Closed Bug 504810 Opened 15 years ago Closed 15 years ago

New Exploit released for MFSA 2009-41

Categories

(Firefox :: General, defect)

x86
Windows Vista
defect
Not set
critical

RESOLVED DUPLICATE of bug 503286

People

(Reporter: matafagafo, Unassigned)

Details

(Whiteboard: [sg:dupe 503286])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

New Exploit Released 

Reproducible: Always

Steps to Reproduce:
1. Execute the exploit
Actual Results:  
Crash

Expected Results:  
Not crash

This happens in 3.5.1 too!
http://crash-stats.mozilla.com/report/index/afb7fc80-2150-4d3c-a363-cb8752090717

0 @0xd9d9fe3f  	
1 js_Execute 	js/src/jsinterp.cpp:1622
2 JS_EvaluateUCScriptForPrincipals 	js/src/jsapi.cpp:5145
3 nsJSContext::EvaluateString 	dom/src/base/nsJSEnvironment.cpp:1631
4 nsScriptLoader::EvaluateScript 	content/base/src/nsScriptLoader.cpp:686
5 nsScriptLoader::ProcessRequest 	content/base/src/nsScriptLoader.cpp:600
6 nsScriptLoader::ProcessScriptElement 	content/base/src/nsScriptLoader.cpp:554
7 nsScriptElement::MaybeProcessScript 	content/base/src/nsScriptElement.cpp:193
8 nsHTMLScriptElement::MaybeProcessScript 	content/html/content/src/nsHTMLScriptElement.cpp:546
9 HTMLContentSink::ProcessSCRIPTEndTag 	content/html/document/src/nsHTMLContentSink.cpp:3145
10 SinkContext::CloseContainer 	content/html/document/src/nsHTMLContentSink.cpp:1022
11 HTMLContentSink::CloseContainer 	content/html/document/src/nsHTMLContentSink.cpp:2396
12 CNavDTD::CloseContainer 	parser/htmlparser/src/CNavDTD.cpp:2804
No crash with Minefield, checking 3.5.1 next...
No crash with 3.5.1-mac. Dup of bug 503286?
No crash on winxp 3.5.1, but it did crash 3.5 with bp-f29e706d-7d01-4904-835c-663562090717.

Fernando, can you reproduce the crash with Firefox 3.5.1 and paste the crash id here? Go to about:crashes to see the list of recent crashes.
I submitted the crash report but my about:crashes is empty!
But in my profile "Crash Reports\pending" there are the following files:
2ae6faad-cdc3-434f-96ab-f627d4f57934.dmp
2ae6faad-cdc3-434f-96ab-f627d4f57934.extra

They were created at the time of the crash.
The crash doesn't happen every time I open the page; sometimes I need to open several tabs to reproduce the crash.
Need to know if this is reproducible. The text in that milw0rm URL at the top:

> # Pythonized by: David Kennedy (ReL1K) @ SecureState

indicates to me, at least, that this is just a Python version of http://www.milw0rm.com/exploits/9137 isn't it?
yes... seems kinda silly to create a python version of a static page
Doesn't crash my 191 tree on 10.4, with this push as the most recent in-tree push in it (penultimate push to release tagging, so 3.5.1 in essence):

changeset:   26066:b91c9ee69e6e
tag:         qparent
user:        Gavin Sharp <gavin@mozilla.com>
date:        Wed Jul 15 01:39:35 2009 -0400
summary:     Bug 501605: address review comments from comment 163, a=beltzner
No crash for me running 3.5.1 release on Vista SP1 and OS X 10.5.7.
Erm, that exploit claims to carry shellcode that opens a meterpreter port or similar. Not exactly harmless. Please defang or run in very sandboxy VM you're willing to have taken over.

Also: checking for "crash" might not be enough. Check to see if the damn shellcode ran and opened up a port on your machine!

(No crash on linux, but it *claims* a win32 payload. Here's hoping. Ouch.)
QA is reporting no crash on 3.5.1 on XP.
So far no crashes by the QA team.  4 people tried on 3.5.1 on XP.  One tried Vista. 

My user agent:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
fwiw, i got the unresponsive script warning 2 times while loading the testcase but no crash.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Have any of them checked to see if their machines just got taken over? Seriously. If this is *active* shellcode, please stop running it on developer machines!
This is a dupe of bug 503286 (the exploit code written by the Python script is exactly the same as the 0-day code) -- marking as such.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 503286]
No crash on 3.5.1/XP, but I did crash on 3.5/XP.

http://crash-stats.mozilla.com/report/index/ee6be8bf-690d-4346-9966-9ea892090717

User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
As I said, I can't reproduce the crash every time, but FF crashed 7 times in my tests; unfortunately the submissions of the crashes all failed, as you can see in my profile's submit.log file below.
Maybe these crashes are caused by some problem in my computer/profile, or some race condition.

Submit.log file:
[07/17/09 11:49:30] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 13:10:59] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 13:16:11] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:12:32] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:27:01] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:27:13] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:54:39] Crash report submission failed: A operação foi concluída com êxito.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
I feel like I'm talking to thin air. Please read this:

  LOADING THE ATTACHMENT IN ORDER TO "TEST" IT MAY TAKE OVER YOUR COMPUTER 

For those of you who clicked through already and are curious to see what your machine may have just done, browse this:

http://www.metasploit.org/data/shellcode/win32_bind.asm

Thankfully it doesn't look like it automatically joins a botnet or anything else sinister, just opens a shell listener, but be *careful*, and please, someone with edit permission, remove that attachment (with scripting turned *off* on your machine, note) and replace with a quoted one.

Anyone who ran it, *please* have a look at your machine for opened ports anyways. You may well have a shell listener active now that anyone who can contact you can use. Reboot asap if you can. And check for new arrivals via any sort of scanners you have.

Live versions of this code, or similar cases, can very well cost the organization dearly if run on developer machines. Please don't post live-exploit stuff like this. Defang at *least*, defanged and quoted is better.
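As an added defender-side example (not code from the bug report or from Mozilla), the check asked for above: diff the LISTENING sockets in `netstat -an` output captured before and after loading a test case, so a bind-shell listener shows up as a new entry. The sample netstat text and the port 4444 listener are constructed for illustration, not values taken from this page.

```python
import re
import subprocess
import sys

# Constructed sample of `netstat -an` output in the shape Windows XP/Vista prints it.
# The 0.0.0.0:4444 listener is a constructed stand-in for a bind shell, not a value
# from the bug report.
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:500            *:*
"""

AFTER_NETSTAT = BASELINE_NETSTAT + """\
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1040      192.168.1.20:80        ESTABLISHED
"""

# proto, local ip (IPv4 or bracketed IPv6), local port, foreign addr, optional state
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$")


def listening_sockets(netstat_output):
    """Return the set of (proto, local_ip, port) for TCP sockets in LISTENING state."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or an address shape we don't handle
        proto, ip, port, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            found.add((proto, ip, int(port)))
    return found


def new_listeners(baseline_output, current_output):
    """Listeners present now that were absent from the pre-test baseline."""
    return sorted(listening_sockets(current_output) - listening_sockets(baseline_output))


if __name__ == "__main__":
    # Usage: save `netstat -an > baseline.txt` before loading anything, then run
    # `python this_script.py baseline.txt` afterwards; with no argument the sample runs.
    if len(sys.argv) == 2:
        baseline = open(sys.argv[1], encoding="utf-8", errors="replace").read()
        current = subprocess.run(["netstat", "-an"], capture_output=True, text=True).stdout
    else:
        baseline, current = BASELINE_NETSTAT, AFTER_NETSTAT
    for proto, ip, port in new_listeners(baseline, current):
        print(f"NEW LISTENER: {proto} {ip}:{port}")
```

A listener that appears only after the test case was loaded is the signal; an established outbound connection (the last sample line) is deliberately not flagged by this check.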
Whiteboard: [sg:dupe 503286]
(Running in a VM, thanks Graydon!) I just get a slow script dialog so far. Win XP, Fx 3.5.1.
Sid had me run the exploit with calc.exe substituted in the payload.  Calc.exe came up when running 3.5 on XP.  Did _not_ come up when running 3.5.1 on XP.
This is like the neutered patch, but launches calc.exe if it is successful (no remote shell)
Reproducible Scenario:

1. Open up Task Manager
2. Open Firefox ( Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 )
3. Open up bug attachment from desktop.

http://crash-stats.mozilla.com/report/index/2685427b-fee7-4e64-b3f2-96db12090717?p=1

I've got 4 more crash reports if you want them.
Forgot to mention this has been confirmed for both attachments just now.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Why on earth would Task Manager being open have an effect on how we run this code?

Aakash: can you try the exploit in bug 503286 when Task Manager is open?
Safe on all testcases in bug 503286, Mike.
Status: NEW → UNCONFIRMED
Ever confirmed: false
Aakash: I heard from Damon that comment 26 is in error and this bug is INVALID or a dupe of bug 503286?
Yeah, the build ID is for Fx3.5, so it's unconfirmed. I wasn't able to reproduce in a variety of scenarios on Fx3.5.1. So, I'd move this to RESOLVED DUPLICATE of bug 503286 due to the other findings as well as my own comments.

If anyone has a differing opinion, please bring it up.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Any reason to keep this bug private?
Summary: New Exploit released for Font Tag → New Exploit released for MFSA 2009-41
Whiteboard: [sg:dupe 503286]
Only thing I can think of is if we think that the content indicates other ways to exploit us. I don't believe any comments do, nor do any of the testcases. Bug 503286 is open, so this probably should be as well.
Is there any way to remove the attachment before we open the bug? Someone is going to click on it accidentally for sure ...
Attachment #389169 - Attachment is private: true
(In reply to comment #34)
> Is there any way to remove the attachment before we open the bug? Someone is
> going to click on it accidentally for sure ...

We can hide attachments, though we can't remove it.  I've hidden Sid's last attachment.
It's the first attachment that needs to go. The one marked LIVE SHELL CODE, DO NOT RUN.
Attachment #389169 - Attachment is private: false
Only members of the security group can see that attachment, and it's being served as text/plain to save even them from accidental clicks.
Back to comment 0. Here at Mozilla we're all certain the meat of this exploit is identical to milw0rm 9137, fixed in bug 503286 and shipped with Firefox 3.5.1, yet _something_ is crashing Fernando and he's got the (non-submitted) crash stacks to prove it.

Is there a way to manually submit those, or could he attach one here and have one of us submit it?
#38: Yeah, I did some more testing with 1.9.1 debug and TM tip debug. Neither of them crash on Mac. The stacks from Fernando would be very useful.
Group: core-security