-Dan Veditz, Mozilla security group member, wrote:
>The exploit example you give is not remote command execution but rather a
>violation of the same origin policy.
First off, the example bug I demonstrated, http://meme-boi.netfirms.com/werd.html, while true it doesn't show remote class loading, is not fixed in 1.4. I haven't tested 1.3, but I assure you there are serious issues, and the bug is different, but I'll let you figure that out.

-Dan Veditz wrote:
>Unless there are additional details you are withholding this same flaw
>was reported on Bugtraq April 15

Here is some select gdb output from an attached session while viewing and executing specially crafted *priva8* (meaning no soup for you) meme156 code from a remote server:

<snip>
[New Thread 1106058544 (LWP 15390)]
[New Thread 1122508080 (LWP 15391)]
[New Thread 1131003184 (LWP 15392)]
[New Thread 1139535152 (LWP 15393)]
[New Thread 1147927856 (LWP 15394)]
[New Thread 1156320560 (LWP 15395)]
[Thread 1156320560 (LWP 15395) exited]
[Thread 1139535152 (LWP 15393) exited]

Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread 1077855392 (LWP 15388)]
0x4003b9dd in JS_CompileUCFunctionForPrincipals () from /usr/lib/libmozjs.so
(gdb) backtrace
#0  0x4003b9dd in JS_CompileUCFunctionForPrincipals () from /usr/lib/libmozjs.so
#1  0x424bf3d6 in NSGetModule () from /usr/local/mozilla/components/libjsdom.so
#2  0x40d2b203 in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#3  0x40b52252 in NSGetModule () from /usr/local/mozilla/components/libgklayout.so
#4  0x40b52525 in NSGetModule ()   //noop begins here on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4)
0xbfffe644:     0x00001000      0x00000011      0x00000064      0x00000003
0xbfffe654:     0x08048034      0x00000004      0x00000020      0x00000005
0xbfffe664:     0x00000006      0x00000007      0x40000000      0x00000008
---Type <return> to continue, or q <return> to quit---
0xbfffe674:     0x00000000      0x00000009      0x08056e20      0x0000000b
0xbfffe684:     0x000001f4      0x0000000c      0x000001f4      0x0000000d
0xbfffe694:     0x00000000      0x0000000e      0x00000000      0x0000000f
0xbfffe6a4:     0xbffffbb4      0x00000000      0x00000000      0x00000000
0xbfffe6b4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffe6c4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffe6d4:     0x00000000      0x00000000      0x00000000      0x00000000
0xbfffe6e4:     0x00000000      0x00000000      0x00000000      0x00000000
</snip>

For authentication purposes, and as further proof of concept that someone(s) dropped the ball and opened up old and new cans of worms, I provide silly denial of service code that should work on mo, Opera and Netscape: http://meme-boi.netfirms.com/modos.html (this won't work on 2.1.4-based browsers).

-Dan Veditz wrote:
>If instead you'd like to give the whitehats time to fix them details would
>be gratefully received by "security" at "mozilla.org"

I thank you for the invitation, but I am a Wal-Mart janitor and I don't have much time for finding bugs, so I am saving more interesting methods of bug harnessing for stalking Clear Channel Communications employees and making them pay for forcing the world to listen to Justin Timberlake.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html