Bug 489755: XUL parser buffer overflow
Status: RESOLVED DUPLICATE of bug 485941
Opened 15 years ago
Closed 15 years ago
Categories: Firefox :: Security, defect
People: Reporter: wojtekp, Unassigned
Details
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; pl; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: http://download.mozilla.org/?product=firefox-3.0.9&os=win&lang=pl

Hi, I started fuzzing Firefox's XML/XUL parser and I've found an interesting bug. As I see it, I can manipulate ESP, but only in a limited stack area. It looks like an unexploitable situation; however, I couldn't find an attack vector other than DoS. I've already posted a PoC to milw0rm and packetstorm, so the bug has been public for some time. Let me know your thoughts.

Reproducible: Always

Steps to Reproduce:
1. Create an XML file with loads of open nodes (<a1><a2><a3>...<a30000>) and never close them.
2. Fire up your debugger-of-choice :) and attach to the Firefox process.
3. Open the previously created file and watch the Stack Overflow trap - you land in XUL cleanup code as far as I remember.
4. Check out the ESP value (here it's 00330000).

Actual Results:
Mozilla crashed with a buffer-overflow condition. I checked it on the current Firefox build - the problem is still there.
Comment 1 • 15 years ago
Is this similar or a dupe of bug 485941?
Updated • 15 years ago
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
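
The input pattern in the report (thousands of elements opened and never closed) can be screened with a nesting-depth limit before a document reaches a consumer that recurses per element. The following is an added example, not code from this bug or from Mozilla: a streaming depth check using Python's expat binding, where `MAX_DEPTH`, `check_nesting` and `unclosed_sample` are assumed names and the limit is an assumed value.

```python
import xml.parsers.expat

MAX_DEPTH = 256  # assumed policy limit, not a value from the bug report


class DepthLimitExceeded(Exception):
    """Raised from the start-element handler to abort parsing early."""


def check_nesting(data: bytes, max_depth: int = MAX_DEPTH, chunk: int = 4096) -> dict:
    """Stream `data` through expat and track open-element depth.

    Returns a verdict plus the deepest nesting seen before parsing stopped.
    """
    parser = xml.parsers.expat.ParserCreate()
    state = {"depth": 0, "max_seen": 0}

    def on_start(name, attrs):
        state["depth"] += 1
        state["max_seen"] = max(state["max_seen"], state["depth"])
        if state["depth"] > max_depth:
            raise DepthLimitExceeded(name)

    def on_end(name):
        state["depth"] -= 1

    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        # Feed in chunks so an oversized document is rejected without
        # being parsed to the end.
        for off in range(0, len(data), chunk):
            parser.Parse(data[off:off + chunk], False)
        parser.Parse(b"", True)  # final call reports unclosed elements
    except DepthLimitExceeded:
        verdict = "rejected-depth"
    except xml.parsers.expat.ExpatError:
        verdict = "malformed"
    else:
        verdict = "ok"
    return {"verdict": verdict, "max_seen": state["max_seen"]}


def unclosed_sample(n: int) -> bytes:
    """Constructed input: n elements opened and never closed."""
    return "".join(f"<a{i}>" for i in range(1, n + 1)).encode()


if __name__ == "__main__":
    print(check_nesting(b"<r><a><b/></a></r>"))
    print(check_nesting(unclosed_sample(1000)))
```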