Closed
Bug 395054
Opened 17 years ago
Closed 17 years ago
Crashes on test for Sun Java Plugin security on the site scanit.de [@ jpinscp.dll@0xcf15]
Categories
(Core Graveyard :: Plug-ins, defect)
Tracking
(Not tracked)
RESOLVED DUPLICATE of bug 405357
People
(Reporter: whitewolfpro, Unassigned)
Details
(Keywords: crash, regression)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007090504 Minefield/3.0a8pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007090504 Minefield/3.0a8pre
I ran every security test they had and everything is fine with this overnight version of a8pre.
The site that makes Firefox crash is:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/main-frames.php?tests[]=idef20041123
It tests a security vulnerability with Sun Java Plugin... So I'm not sure if it has something to do with the security issue or if it just crashes; I don't know.
Reproducible: Always
Steps to Reproduce:
1. Start the browser again.
2. Then go to the homepage http://bcheck.scanit.be/bcheck/
3. Select the link "Choose which tests to run" right under "Start the test".
4. Choose number 7 which is the "Sun Java Plugin Arbitrary Package Access Vulnerability / Opera Java Vulnerability (idef20041123)" test.
5. Then just push the button at the bottom of the page to start the test.
6. Now it should crash when the page has loaded.
Actual Results:
It crashes and then Firefox shows a little report window that it crashed and you can view some info, but too little, and you can close the window or restart Firefox.
Expected Results:
Well, it wouldn't have to crash :p
I just want to point out one thing that might be a little bit off topic.
When the window with the restart Firefox button comes up after Firefox has crashed, I would like to have that window improved with things like:
Advanced information on the crash, like seeing the memory addresses and files that caused the crash, etc.
And then there should be a button so that you could report the crash immediately to you guys here or to the development team.
Comment 1•17 years ago
When you go to Application Data, Mozilla, Firefox, you'll see a folder Crash Reports. There you can find a link that you can copy to this bug.
Comment 2•17 years ago
It is a regression on 6 Aug, presumably from Bug 390385.
Blocks: 390385
Keywords: regression
Okay, I think I found the link in two files that I had in the folder Submitted:
http://crash-stats.mozilla.com/report/index/38aee657-5bd7-11dc-abf1-001a4bd43ef6?date=2007-09-05-17
Updated•17 years ago
Severity: normal → critical
Keywords: crash
Summary: Crashes on test for Sun Java Plugin security on the site scanit.de → Crashes on test for Sun Java Plugin security on the site scanit.de [@ jpinscp.dll@0xcf15]
The site that makes firefox to crash is:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/main-frames.php?tests[]=idef20041123
Yes. I can confirm crash.
I cannot confirm crash on test #7 at http://bcheck.scanit.be/bcheck/ in the Steps To Reproduce.
> I cannot confirm crash on test #7 at http://bcheck.scanit.be/bcheck/ in the
> Steps To Reproduce.
>
Yes, I know it doesn't crash at the site http://bcheck.scanit.be/bcheck/ but if you read how to get to the site where it crashes.
Read the whole "Steps to Reproduce"...
Now I think I have found the code for the applet that causes the crash:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/Idef20041123.class
And the script:
<applet name="Dummy" code="Idef20041123.class">
</applet>
<script language="JavaScript" defer>
// Report the result to the test site's results frame.
function vulnerable() {
    window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=yes', 'testframe1');
}
function notvulnerable() {
    window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=no', 'testframe1');
}

wait_applet();

// Here we are trying to detect two different vulnerabilities -
// one in Sun Java Plugin before 1.4.2_06 () and another one
// in Opera before 2.54u1. Both allow loading of sun.* Java
// classes
// Unpatched Sun Java throws a Java exception inside the Java class
// and does not throw JavaScript exception when we call forName()
// Patched Sun Java throws exceptions in both cases
// Unpatched Opera does not throw exception inside the Java class
// Patched Opera does not throw exception inside the Java class and
// does not throw the exception in JavaScript
// Thus it is difficult to distinguish patched Opera from unpatched
// everything else. We check the return value of forName()
// Patched Opera returns null, unpatched everything else returns an
// object
function wait_applet() {
    try {
        var applet_class = document.applets[0].getClass();
        if (applet_class) {
            // Check for vulnerable Opera
            if (document.applets[0].vulnerableOpera() == 1) {
                vulnerable();
                return;
            }
            try {
                var private_class = applet_class.forName('sun.text.Utility');
                if (private_class == null) {
                    // This is probably patched Opera
                    notvulnerable();
                } else {
                    // Unpatched Java Plugin
                    vulnerable();
                }
            } catch (e) {
                notvulnerable();
            }
        } else {
            // Applet not ready yet: poll again
            setTimeout("wait_applet()", 500);
        }
    } catch (e) {
        setTimeout("wait_applet()", 500);
    }
}
</script>
Hopefully this is of some help.
Comment 7•17 years ago
(In reply to comment #6)
> Now I think I have found the code for the applet that causes the crash:
...
> <script language="JavaScript" defer>
>
> function vulnerable()
> {window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=yes','testframe1');};function
> notvulnerable()
> {window.open('http://bcheck.scanit.be:80/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/accresults.php?&testid=idef20041123&vulnerable=no','testframe1');};
> wait_applet();
>
> // Here we are trying to detect two different vulnerabilities -
> // one in Sun Java Plugin before 1.4.2_06 ()
...
> Hopefully this is for some help.
Which version of Java are you running?
http://www.heise-security.co.uk/services/browsercheck/tests/java.shtml
This test page shows if Java is enabled, you can try working a Rubik's cube, and it tells you which version of Java you are running.
Or type about:plugins into the location bar to see the versions of your plug-ins:
Java(TM) Platform SE 6 U2
File name: ....
Java Plug-in 1.6.0_02 for Netscape Navigator (DLL Helper)
> Which version of Java are you running?
>
The Java plugin version I had before was:
Java Plug-in 1.6.0 for Netscape Navigator (DLL Helper)
And so I thought of upgrading the Java version to update 2 that was available for download.
So now I have:
Java Plug-in 1.6.0_02 for Netscape Navigator (DLL Helper)
But Firefox still crashes on this page:
http://bcheck.scanit.be/bcheck/session/sid-ba6bf5926cb3a11554ef3ddbca39cd96/main-frames.php?tests[]=idef20041123
Comment 9•17 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091823 Minefield/3.0a8pre
Test 7 still crashing with the latest Java version. If automatic updating is enabled (I believe this is by default), you have always the latest. Don't know if this bug is something that should be repaired in Java or in Firefox. Fact is that the fix of bug 390385 started to trigger this crash.
Updated•17 years ago
Flags: blocking-firefox3?
Reporter
Comment 10•17 years ago
(In reply to comment #9)
> Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a8pre) Gecko/2007091823
> Minefield/3.0a8pre
> Test 7 still crashing with the latest Java version. If automatic updating is
> enabled (I believe this is by default), you have always the latest. Don't know
> if this bug is something that should be repaired in Java or in Firefox. Fact is
> that the fix of bug 390385 started to trigger this crash.
>
Well I have tested on the Internet Explorer 7.0.5730.11 and it worked fine with Java version 1.6.0 and 1.6.0_02. So I think there might be a small chance that the Java engine might be working wrongly with Firefox. But it might be a good thing to ask Sun Microsystems if they could take a look at it at least.
Updated•17 years ago
Component: Security → Plug-ins
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: firefox → plugins
Updated•17 years ago
Version: unspecified → Trunk
Reporter
Comment 11•17 years ago
The old url has stopped working so I'm posting the new url for the bug/vulnerability issue:
http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
And Firefox still crashes on this coding. I haven't found any solution to it yet though. :/
Error report detail:
Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0pre
BuildID: 2008041005
CrashTime: 1207861574
InstallTime: 1207858265
ProductName: Firefox
SecondsSinceLastCrash: 997986
StartupTime: 1207861550
Theme: classic/1.0
URL: http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
UserID: 11f0f248-06a0-40d5-9beb-e535932c5b8a
Vendor: Mozilla
Version: 3.0pre
Reporter
Comment 12•17 years ago
Oh and I forgot to give the class file a new url: http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/Idef20041123.class
(In reply to comment #11)
> The old url has stopped working so I'm posting the new url for the
> bug/vulnerability issue:
>
> http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
>
> And Firefox still crashes on this coding. I haven't found any solution to it
> yet though. :/
>
>
> Error report detail:
> Add-ons: {972ce4c6-7e08-4474-a285-3208198ce6fd}:3.0pre
> BuildID: 2008041005
> CrashTime: 1207861574
> InstallTime: 1207858265
> ProductName: Firefox
> SecondsSinceLastCrash: 997986
> StartupTime: 1207861550
> Theme: classic/1.0
> URL:
> http://bcheck.scanit.be/old-bcheck/session/sid-b70743f9c163ef889c507d9031afe640/main-frames.php?tests%5B%5D=idef20041123
> UserID: 11f0f248-06a0-40d5-9beb-e535932c5b8a
> Vendor: Mozilla
> Version: 3.0pre
>
Comment 13•17 years ago
Reporter: please load about:crashes, and copy the report ID here. The information the crash reporter shows you is not useful for us.
Reporter
Comment 14•17 years ago
(In reply to comment #13)
> reporter: please load about:crashes, and copy the report id here. the
> information crash reporter shows you is not useful for us.
>
Here's the url:
http://crash-stats.mozilla.com/report/pending/c73f87b3-07db-11dd-bbf9-0013211cbf8a
Reporter
Comment 15•17 years ago
I did a debug on the crash and here's the result of it from WinDbg:
CommandLine: C:\Program\Minefield2\firefox.exe
Symbol search path is: C:\symbols;SRV*c:\symbols*http://symbols.mozilla.org/firefox;SRV*c:\symbols*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00417000 firefox.exe
ModLoad: 7c900000 7c9b2000 ntdll.dll
ModLoad: 7c800000 7c8f9000 C:\WINDOWS\system32\kernel32.dll
ModLoad: 60490000 60dd7000 C:\Program\Minefield2\xul.dll
ModLoad: 60210000 60277000 C:\Program\Minefield2\sqlite3.dll
ModLoad: 60000000 600ae000 C:\Program\Minefield2\MOZCRT19.dll
ModLoad: 77c00000 77c58000 C:\WINDOWS\system32\msvcrt.dll
ModLoad: 60100000 601ac000 C:\Program\Minefield2\js3250.dll
ModLoad: 600b0000 600e0000 C:\Program\Minefield2\nspr4.dll
ModLoad: 77dc0000 77e6b000 C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000 C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 71ac0000 71aca000 C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 71aa0000 71ab7000 C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71a90000 71a98000 C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 76b30000 76b5e000 C:\WINDOWS\system32\WINMM.dll
ModLoad: 7e360000 7e3f1000 C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f57000 C:\WINDOWS\system32\GDI32.dll
ModLoad: 60430000 60448000 C:\Program\Minefield2\smime3.dll
ModLoad: 60340000 603ea000 C:\Program\Minefield2\nss3.dll
ModLoad: 603f0000 60404000 C:\Program\Minefield2\nssutil3.dll
ModLoad: 600f0000 600f7000 C:\Program\Minefield2\plc4.dll
ModLoad: 600e0000 600e7000 C:\Program\Minefield2\plds4.dll
ModLoad: 60410000 60430000 C:\Program\Minefield2\ssl3.dll
ModLoad: 7c9c0000 7d1d9000 C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77f60000 77fdc000 C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 774d0000 7760d000 C:\WINDOWS\system32\ole32.dll
ModLoad: 77bf0000 77bf8000 C:\WINDOWS\system32\VERSION.dll
ModLoad: 72fd0000 72ff6000 C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 76390000 763d9000 C:\WINDOWS\system32\COMDLG32.dll
ModLoad: 773c0000 774c3000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2982_x-ww_ac3f9c03\COMCTL32.dll
ModLoad: 76370000 7638d000 C:\WINDOWS\system32\IMM32.dll
ModLoad: 76360000 76365000 C:\WINDOWS\system32\MSIMG32.dll
ModLoad: 75530000 7559b000 C:\WINDOWS\system32\USP10.dll
ModLoad: 77110000 7719b000 C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 60de0000 60de7000 C:\Program\Minefield2\xpcom.dll
(9dc.7c0): Break instruction exception - code 80000003 (first chance)
eax=00191eb4 ebx=7ffdf000 ecx=00000005 edx=00000020 esi=00191f48 edi=00191eb4
eip=7c901230 esp=0012fb20 ebp=0012fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!DbgBreakPoint:
7c901230 cc int 3
0:000> g
ModLoad: 59f50000 59ff1000 C:\WINDOWS\system32\dbghelp.dll
ModLoad: 5ad70000 5ada8000 C:\WINDOWS\system32\uxtheme.dll
ModLoad: 22200000 22206000 C:\Program\Eset\ESET NOD32 Antivirus\eplgHooks.dll
ModLoad: 746f0000 7473c000 C:\WINDOWS\system32\MSCTF.dll
ModLoad: 10000000 10010000 C:\WINDOWS\system32\tabhook.dll
ModLoad: 77910000 77a05000 C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 751a0000 751ce000 C:\WINDOWS\system32\msctfime.ime
ModLoad: 76fc0000 7703f000 C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77040000 77108000 C:\WINDOWS\system32\COMRes.dll
ModLoad: 601b0000 601b8000 C:\Program\Minefield2\components\browserdirprovider.dll
ModLoad: 00e00000 00e1d000 C:\Program\TCPSPY~1\TCPSPYLSP.DLL
ModLoad: 71a40000 71a80000 C:\WINDOWS\system32\MSWSOCK.dll
ModLoad: 698b0000 69908000 C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 73050000 7306c000 C:\WINDOWS\system32\rsvpsp.dll
ModLoad: 71a80000 71a88000 C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76d50000 76d69000 C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 76f10000 76f37000 C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76fa0000 76fa8000 C:\WINDOWS\System32\winrnr.dll
ModLoad: 76f50000 76f7d000 C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 16080000 16099000 C:\Program\Bonjour\mdnsNSP.dll
ModLoad: 20000000 202ca000 C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 602f0000 60315000 C:\Program\Minefield2\softokn3.dll
ModLoad: 60320000 60338000 C:\Program\Minefield2\nssdbm3.dll
ModLoad: 60450000 60489000 C:\Program\Minefield2\freebl3.dll
ModLoad: 602a0000 602e8000 C:\Program\Minefield2\nssckbi.dll
ModLoad: 601c0000 601e3000 C:\Program\Minefield2\components\brwsrcmp.dll
ModLoad: 76fb0000 76fb6000 C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 6d690000 6d6b1000 C:\Program\Java\jre1.6.0_03\bin\npoji610.dll
ModLoad: 6d4e0000 6d4f0000 C:\Program\Java\jre1.6.0_03\bin\jpioji.dll
ModLoad: 7c360000 7c3b6000 C:\WINDOWS\system32\MSVCR71.dll
ModLoad: 6d4c0000 6d4d8000 C:\Program\Java\jre1.6.0_03\bin\jpinscp.dll
ModLoad: 6d4f0000 6d514000 C:\Program\Java\jre1.6.0_03\bin\jpishare.dll
ModLoad: 6d250000 6d261000 C:\Program\Java\jre1.6.0_03\bin\deploy.dll
ModLoad: 77a70000 77b05000 C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b10000 77b22000 C:\WINDOWS\system32\MSASN1.dll
ModLoad: 44540000 4460f000 C:\WINDOWS\system32\WININET.dll
ModLoad: 041e0000 041e9000 C:\WINDOWS\system32\Normaliz.dll
ModLoad: 442c0000 44305000 C:\WINDOWS\system32\iertutil.dll
ModLoad: 44620000 44747000 C:\WINDOWS\system32\urlmon.dll
ModLoad: 76770000 76779000 C:\WINDOWS\system32\shfolder.dll
ModLoad: 6d7c0000 6da0a000 C:\Program\Java\JRE16~2.0_0\bin\client\jvm.dll
ModLoad: 6d310000 6d318000 C:\Program\Java\JRE16~2.0_0\bin\hpi.dll
ModLoad: 76be0000 76beb000 C:\WINDOWS\system32\PSAPI.DLL
ModLoad: 6d770000 6d77c000 C:\Program\Java\JRE16~2.0_0\bin\verify.dll
ModLoad: 6d3b0000 6d3cf000 C:\Program\Java\JRE16~2.0_0\bin\java.dll
ModLoad: 6d7b0000 6d7bf000 C:\Program\Java\JRE16~2.0_0\bin\zip.dll
ModLoad: 6d000000 6d1c3000 C:\Program\Java\jre1.6.0_03\bin\awt.dll
ModLoad: 73730000 73779000 C:\WINDOWS\system32\ddraw.dll
ModLoad: 73b90000 73b96000 C:\WINDOWS\system32\DCIMAN32.dll
ModLoad: 6d2b0000 6d303000 C:\Program\Java\jre1.6.0_03\bin\fontmanager.dll
ModLoad: 76770000 76779000 C:\WINDOWS\system32\shfolder.dll
ModLoad: 77fe0000 77ff1000 C:\WINDOWS\system32\Secur32.dll
ModLoad: 6d6d0000 6d70b000 C:\Program\Java\jre1.6.0_03\bin\regutils.dll
ModLoad: 7d1e0000 7d49e000 C:\WINDOWS\system32\msi.dll
ModLoad: 6d570000 6d583000 C:\Program\Java\jre1.6.0_03\bin\net.dll
(9dc.7c0): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000060 ebx=00000000 ecx=00032428 edx=00000000 esi=6d4c32b4 edi=000334a8
eip=6d4ccf45 esp=00033420 ebp=00033440 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program\Java\jre1.6.0_03\bin\jpinscp.dll -
jpinscp!NSGetFactory+0x56b:
6d4ccf45 8501 test dword ptr [ecx],eax ds:0023:00032428=00000000
0:000> kp
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00033440 7e368724 jpinscp!NSGetFactory+0x56b
0003346c 7e368806 USER32!InternalCallWinProc+0x28
000334d4 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00033504 7e36e8e5 USER32!CallWindowProcAorW+0x98
00033524 6d4c3789 USER32!CallWindowProcA+0x1b
000345c4 7e368724 jpinscp+0x3789
000345f0 7e368806 USER32!InternalCallWinProc+0x28
00034658 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00034688 7e36e8e5 USER32!CallWindowProcAorW+0x98
000346a8 6d4c3789 USER32!CallWindowProcA+0x1b
00035748 7e368724 jpinscp+0x3789
00035774 7e368806 USER32!InternalCallWinProc+0x28
000357dc 7e36c623 USER32!UserCallWinProcCheckWow+0x150
0003580c 7e36e8e5 USER32!CallWindowProcAorW+0x98
0003582c 6d4c3789 USER32!CallWindowProcA+0x1b
000368cc 7e368724 jpinscp+0x3789
000368f8 7e368806 USER32!InternalCallWinProc+0x28
00036960 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00036990 7e36e8e5 USER32!CallWindowProcAorW+0x98
000369b0 6d4c3789 USER32!CallWindowProcA+0x1b
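The recursion visible in the `kp` output above can be confirmed mechanically when triaging a stack overflow (code c00000fd). The following is an added example, not part of the original bug report: it parses frames in WinDbg's `ChildEBP RetAddr symbol` layout and reports the shortest back-to-back repeating sequence of symbols. The sample frames are copied from the trace in comment 15; the function names `parse_frames` and `find_cycle` are hypothetical.

```python
import re

# Frame lines in WinDbg `k`/`kp` output: "ChildEBP RetAddr symbol+0xoffset"
FRAME_RE = re.compile(r"^([0-9a-fA-F]{8})\s+([0-9a-fA-F]{8})\s+(.+)$")

# Sample input: the first 16 frames of the trace posted in comment 15.
SAMPLE = """\
ChildEBP RetAddr
WARNING: Stack unwind information not available. Following frames may be wrong.
00033440 7e368724 jpinscp!NSGetFactory+0x56b
0003346c 7e368806 USER32!InternalCallWinProc+0x28
000334d4 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00033504 7e36e8e5 USER32!CallWindowProcAorW+0x98
00033524 6d4c3789 USER32!CallWindowProcA+0x1b
000345c4 7e368724 jpinscp+0x3789
000345f0 7e368806 USER32!InternalCallWinProc+0x28
00034658 7e36c623 USER32!UserCallWinProcCheckWow+0x150
00034688 7e36e8e5 USER32!CallWindowProcAorW+0x98
000346a8 6d4c3789 USER32!CallWindowProcA+0x1b
00035748 7e368724 jpinscp+0x3789
00035774 7e368806 USER32!InternalCallWinProc+0x28
000357dc 7e36c623 USER32!UserCallWinProcCheckWow+0x150
0003580c 7e36e8e5 USER32!CallWindowProcAorW+0x98
0003582c 6d4c3789 USER32!CallWindowProcA+0x1b
000368cc 7e368724 jpinscp+0x3789
"""


def parse_frames(text):
    """Return [(child_ebp, symbol)] for each frame line; headers and warnings are skipped."""
    frames = []
    for line in text.splitlines():
        m = FRAME_RE.match(line.strip())
        if m:
            frames.append((int(m.group(1), 16), m.group(3)))
    return frames


def find_cycle(frames, min_repeats=2):
    """Find the shortest symbol sequence that repeats back-to-back.

    Returns (start_index, cycle_symbols, repeats, stack_bytes_per_cycle) or None.
    """
    syms = [sym for _, sym in frames]
    n = len(syms)
    for period in range(1, n // min_repeats + 1):
        for start in range(0, n - period * min_repeats + 1):
            unit = syms[start:start + period]
            reps = 1
            while syms[start + reps * period:start + (reps + 1) * period] == unit:
                reps += 1
            if reps >= min_repeats:
                # ChildEBP grows toward older frames, so the difference is stack used per loop.
                stride = frames[start + period][0] - frames[start][0]
                return start, unit, reps, stride
    return None


if __name__ == "__main__":
    print(find_cycle(parse_frames(SAMPLE)))
```

On the sample it reports the five-frame loop ending in `jpinscp+0x3789`, repeated three times, with 0x1184 bytes of stack consumed per iteration.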
Reporter
Comment 16•17 years ago
I was looking at my crash report page and found out that the overflow has changed a little from jpinscp.dll 0xcf15 to jpinscp.dll 0xcf45.
So I did a quick search and found another bug with the same stack overflow:
https://bugzilla.mozilla.org/show_bug.cgi?id=405357
Are these bugs the same?
Comment 17•17 years ago
yes
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•13 years ago
Crash Signature: [@ jpinscp.dll@0xcf15]
Updated•3 years ago
Product: Core → Core Graveyard