Closed Bug 489755 Opened 15 years ago Closed 15 years ago

XUL parser buffer overflow

Categories: Firefox :: Security, defect
Platform: x86, Windows XP
Priority: Not set
Severity: critical

RESOLVED DUPLICATE of bug 485941

People: Reporter: wojtekp; Assignee: Unassigned

Details

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; pl; rv:1.9.0.4) Gecko/2008102920  Firefox/3.0.4
Build Identifier: http://download.mozilla.org/?product=firefox-3.0.9&os=win&lang=pl

Hi,
I started fuzzing Firefox's XML/XUL parser and I've found an interesting bug. As far as I can see, I can manipulate ESP, but only within a limited stack area. It looks like an unexploitable situation; however, I couldn't find an attack vector other than DoS. I've already posted the PoC to milw0rm and packetstorm, so the bug has been public for some time. Let me know your thoughts.

Reproducible: Always

Steps to Reproduce:
1. Create an XML file with loads of open nodes (<a1><a2><a3>...<a30000>) and never close them.
2. Fire up your debugger of choice :) and attach to the Firefox process.
3. Open the previously created file and watch the stack overflow trap - you land in XUL cleanup code, as far as I remember.
4. Check out the ESP value (here it's 00330000).
Actual Results:
Mozilla crashed with a buffer-overflow condition.
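The mitigation for this class of bug is to bound element nesting before a per-level recursion can exhaust the stack. The following is an added example, not Firefox's or Mozilla's code: it parses with expat and rejects the document as soon as the depth passes a limit, without consuming the rest of the input. The limit of 1000, the function names and the sample input (constructed to match the shape the report describes) are all assumptions.

```python
import xml.parsers.expat


class NestingTooDeep(ValueError):
    """Raised when element nesting exceeds the configured limit."""


def max_element_depth(data: bytes, limit: int = 1000) -> int:
    """Return the deepest element nesting in `data`; raise NestingTooDeep as
    soon as it passes `limit`, before the rest of the input is consumed.
    Unclosed elements that stay under the limit raise expat's own ExpatError."""
    depth = deepest = 0
    parser = xml.parsers.expat.ParserCreate()

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        deepest = max(deepest, depth)
        if depth > limit:  # assumed limit; Firefox's real bound is not on this page
            raise NestingTooDeep(f"element depth {depth} exceeds limit {limit}")

    def end(name):
        nonlocal depth
        depth -= 1

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(data, True)  # isfinal=True so truncated input is reported
    return deepest


def is_within_limit(data: bytes, limit: int = 1000) -> bool:
    """True if the document nests no deeper than `limit`, else False."""
    try:
        max_element_depth(data, limit)
        return True
    except NestingTooDeep:
        return False


def make_nested(n: int, close: bool) -> bytes:
    """Constructed sample input: n nested <a1>..<aN> elements, optionally
    left unclosed, which is the shape of the document the report describes."""
    opening = "".join(f"<a{i}>" for i in range(1, n + 1))
    closing = "".join(f"</a{i}>" for i in range(n, 0, -1)) if close else ""
    return (opening + closing).encode()
```

A recursive parser guarded this way fails with a clean error at depth limit+1 instead of trapping in cleanup code once the stack is gone.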


I checked it on the current Firefox build; the problem is still there.
Is this similar or a dupe of bug 485941?
Group: core-security
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE