486251 - Firefox XML XUL parser memory corruption

Status: VERIFIED DUPLICATE of bug 485941

(Firefox :: Security, defect)

Description

[samuelmarks]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.8) Gecko/2009032609 Firefox/3.0.8

Crashes on opening of html

- If you like I can host it on my website...

Just ask me!

Reproducible: Always

Steps to Reproduce:
1.Download the zip
2.Extract the zip
3.Open poc.html
Actual Results:  
Crash

Expected Results:  
Crash

- If you like I can host it on my website...

Just ask me!

Comment 1

[reelix]

Found on:

http://milw0rm.com/exploits/8306

Confirmed by me.

Hosted On: http://www.reelix.za.net/KO/Firefox 3.0.8.html

Comment 2

[reelix]

Attachment: Firefox 3.0.8 Crash File

Comment 4

[Boris Zbarsky [:bzbarsky]]

Verified.  Note that in fact there is no "XUL" involved, nor memory corruption.  All hail people just making stuff up.

Comment 5

[samuelmarks]

Thanks for your replies (everyone)

Also, thanks for giving me access to the 'duplicate' bug.

Boris: What do you think it should be called, this security vulnerability?

Comment 6

[Boris Zbarsky [:bzbarsky]]

It's a stack overflow caused by a deeply nested DOM tree (not to be confused with a stack buffer overflow).  See http://en.wikipedia.org/wiki/Stack_overflow

It's also not a security vulnerability; it doesn't allow the attacker to run code.  It's just a DoS.

Comment 7

[samuelmarks]

Oh, okay.

Although DoS's like this could be used the other way around...

Crashing Firefox then opening there own hacked version of Firefox...

Comment 8

[Boris Zbarsky [:bzbarsky]]

Um.. if someone can run a hacked version of Firefox on your computer, you just lose.  Why would they need to crash the running one?  They could just ask it nicely to shut down.

Comment 9

[samuelmarks]

LOL

True True