Closed
Bug 824394
Opened 13 years ago
Closed 13 years ago
Possible Buffer OverFlow in XPCShellEnvironment.cpp
Categories: Core :: XPConnect, defect
Status: RESOLVED DUPLICATE of bug 105707
People: Reporter douglaswtcs, Unassigned
Keywords: reporter-external
Attachments (1 file): 32.84 KB, text/plain
User Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0
Build ID: 20120601045813
Steps to reproduce:
I did an analysis of the source code of Mozilla Firefox and I found the bug.
Actual results:
The programmer used the function "strcpy();", which is very vulnerable.
Expected results:
A programming error occurred:

    char line[256];
    fputs(prompt, stdout);
    fflush(stdout);
    if (!fgets(line, sizeof line, file))
        return JS_FALSE;
    strcpy(bufp, line);
    return JS_TRUE;
}

static JSBool
Dump(JSContext *cx,

strcpy(bufp, line);
"Line = 256"
If I exceed "256" I overflow the user's stack.
(BUFFER OVERFLOW ATTACK)
Reporter found this in 9.0b6.
This is the particular function:

GetLine(char *bufp,
        FILE *file,
        const char *prompt)
{
    char line[256];
    fputs(prompt, stdout);
    fflush(stdout);
    if (!fgets(line, sizeof line, file))
        return JS_FALSE;
    strcpy(bufp, line);
    return JS_TRUE;
}
This does appear, on face value, to allow a buffer overflow, as there does not appear to be any bounds check for bufp. While this may overflow in some conditions, it is yet to be seen if said overflow leads to a security vulnerability.
Summary: I Found a vulnerability what permit Buffer OverFlow Attacks in the "Firefox 9.0b6" → Possible Buffer OverFlow in XPCShellEnvironment.cpp
Version: 13 Branch → 9 Branch
Updated•13 years ago
Flags: sec-bounty?
Comment 2•13 years ago
I'd guess that this file is part of XPCShell, which is related to a testing environment, and not part of Firefox itself.
Component: Untriaged → XPCShell Harness
Product: Firefox → Testing
Comment 3•13 years ago
In that case, I don't think this is really a security bug, and can be unhidden.
Comment 4•13 years ago
(If my assessment is correct, that is... I need to double check things before I post.)
Comment 5•13 years ago
You're really only at risk of overflowing buffer[4096]. But xpcshell is not content-visible in any way, so let's open this up.
Group: core-security
Component: XPCShell Harness → XPConnect
Product: Testing → Core
Version: 9 Branch → Trunk
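To make comment 5's point concrete: the 256-byte line buffer caps a single fgets at 255 characters, so a lone strcpy cannot overrun a 4096-byte destination; the exposure only appears if a caller keeps advancing bufp so that several lines accumulate in the same buffer. The program below is an added example written for this page, not code from the bug or from Mozilla's xpcshell. It keeps the quoted GetLine shape beside a bounded variant that takes the remaining capacity, and assumes a caller that accumulates lines into buffer[4096] (the size named in comment 5); the accumulation loop, the helper names and the constructed input are all assumptions of the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for fmemopen */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from the bug: GetLine's local line[256] and, per comment 5,
 * the caller's buffer[4096]. The caller shape (advancing bufp so that several
 * lines accumulate in one buffer) is an assumption made for this example. */
#define LINE_SIZE   256
#define BUFFER_SIZE 4096

typedef enum { GL_OK, GL_EOF, GL_NO_ROOM } GetLineStatus;

/* Shape of the GetLine quoted in the report: bufp carries no capacity. */
static bool GetLineUnbounded(char *bufp, FILE *file, const char *prompt)
{
    char line[LINE_SIZE];
    fputs(prompt, stdout);
    fflush(stdout);
    if (!fgets(line, sizeof line, file))
        return false;
    strcpy(bufp, line);      /* up to 256 bytes land at bufp, unchecked */
    return true;
}

/* Hardened variant: the caller states how much room is left at bufp, and a
 * line that would not fit, NUL included, is refused rather than copied. */
static GetLineStatus GetLineBounded(char *bufp, size_t remaining,
                                    FILE *file, const char *prompt)
{
    char line[LINE_SIZE];
    fputs(prompt, stdout);
    fflush(stdout);
    if (!fgets(line, sizeof line, file))
        return GL_EOF;
    size_t n = strlen(line);
    if (n + 1 > remaining)   /* would write past the caller's buffer */
        return GL_NO_ROOM;
    memcpy(bufp, line, n + 1);
    return GL_OK;
}

/* Constructed input (not from the bug): nlines lines of `width` 'a's plus '\n'. */
static char *make_input(size_t nlines, size_t width)
{
    size_t per = width + 1;
    char *s = malloc(nlines * per + 1);
    if (!s)
        return NULL;
    for (size_t i = 0; i < nlines; i++) {
        memset(s + i * per, 'a', width);
        s[i * per + width] = '\n';
    }
    s[nlines * per] = '\0';
    return s;
}

/* Bytes the unbounded GetLine writes at buffer if the caller advances bufp by
 * strlen(bufp) after each line until EOF: every input byte plus one NUL. */
static size_t demo_unbounded_bytes(size_t nlines, size_t width)
{
    return nlines * (width + 1) + 1;
}

/* The same accumulation loop, but with the bounded reader into buffer[4096].
 * Returns the number of lines accepted; *refused reports a rejected line. */
static int demo_bounded(size_t nlines, size_t width, bool *refused)
{
    char buffer[BUFFER_SIZE];
    char *in = make_input(nlines, width);
    if (!in)
        return -1;
    FILE *f = fmemopen(in, strlen(in), "r");
    if (!f) {
        free(in);
        return -1;
    }
    char *bufp = buffer;
    size_t remaining = sizeof buffer;
    int accepted = 0;
    GetLineStatus st;
    buffer[0] = '\0';
    while ((st = GetLineBounded(bufp, remaining, f, "")) == GL_OK) {
        size_t n = strlen(bufp);
        bufp += n;
        remaining -= n;
        accepted++;
    }
    if (refused)
        *refused = (st == GL_NO_ROOM);
    fclose(f);
    free(in);
    return accepted;
}

static bool demo_bounded_refused(size_t nlines, size_t width)
{
    bool refused = false;
    demo_bounded(nlines, width, &refused);
    return refused;
}

int main(void)
{
    char buffer[BUFFER_SIZE];
    FILE *f = fmemopen("1+1\n", 4, "r");
    if (f && GetLineUnbounded(buffer, f, "js> "))
        printf("single line: %zu bytes, harmless\n", strlen(buffer));
    if (f)
        fclose(f);
    printf("17 x 255-char lines: unbounded needs %zu of %d bytes; bounded accepts %d, refused=%d\n",
           demo_unbounded_bytes(17, 254), BUFFER_SIZE,
           demo_bounded(17, 254, NULL), demo_bounded_refused(17, 254));
    return 0;
}
```

Seventeen full-width lines need 4336 bytes, 240 more than the 4096-byte buffer, so the unbounded copy would run past the end on the seventeenth line; the bounded reader accepts sixteen and refuses the rest. Refusing rather than truncating is deliberate: a silently shortened JavaScript input would be compiled as something other than what was typed.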
Updated•13 years ago
Flags: sec-bounty? → sec-bounty-
Comment 6•13 years ago
Component nit: this was filed against the IPC version of this tool, not the XPConnect version. But since one was based on the other, they both have the same bug.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•1 year ago
Keywords: reporter-external