On 5/30/18, EE <nu...@bees.wax> wrote:
> Lee wrote:
>> On 5/29/18, Frank-Rainer Grahl wrote:
>>> Seems to be a "feature" of Sophos to report possible ROP problems in any
>>> software. Use latest compatible Noscript and uBlock and just add an
>>> exception in Sophos.
>>
>> If one wanted to check and see if maybe the possible ROP problem
>> really was the result of executing a piece of malicious code from a
>> web site, how would you go about it?
>>
>> I tried this:
>> C:\Temp>type startSM-with-logging.bat
>> @REM see https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
>> @REM
>>
>> @rem set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5
>>
>> set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
>> @rem nsHttp:3   log only http request and response headers
>>
>> set MOZ_LOG_FILE=%TEMP%\sm-log.txt
>>
>> "c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"
>>
>>
>> which is 1) more verbose than I'd like and 2) not so easy to parse.
>> Is there some other way to keep track of what all SeaMonkey gets off the
>> web?
>>
>> Thanks
>> Lee
>>
>>
>>> Dirk Munk wrote:
>>>> Dirk Munk wrote:
>>>>> I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
>>>>> reported a ROP problem with Seamonkey and closed it down.
>>>>>
>>>>> After restarting Seamonkey everything was fine again.
>>>>>
>>>>> Sophos gave this trace of the problem:
>>>>>
>>>>> Mitigation   ROP
>>>>>
>>>>> Platform     10.0.17134/x64 v614 06_3a
>>>>> PID          18136
>>>>> Application  C:\Program Files\SeaMonkey\seamonkey.exe
>>>>> Description  SeaMonkey 2.49.3
>>>>>
>>>>> Callee Type  LoadLibrary
>>>>>
>>>>> Stack Trace
>>>>> #  Address          Module                   Location
>>>>> -- ---------------- ------------------------ ----------------------------------------
>>>>> 1  00007FFD8A0FBC4D KernelBase.dll
>>>>> 2  00007FFD8D6927D7 ntdll.dll
>>>>> 3  00007FFD8D67AC26 ntdll.dll                __C_specific_handler +0x96
>>>>> 4  00007FFD8D68EDCD ntdll.dll                __chkstk +0x11d
>>>>> 5  00007FFD8D5F6C86 ntdll.dll
>>>>> 6  00007FFD8D68DCFE ntdll.dll                KiUserExceptionDispatcher +0x2e
>>>>>
>>>>> 7  00007FFD3CFAF0FD xul.dll
>>>>>                      80791000                 CMP          BYTE [RCX+0x10], 0x0
>>>>>                      7465                     JZ 0x7ffd3cfaf168
>>>>>                      83b91c2b000000           CMP          DWORD [RCX+0x2b1c], 0x0
>>>>>                      7416                     JZ 0x7ffd3cfaf122
>>>>>                      498bc0                   MOV          RAX, R8
>>>>>                      482500f0ffff             AND          RAX, 0xfffffffffffff000
>>>>>                      488b4008                 MOV          RAX, [RAX+0x8]
>>>>>                      83b87008000000           CMP          DWORD [RAX+0x870], 0x0
>>>>>                      7446                     JZ 0x7ffd3cfaf168
>>>>>                      4d85c0                   TEST         R8, R8
>>>>>                      740c                     JZ 0x7ffd3cfaf133
>>>>>                      4881cae8ff0f00           OR           RDX, 0xfffe8
>>>>>                      833a01                   CMP          DWORD [RDX], 0x1
>>>>>                      7435                     JZ 0x7ffd3cfaf168
>>>>>                      498bc0                   MOV          RAX, R8
>>>>>                      4981e0a0c0ffff           AND          R8, 0xffffffffffffc0a0
>>>>>
>>>>> 8  00007FFD3A505F69 xul.dll
>>>>> 9  00007FFD3A50611B xul.dll
>>>>> 10 00007FFD3CFF9A07 xul.dll
>>>>>
>>>>> Process Trace
>>>>> 1  C:\Program Files\SeaMonkey\seamonkey.exe [18136]
>>>>> 2  C:\Windows\explorer.exe [11128]
>>>>> 3  C:\Windows\System32\userinit.exe [10980]
>>>>> 4  C:\Windows\System32\winlogon.exe [812]
>>>>> winlogon.exe
>>>>>
>>>>> Thumbprint
>>>>> 6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d
>>>>>
>>>>>
>>>> This is a security problem. According to Sophos, Seamonkey is doing something
>>>> it should not be doing, perhaps executing a piece of malicious code from
>>>> a web site?
>>>>
>>>> I've seen the problem more often now, and I wonder if someone can have
>>>> a look at it?
>>>
> What is ROP?  I found 4 possible expansions for that abbreviation.

In the context of an anti-virus msg, most probably
> Return-oriented Programming

see
https://www.coursera.org/learn/software-security/lecture/vjGZA/return-oriented-programming-rop
which gets about half way thru & prompts you to sign up :(  But it's
enough for you to get the idea

Lee
_______________________________________________
support-seamonkey mailing list
support-seamonkey@lists.mozilla.org
https://lists.mozilla.org/listinfo/support-seamonkey
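
Added example, not part of the original thread: one way to reduce the `nsHttp:3` log written by the batch file above to one line per HTTP request, so it can be lined up against the time of an alert. The log line layout in the regex is an assumption and the sample lines are constructed; compare both against a real `sm-log.txt` before relying on it.

```python
import re

# Assumed line layout for MOZ_LOG=timestamp,...,nsHttp:3 (check your own sm-log.txt):
#   <date> <time> UTC - [<thread>]: I/nsHttp <message>
LINE = re.compile(r"^(\S+ \S+) UTC - \[([^\]]*)\]: \w/nsHttp (.*)$")

# Constructed sample, not taken from a real browsing session.
SAMPLE_LOG = """\
2018-05-30 14:02:11.120000 UTC - [Main Thread]: I/nsHttp http request [
2018-05-30 14:02:11.120000 UTC - [Main Thread]: I/nsHttp   GET /index.html HTTP/1.1
2018-05-30 14:02:11.120000 UTC - [Main Thread]: I/nsHttp   Host: www.example.com
2018-05-30 14:02:11.120000 UTC - [Main Thread]: I/nsHttp   Accept: text/html
2018-05-30 14:02:11.120000 UTC - [Main Thread]: I/nsHttp ]
2018-05-30 14:02:11.340000 UTC - [Socket Thread]: I/nsHttp http response [
2018-05-30 14:02:11.340000 UTC - [Socket Thread]: I/nsHttp   HTTP/1.1 200 OK
2018-05-30 14:02:11.340000 UTC - [Socket Thread]: I/nsHttp   Content-Type: text/html
2018-05-30 14:02:11.340000 UTC - [Socket Thread]: I/nsHttp ]
2018-05-30 14:02:11.410000 UTC - [Main Thread]: I/nsHttp http request [
2018-05-30 14:02:11.410000 UTC - [Main Thread]: I/nsHttp   GET /ads/frame.js?id=7 HTTP/1.1
2018-05-30 14:02:11.410000 UTC - [Main Thread]: I/nsHttp   Host: cdn.example.net
2018-05-30 14:02:11.410000 UTC - [Main Thread]: I/nsHttp ]
"""

def parse_requests(text):
    """Return (timestamp, method, host + path) for each complete request block."""
    open_blocks = {}   # thread name -> (timestamp, lines seen inside the block)
    found = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue                       # not an nsHttp line
        ts, thread, msg = m.group(1), m.group(2), m.group(3).strip()
        if msg == "http request [":
            open_blocks[thread] = (ts, [])
        elif msg == "]" and thread in open_blocks:
            start, lines = open_blocks.pop(thread)
            if not lines or len(lines[0].split()) != 3:
                continue                   # empty or malformed request line
            method, path, _version = lines[0].split()
            host = "?"
            for header in lines[1:]:
                name, _, value = header.partition(":")
                if name.strip().lower() == "host":
                    host = value.strip()
            found.append((start, method, host + path))
        elif thread in open_blocks:
            open_blocks[thread][1].append(msg)
    return found

if __name__ == "__main__":
    for ts, method, url in parse_requests(SAMPLE_LOG):
        print(ts, method, url)
```

Response blocks and request blocks cut off mid-way (for example by log rotation) are skipped rather than guessed at.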
