recursive document.write leads to crash

Status: VERIFIED FIXED
Priority: --
Severity: critical
Reported: 11 years ago
Modified: 9 years ago

People: Reporter: adlab; Assignee: Unassigned

Tracking: Version: 1.8 Branch; Platform: x86, Windows Server 2003
Keywords: crash, verified1.8.1.12
Points: ---
Bug Flags: wanted1.8.1.x +; in-testsuite ?
Firefox Tracking Flags: (Not tracked)

Details: Whiteboard: [sg:nse dos] fixed by bug 197052

Attachments: 1 attachment

Description (Reporter, 11 years ago)
User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; SV1; Maxthon; .NET CLR 1.1.4322)
Build Identifier: 

[AD_LAB-07007] Mozilla FireFox malicious script remote DoS

I.DESCRIPTION: 
-------------

A vulnerability has been discovered in Mozilla FireFox, which can be exploited by malicious people to compromise a user's system.

The vulnerability is caused by a design error in FireFox when processing certain malicious scripts. FireFox can fall into an endless loop when processing a script that writes innerHTML, which leads to DoS.

Testing code:

<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
    document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>

III.CREDIT: 
----------
    Venustech AD-LAB discovered this vuln. Thanks to all Venustech AD-Lab guys.

V.DISCLAIMS:
-----------

The information in this bulletin is provided "AS IS" without warranty of any
kind. In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special damages. 

Copyright 1996-2007 VENUSTECH. All Rights Reserved. Terms of use.

VENUSTECH Security Lab 
VENUSTECH INFORMATION TECHNOLOGY CO.,LTD(http://www.venustech.com.cn)

Reproducible: Always

Steps to Reproduce:
<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
    document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>
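The recursion in this testcase, as an added worked example that is not code from the bug report or from Mozilla's tree. The SCRIPT element is a child of <FireFox id=dos>, so by the time the script runs, dos.innerHTML already contains the script itself; document.write() called while the page is still being parsed inserts the written markup at the parser's current position, so the copy is parsed at once, runs, writes dos.innerHTML again (now holding two scripts), and so on without bound. The Node script below models that with a toy parser and shows what a cap on the nesting depth of document.write does, in the spirit of the trunk check quoted in comment 2 (NS_ENSURE_TRUE(!mTooDeepWriteRecursion)). The toy parser, the depth limit of 20 and the demo budget of 500 scripts are assumptions of this example, not Gecko's values.

```javascript
// Added example (not from the bug report or from Mozilla's tree): a toy model of why
// document.write(dos.innerHTML) recurses, plus an assumed write-depth guard.
const MAX_WRITE_DEPTH = 20;     // assumed; Gecko's real limit is not on this page
const DEMO_SCRIPT_BUDGET = 500; // watchdog so the unguarded run ends instead of hanging Node

class Element {
  constructor(tag, id) {
    this.tag = tag;
    this.id = id;
    this.children = [];         // text strings or child Elements, in document order
  }
  get innerHTML() {
    return this.children.map((c) => (typeof c === "string" ? c : c.outerHTML)).join("");
  }
  get outerHTML() {
    return `<${this.tag}${this.id ? ` id=${this.id}` : ""}>${this.innerHTML}</${this.tag}>`;
  }
}

// Tokens: inline <script>...</script>, close tag, open tag (optional id=), text.
const TOKEN = /<script[^>]*>([\s\S]*?)<\/script>|<\/([a-z][\w-]*)\s*>|<([a-z][\w-]*)(?:\s+id=([\w-]+))?[^>]*>|([^<]+)/gi;

class ToyDocument {
  constructor(guard) {
    this.guard = guard;                 // enforce MAX_WRITE_DEPTH in write()?
    this.stack = [new Element("html")]; // open elements; written markup lands in the top one
    this.byId = new Map();
    this.writeDepth = 0;
    this.maxDepthSeen = 0;
    this.scriptsRun = 0;
    this.errors = [];                   // what the browser would print to the JS console
    this.terminated = false;            // set once the parse has been aborted
  }
  get current() { return this.stack[this.stack.length - 1]; }

  // document.write() from a script running during parsing: the written markup is
  // parsed immediately, at the current insertion point (a nested parse).
  write(markup) {
    if (this.guard && this.writeDepth >= MAX_WRITE_DEPTH) {
      this.terminated = true;           // like trunk: the failed write aborts the load
      throw new Error("NS_ERROR_UNEXPECTED: too deep document.write recursion");
    }
    this.writeDepth++;
    this.maxDepthSeen = Math.max(this.maxDepthSeen, this.writeDepth);
    try { this.parse(markup); } finally { this.writeDepth--; }
  }

  parse(markup) {
    for (const m of markup.matchAll(TOKEN)) {
      if (this.terminated) break;
      const [, scriptBody, closeTag, openTag, id, text] = m;
      if (scriptBody !== undefined) {
        const script = new Element("script");
        script.children.push(scriptBody);
        this.current.children.push(script); // the script is now part of dos.innerHTML
        this.runScript(scriptBody);         // and runs before the rest of the markup is parsed
      } else if (closeTag) {
        if (this.stack.length > 1 && this.current.tag === closeTag.toLowerCase()) this.stack.pop();
      } else if (openTag) {
        const el = new Element(openTag.toLowerCase(), id);
        if (id) this.byId.set(id, el);
        this.current.children.push(el);
        this.stack.push(el);
      } else if (text !== undefined) {
        this.current.children.push(text);
      }
    }
  }

  runScript(body) {
    if (++this.scriptsRun > DEMO_SCRIPT_BUDGET) {
      this.terminated = true;           // demo watchdog only; a 1.8.1 build just keeps going
      this.errors.push("demo budget exhausted: the real browser would be locked up");
      return;
    }
    const fn = new Function("document", "dos", body); // script sees document and the id-named element
    try {
      fn(this, this.byId.get("dos"));
    } catch (e) {
      if (e instanceof RangeError) this.terminated = true; // JS stack blown: stop the demo
      this.errors.push(String(e));      // uncaught exception: reported, parsing continues unless aborted
    }
  }
}

// The testcase from the bug report, verbatim (the dos element wraps the script).
const TESTCASE = `<HTML><BODY>
<FireFox id=dos>
<SCRIPT language=javascript>
    document.write(dos.innerHTML);
</SCRIPT>
</FireFox>
</BODY></HTML>`;

function load(guard) {
  const doc = new ToyDocument(guard);
  doc.parse(TESTCASE);
  return { scriptsRun: doc.scriptsRun, maxDepth: doc.maxDepthSeen, errors: doc.errors };
}

console.log("unguarded:", load(false)); // nesting grows until the demo budget fires
console.log("guarded:  ", load(true));  // 21 scripts, depth 20, one NS_ERROR_UNEXPECTED, load aborted
```

Run it with node. The unguarded load only stops because of the demo budget, which stands in for the lock-up the verification comment describes; the guarded load runs 21 scripts, reaches depth 20, reports one uncaught NS_ERROR_UNEXPECTED and aborts the parse, which is the shape of the trunk behaviour in comment 2. The design point is that the cap has to sit on the nesting depth of document.write during parsing, not on script count or on the size of the written string: each level here writes only a few hundred bytes, and nothing about one call looks wrong in isolation.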
Normally you would put in the summary a useful description in the bug, fwiw.
This bug sounds like a duplicate of bug 185945 to me.

Comment 2 (11 years ago)
Created attachment 285863 [details]
testcase

On Linux, 1.8.1 doesn't terminate but keeps throwing:

Break: at file /work/mozilla/builds/1.8.1/mozilla/content/events/src/nsEventListenerManager.cpp, line 1745
JavaScript error: http://local/bugzilla.mozilla.org/400792.html, line 25788: too much recursion

Trunk throws and terminates after several:

WARNING: NS_ENSURE_TRUE(!mTooDeepWriteRecursion) failed: file /work/mozilla/builds/1.9.0/mozilla/content/html/document/src/nsHTMLDocument.cpp, line 2401
JavaScript error: http://local/bugzilla.mozilla.org/400792.html, line 6: uncaught exception: [Exception... "Component returned failure code: 0x8000ffff (NS_ERROR_UNEXPECTED) [nsIDOMNSHTMLDocument.write]"  nsresult: "0x8000ffff (NS_ERROR_UNEXPECTED)"  location: "JS frame :: http://local/bugzilla.mozilla.org/400792.html :: <TOP_LEVEL> :: line 6"  data: no]

The testcase in bug 185945 also terminates on the trunk.

Looks like bug 197052 fixed this.
So maybe the patch for bug 197052 should be considered for branch, if I understand correctly?
Component: Security → General
Keywords: crash
Product: Firefox → Core
QA Contact: firefox → general
Summary: Mozilla/5.0(windows;U;Windows NT 5.2;zh-CN;1.8.1.4) Gecko/200070515 Firefox/2.0.0.4 → recursive document.write leads to crash
Depends on: 197052
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.10?
Whiteboard: [sg:nse dos] fixed by bug 197052 on trunk?
Version: unspecified → 1.8 Branch
Don't know why this is UNCO, seems pretty clear that it happens.
Status: UNCONFIRMED → NEW
Ever confirmed: true
bug 197052 is now fixed on branch, so this one should be too.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Keywords: fixed1.8.1.12
Resolution: --- → FIXED

Updated (11 years ago)
Flags: in-testsuite?
Verified with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre and Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:1.8.1.12pre) Gecko/2008011803 BonEcho/2.0.0.12pre. On both systems, with 2.0.0.11, the browser locks up and becomes unresponsive but the nightly handles it fine.
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.1.12 → verified1.8.1.12
Flags: blocking1.8.1.12?
Whiteboard: [sg:nse dos] fixed by bug 197052 on trunk? → [sg:nse dos] fixed by bug 197052
Group: security
Duplicate of this bug: 229035