Closed
Bug 504810
Opened 15 years ago
Closed 15 years ago
New Exploit released for MFSA 2009-41
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 503286
People
(Reporter: matafagafo, Unassigned)
Details
(Whiteboard: [sg:dupe 503286])
Attachments
(2 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1 (.NET CLR 3.5.30729)

New Exploit Released

Reproducible: Always

Steps to Reproduce:
1. Execute the exploit

Actual Results:
Crash

Expected Results:
Not crash

This happens in 3.5.1 too!
Comment 1•15 years ago
http://crash-stats.mozilla.com/report/index/afb7fc80-2150-4d3c-a363-cb8752090717
0 @0xd9d9fe3f
1 js_Execute js/src/jsinterp.cpp:1622
2 JS_EvaluateUCScriptForPrincipals js/src/jsapi.cpp:5145
3 nsJSContext::EvaluateString dom/src/base/nsJSEnvironment.cpp:1631
4 nsScriptLoader::EvaluateScript content/base/src/nsScriptLoader.cpp:686
5 nsScriptLoader::ProcessRequest content/base/src/nsScriptLoader.cpp:600
6 nsScriptLoader::ProcessScriptElement content/base/src/nsScriptLoader.cpp:554
7 nsScriptElement::MaybeProcessScript content/base/src/nsScriptElement.cpp:193
8 nsHTMLScriptElement::MaybeProcessScript content/html/content/src/nsHTMLScriptElement.cpp:546
9 HTMLContentSink::ProcessSCRIPTEndTag content/html/document/src/nsHTMLContentSink.cpp:3145
10 SinkContext::CloseContainer content/html/document/src/nsHTMLContentSink.cpp:1022
11 HTMLContentSink::CloseContainer content/html/document/src/nsHTMLContentSink.cpp:2396
12 CNavDTD::CloseContainer parser/htmlparser/src/CNavDTD.cpp:2804
Comment 2•15 years ago
Comment 3•15 years ago
No crash with Minefield, checking 3.5.1 next...
Comment 4•15 years ago
No crash with 3.5.1-mac. Dup of bug 503286?
Comment 5•15 years ago
No crash on winxp 3.5.1, but it did crash 3.5 with bp-f29e706d-7d01-4904-835c-663562090717. Fernando, can you reproduce the crash with Firefox 3.5.1 and paste the crash id here? Go to about:crashes to see the list of recent crashes.
Reporter
Comment 6•15 years ago
I submitted the crash report but my about:crashes is empty! But in my profile "Crash Reports\pending" are the following files:
2ae6faad-cdc3-434f-96ab-f627d4f57934.dmp
2ae6faad-cdc3-434f-96ab-f627d4f57934.extra
They were created at the time of the crash.
Reporter
Comment 7•15 years ago
The crash doesn't happen every time I open the page; sometimes I need to open several tabs to reproduce the crash.
Comment 8•15 years ago
Need to know if this is reproducible. The text in that milw0rm URL at the top:
> # Pythonized by: David Kennedy (ReL1K) @ SecureState
indicates to me, at least, that this is just a Python version of http://www.milw0rm.com/exploits/9137, isn't it?
Comment 9•15 years ago
yes... seems kinda silly to create a python version of a static page
Comment 10•15 years ago
Doesn't crash my 191 tree on 10.4, with this push as the most recent in-tree push in it (penultimate push to release tagging, so 3.5.1 in essence):
changeset: 26066:b91c9ee69e6e
tag: qparent
user: Gavin Sharp <gavin@mozilla.com>
date: Wed Jul 15 01:39:35 2009 -0400
summary: Bug 501605: address review comments from comment 163, a=beltzner
Comment 11•15 years ago
No crash for me running 3.5.1 release on Vista SP1 and OS X 10.5.7.
Comment 12•15 years ago
Erm, that exploit claims to carry shellcode that opens a meterpreter port or similar. Not exactly harmless. Please defang or run in very sandboxy VM you're willing to have taken over. Also: checking for "crash" might not be enough. Check to see if the damn shellcode ran and opened up a port on your machine! (No crash on linux, but it *claims* a win32 payload. Here's hoping. Ouch.)
Comment 13•15 years ago
QA is reporting no crash on 3.5.1 on XP.
Comment 14•15 years ago
So far no crashes by the QA team. 4 people tried on 3.5.1 on XP. One tried Vista.
My user agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Comment 15•15 years ago
fwiw, i got the unresponsive script warning 2 times while loading the testcase but no crash.
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.1) Gecko/20090715 Firefox/3.5.1
Comment 16•15 years ago
Have any of them checked to see if their machines just got taken over? Seriously. If this is *active* shellcode, please stop running it on developer machines!
Comment 17•15 years ago
This is a dupe of bug 503286 (the exploit code written by the Python script is exactly the same as the 0-day code) -- marking as such.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
Updated•15 years ago
Whiteboard: [sg:dupe 503286]
Comment 18•15 years ago
No crash on 3.5.1/XP, but I did crash on 3.5/XP.
http://crash-stats.mozilla.com/report/index/ee6be8bf-690d-4346-9966-9ea892090717
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5
Reporter
Comment 19•15 years ago
As I said, I can't reproduce the crash every time, but FF crashed 7 times in my tests. Unfortunately the submissions of the crashes all failed, as you can see in my profile submit.log file below. Maybe these crashes are caused by some problem in my computer/profile, or some race condition.

Submit.log file:
[07/17/09 11:49:30] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 13:10:59] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 13:16:11] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:12:32] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:27:01] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:27:13] Crash report submission failed: A operação foi concluída com êxito.
[07/17/09 14:54:39] Crash report submission failed: A operação foi concluída com êxito.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
Comment 21•15 years ago
I feel like I'm talking to thin air. Please read this:

LOADING THE ATTACHMENT IN ORDER TO "TEST" IT MAY TAKE OVER YOUR COMPUTER

For those of you who clicked through already, and curious to see what your machine may have just done, browse this:
http://www.metasploit.org/data/shellcode/win32_bind.asm

Thankfully it doesn't look like it automatically joins a botnet or anything else sinister, just opens a shell listener, but be *careful*, and please, someone with edit permission, remove that attachment (with scripting turned *off* on your machine, note) and replace with a quoted one.

Anyone who ran it, *please* have a look at your machine for opened ports anyways. You may well have a shell listener active now that anyone who can contact you can use. Reboot asap if you can. And check for new arrivals via any sort of scanners you have.

Live versions of this code, or similar cases, can very well cost the organization dearly if run on developer machines. Please don't post live-exploit stuff like this. Defang at *least*, defanged and quoted is better.
Whiteboard: [sg:dupe 503286]
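The port check comment 21 asks testers to do, as an added example (not code from the bug, its attachments, or Mozilla): diff two netstat-style listening-port snapshots taken before and after loading a testcase in a throwaway VM, and flag any listener that appeared. The netstat text and port 4444 are constructed sample data.

```python
"""Added example: flag TCP listeners that appear after loading a testcase.

The two netstat snapshots below are constructed; port 4444 stands in for the
listener a bind-shell payload would open. Only LISTENING rows are compared,
so the browser's normal outbound connections do not produce noise.
"""
import re

# Constructed `netstat -ano` style output (Windows format), taken before the test.
BASELINE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.0.2.10:49160       198.51.100.5:443       ESTABLISHED     2912
"""

# Constructed snapshot after loading the testcase: one new listener has appeared.
AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       884
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING       3080
  TCP    192.0.2.10:49161       198.51.100.5:443       ESTABLISHED     2912
"""

# proto, local address, local port, foreign address, optional state, optional PID
LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+\S+\s+(\w+)?\s*(\d+)?\s*$")

def listeners(netstat_output):
    """Return {(proto, local_port): pid} for every TCP row in LISTENING state."""
    found = {}
    for raw in netstat_output.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # header line or a row we cannot parse
        proto, _addr, port, state, pid = m.groups()
        if proto == "TCP" and state == "LISTENING":
            found[(proto, int(port))] = int(pid) if pid else None
    return found

def new_listeners(before, after):
    """Listening sockets present in `after` but absent from `before`."""
    base = listeners(before)
    return {k: v for k, v in listeners(after).items() if k not in base}

if __name__ == "__main__":
    for (proto, port), pid in sorted(new_listeners(BASELINE, AFTER).items()):
        print(f"NEW LISTENER {proto}/{port} pid={pid} -- inspect this process")
```

On a real machine, feed the function the saved output of a pre-test and post-test `netstat -ano`; a new listener owned by the browser process is the signal that the payload ran rather than merely crashed.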
(Running in a VM, thanks Graydon!) I just get a slow script dialog so far. Win XP, Fx 3.5.1.
Comment 23•15 years ago
Comment 24•15 years ago
Sid had me run the exploit with calc.exe substituted in the payload. Calc.exe came up when running 3.5 on XP. Did _not_ come up when running 3.5.1 on XP.
Comment 25•15 years ago
This is like the neutered patch, but launches calc.exe if it is successful (no remote shell)
Comment 26•15 years ago
Reproducible Scenario:
1. Open up Task Manager
2. Open Firefox ( Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5 )
3. Open up bug attachment from desktop.

http://crash-stats.mozilla.com/report/index/2685427b-fee7-4e64-b3f2-96db12090717?p=1

I've got 4 more crash reports if you want them.
Comment 27•15 years ago
Forgot to mention this has been confirmed for both attachments just now.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 28•15 years ago
Why on earth would Task Manager being open have an effect on how we run this code? Aakash: can you try the exploit in bug 503286 when Task Manager is open?
Comment 29•15 years ago
Safe on all testcases in bug 503286, Mike.
Updated•15 years ago
Status: NEW → UNCONFIRMED
Ever confirmed: false
Comment 30•15 years ago
Aakash; I heard from Damon that comment 26 is in error and this bug is INVALID or a dupe of bug 503286?
Comment 31•15 years ago
Yeah, the build Id is for Fx3.5, so it's unconfirmed. I wasn't able to reproduce in a variety of scenarios on Fx3.5.1. So, I'd move this to resolved:duplicate of bug 503286 due to the other findings as well as my own comments. If anyone has a differing opinion, please bring it up.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago → 15 years ago
Resolution: --- → DUPLICATE
Comment 32•15 years ago
Any reason to keep this bug private?
Summary: New Exploit released for Font Tag → New Exploit released for MFSA 2009-41
Whiteboard: [sg:dupe 503286]
Comment 33•15 years ago
Only thing I can think of is if we think that the content indicates other ways to exploit us. I don't believe any comments do, nor do any of the testcases. Bug 503286 is open, so this probably should be as well.
Comment 34•15 years ago
Is there any way to remove the attachment before we open the bug? Someone is going to click on it accidentally for sure ...
Attachment #389169 -
Attachment is private: true
Comment 35•15 years ago
(In reply to comment #34)
> Is there any way to remove the attachment before we open the bug? Someone is
> going to click on it accidentally for sure ...

We can hide attachments, though we can't remove it. I've hidden Sid's last attachment.
Comment 36•15 years ago
It's the first attachment that needs to go. The one marked LIVE SHELL CODE, DO NOT RUN.
Attachment #389169 -
Attachment is private: false
Comment 37•15 years ago
Only members of the security group can see that attachment, and it's being served as text/plain to save even them from accidental clicks.
Comment 38•15 years ago
Back to comment 0. Here at Mozilla we're all certain the meat of this exploit is identical to milw0rm 9137, fixed in bug 503286 and shipped with Firefox 3.5.1, yet _something_ is crashing Fernando and he's got the (non-submitted) crash stacks to prove it. Is there a way to manually submit those, or could he attach one here and have one of us submit it?
Comment 39•15 years ago
#38: Yeah, I did some more testing with 1.9.1 debug and TM tip debug. Neither of them crash on Mac. The stacks from Fernando would be very useful.
Updated•15 years ago
Group: core-security