Priority: --
Severity: critical
Reported: 13 years ago
Modified: 11 years ago

People

(Reporter: sync2d, Unassigned)

Tracking

({crash, verified1.8.0.8, verified1.8.1})

Trunk
Points:
---
Bug Flags:
blocking1.7.14 -
blocking-aviary1.0.9 -
blocking1.9 ?
blocking1.8.1 +
blocking1.8.0.8 +
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical] fixed by 355478)

Attachments

(2 attachments)

(Reporter)

Description

13 years ago
I had a proof of concept exploit for this vulnerability a month ago,
but it was lost due to an HDD crash. Bug 355478 has reminded me of it.

TB22649748Q
(Reporter)

Comment 1

13 years ago
Posted file testcase
Salvaged proof of concept exploit. Works on:

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.0.8pre)
  Gecko/20061005 Firefox/1.5.0.8pre
TB24181017Q

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.8.1)
  Gecko/20061005 BonEcho/2.0
TB24181079Q

FIREFOX caused an exception 03H in
module unknown at 0000:12030108
Registers:
EAX=deadfeed CS=015f EIP=12030108 EFLGS=00000206
EBX=deadfeed SS=0167 ESP=00d8ec00 EBP=00d8ec20
ECX=deadfeed DS=0167 ESI=1203008c FS=1987
EDX=deadfeed ES=0167 EDI=12030084 GS=0000
Bytes at CS:EIP:
90 90 90 90 90 90 90 90 90 90 90 90 90 90 90 90
Stack dump:
6013c26d 02adfc00 12030084 00000003 12030084 00000000 02adfc00 1203008c
00d8ec5c 60113000 02adfc00 12030084 00000003 00d8eca8 12030010 00d8ecc0
Flags: blocking1.9?
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
Marking this bug blocking; patch is in bug 355478.

/be
Flags: blocking1.8.1?
Flags: blocking1.8.0.8?
Whiteboard: [sg:critical]
Blocking for Fx2 RC3
Flags: blocking1.8.1? → blocking1.8.1+
Cover bug is fixed on the 1.8 branch.

/be
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED

Comment 5

13 years ago
Couldn't reproduce the crash, so verification will not have much meaning. shutdown, can you please test in trunk and 1.8 and mark verified? Thanks.

Updated

13 years ago
Flags: in-testsuite+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.8?
Flags: blocking1.8.0.8+

Comment 6

13 years ago
No crash with 20061009 1.8 windows/linux/mac* 1.9 windows/linux on e4x/Regress/regress-355569.js, but since I couldn't initially reproduce, I am not verifying.
Whiteboard: [sg:critical] → [sg:critical] fixed by 355478
bug 355478 has been checked into the 1.8.0 branch
Keywords: fixed1.8.0.8
(Reporter)

Comment 8

13 years ago
20061016 trunk/1.8/1.8.0: verifying with shorter testcase.
javascript: <x/>.function::hasOwnProperty.call(new Number(0x50505050>>1));
Status: RESOLVED → VERIFIED
Not applicable to the aviary/moz1.7 branch
Flags: blocking1.7.14-
Flags: blocking-aviary1.0.9-
This has been assigned CVE-2006-5747
Summary: XML.prototype.hasOwnProperty is exploitable → XML.prototype.hasOwnProperty is exploitable (CVE-2006-5747)
Flags: blocking1.8.1.1?
Group: core-security

Comment 11

11 years ago
/cvsroot/mozilla/js/tests/e4x/Regress/regress-355569.js,v  <--  regress-355569.js
initial revision: 1.1
Flags: in-litmus-