Author Topic: Crash bug in FF 1.5.0.6  (Read 9604 times)


Offline polonus

Crash bug in FF 1.5.0.6
« on: August 26, 2006, 07:05:31 PM »
Hi Malware Fighters,

Researcher Michal Zalewski has uncovered more crash bugs in the Firefox browser. They affect the current version 1.5.0.6. Zalewski has released proof-of-concept attacks. See here:
http://lcamtuf.coredump.cx/ffoxdie.html (Click at your own risk with JavaScript enabled to crash your browser)

The vulnerability results in memory corruption. The cause is a race condition that causes mismanagement of memory, such as freeing the same area twice.

Definition of a race condition:
Irregular behavior of a program due to unexpected critical dependence on the relative timing of events. For example, two different processes may be simultaneously reading from and writing to the same file, resulting in data read not being up-to-date.

When Javascript timers or other browser events interrupt browser components while they are running, freed memory structures are potentially left in an unexpected state.

Such attacks can often lead to arbitrary code execution, but there is no proof that this one can.

Due to heavy code re-use in the Mozilla family, it's possible that products other than Firefox are vulnerable.

So NoScript on, and not a lot can get wrong.
I also found that XPCOM_CORE.DLL, NSPR4.DLL, PLCH.DLL and PLDS4.DLL of the components file have errors on opening through JAR50.DLL, at least as found by Dependency Walker. If you have one wrong plug-in installed it can also crash this browser; to my knowledge Flock is less sensitive here.


polonus

« Last Edit: August 26, 2006, 07:09:19 PM by polonus »
Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Offline polonus

Re: Crash bug in FF 1.5.0.6
« Reply #1 on: August 27, 2006, 12:14:55 AM »
Hello forum members,

Here is a discussion on the race condition (there are two types: the general one and the more renowned data race condition); for specific issues with Mozilla, read:
http://www.novell.com/linux/security/advisories/2006_48_seamonkey.html

Memory corruption with simultaneous events

     Secunia Research has discovered a vulnerability in Mozilla Firefox 1.5 branch, which can be exploited by malicious people to compromise a user's system.

H. D. Moore reported a testcase that was able to trigger a race condition where JavaScript garbage collection deleted a temporary variable still being used in the creation of a new Function object. The resulting use of a deleted object may be potentially exploitable to run native code provided by the attacker.

     The vulnerability is caused due to a memory corruption error within the handling of simultaneously happening XPCOM events, which leads to use of a deleted timer object. This generally results in a crash but potentially could be exploited to execute arbitrary code on a user's system when a malicious website is visited.

Coders should run a Data Race Detection Tool from here:
http://developers.sun.com/prodtech/cc/downloads/drdt/drdt_index.html


polonus
« Last Edit: August 27, 2006, 12:40:50 AM by polonus »
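The two advisories quoted above describe the same shape of bug: one component (a script callback, or the garbage collector) deletes an object while another component (the timer dispatcher, or the Function constructor) is still holding a raw pointer to it. The following C program is an added illustration written for this page, not code from the thread, from Mozilla or from Secunia. It models a timer whose script handler cancels it from inside the callback; all names (`evtimer`, `dispatch_unsafe`, `dispatch_safe`, `run_scenario`) are made up for the example. Instead of really freeing the object it poisons it, so the use-after-free is reported deterministically rather than depending on heap layout. The hardened dispatcher shows the standard fix for this class of bug: hold your own reference across the call so the object cannot die underneath you.

```c
#include <stdio.h>
#include <stdlib.h>

/* Illustrative stand-in for a browser timer object, not Mozilla's code.
 * Lifetime is governed by an explicit reference count. To keep the
 * demonstration deterministic, dropping the last reference poisons the
 * object instead of calling free(); a later access is then counted as a
 * use-after-free rather than corrupting the real heap. */
struct evtimer {
    int refs;                      /* strong references currently held */
    int freed;                     /* 1 once the last reference is gone */
    int fired;                     /* bookkeeping touched after the callback */
    void (*cb)(struct evtimer *);  /* the script-supplied handler */
};

static int g_uaf_count;            /* accesses to a poisoned object */

static struct evtimer *evtimer_new(void (*cb)(struct evtimer *)) {
    struct evtimer *t = calloc(1, sizeof *t);
    if (!t) abort();
    t->refs = 1;                   /* the owner (scheduler) holds one */
    t->cb = cb;
    return t;
}

static void evtimer_addref(struct evtimer *t) { t->refs++; }

static void evtimer_release(struct evtimer *t) {
    if (--t->refs == 0)
        t->freed = 1;              /* real code would free(t) here */
}

/* All post-callback bookkeeping goes through here so that a use of a
 * released timer is detected instead of silently corrupting memory. */
static int evtimer_touch(struct evtimer *t) {
    if (t->freed) {
        g_uaf_count++;
        return -1;
    }
    return ++t->fired;
}

/* A handler that cancels its own timer from inside the callback, i.e.
 * the owner's reference is dropped while the dispatcher is still running. */
static void cancel_self(struct evtimer *t) { evtimer_release(t); }

/* Vulnerable dispatcher: works on a raw pointer. When the callback drops
 * the last reference, the bookkeeping afterwards touches a deleted object. */
static int dispatch_unsafe(struct evtimer *t) {
    t->cb(t);
    return evtimer_touch(t);
}

/* Hardened dispatcher: holds a reference of its own for the duration of
 * the call. The callback may still cancel the timer, but the object can
 * only go away at the dispatcher's final release, after the last access. */
static int dispatch_safe(struct evtimer *t) {
    int r;
    evtimer_addref(t);
    t->cb(t);
    r = evtimer_touch(t);
    evtimer_release(t);
    return r;
}

/* Runs one dispatch of a self-cancelling timer through the chosen
 * dispatcher and returns what the dispatcher returned
 * (-1 = touched a deleted timer, 1 = bookkeeping done on a live one). */
int run_scenario(int safe) {
    struct evtimer *t = evtimer_new(cancel_self);
    int r = safe ? dispatch_safe(t) : dispatch_unsafe(t);
    free(t);                       /* reclaim the stand-in object */
    return r;
}

/* Number of use-after-free accesses a single run of the scenario produces. */
int scenario_uaf_count(int safe) {
    int before = g_uaf_count;
    (void)run_scenario(safe);
    return g_uaf_count - before;
}

int main(void) {
    printf("unsafe dispatcher: result %d, UAF accesses %d\n",
           run_scenario(0), scenario_uaf_count(0));
    printf("safe dispatcher:   result %d, UAF accesses %d\n",
           run_scenario(1), scenario_uaf_count(1));
    return 0;
}
```

The poisoning trick is only there so the example runs the same way on every machine; in a real browser the equivalent access lands on freed heap memory, which is why the advisories say "generally a crash, potentially code execution": whether the freed slot has been reused, and by what, is timing-dependent, which is exactly what makes it a race. The fix in `dispatch_safe` is the same discipline XPCOM-style reference counting exists for: the caller that is about to use an object after invoking foreign code takes its own reference first.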

Summoner Yuna

Re: Crash bug in FF 1.5.0.6
« Reply #2 on: August 27, 2006, 04:31:07 PM »
Would these affect Camino? it is also gecko based

Offline Lisandro

Re: Crash bug in FF 1.5.0.6
« Reply #3 on: August 27, 2006, 04:35:33 PM »
Can't resist... Welcome back Summoner Yuna... It was a long time without you in the forums  ;)
The best things in life are free.

Offline polonus

Re: Crash bug in FF 1.5.0.6
« Reply #4 on: August 27, 2006, 04:57:57 PM »
Hi Summoner Yuna,

Well the proof is in the pudding, click the link I gave in the top posting of this thread, with JavaScript enabled, and after 20 sec you will know if this will result in a crash.
As far as I could establish, the error is in opening the file XPCOM_CORE.DLL (where there are some 73 imports) for the NSGetModule import tables. Another complicating factor is the delay through Windows that produces the errors in opening, as you view it through Dependency Walker. This I established for jar50.dll v 1.8.20060.7278 and in NS_Alloc_P.

polonus

Summoner Yuna

Re: Crash bug in FF 1.5.0.6
« Reply #5 on: August 27, 2006, 06:50:20 PM »
Yes, it crashed Camino on Mac OS X 10.3 on my iBook, so I guess it affects all Gecko browsers.

Hi Tech, yes, it's been over a year.

CharleyO

Re: Crash bug in FF 1.5.0.6
« Reply #6 on: August 28, 2006, 08:10:09 AM »
***

Welcome back, Summoner Yuna. Do not be such a stranger so long.    :)


***

neal62

Re: Crash bug in FF 1.5.0.6
« Reply #7 on: August 28, 2006, 08:28:44 AM »
Hi Polonus,
I also have FF 1.5.0.6. I clicked on the link you posted in your first post. I saw the pic of the woman, waited for 1 to 2 mins, no crash. Clicked on the "More Pictures" link, saw some pictures of a cat and other stuff. Still no crash. This is with NoScript activated and then not activated. Not sure why my FF remained stable? Oh well. Thanks for the info. :) By the way, my JavaScript WAS enabled in FF when doing this.
« Last Edit: August 28, 2006, 08:30:24 AM by neal63 »

..::ReVaN::..

Re: Crash bug in FF 1.5.0.6
« Reply #8 on: August 28, 2006, 11:14:19 AM »
Quote from: polonus
If you have one wrong plug-in installed it can also crash this browser; to my knowledge Flock is less sensitive here.

Hi Damian!

Interesting, I clicked the link and Flock also crashed (NoScript extension not installed) ....

crofty59

Re: Crash bug in FF 1.5.0.6
« Reply #9 on: August 28, 2006, 11:18:38 AM »
Quote from: neal63
Hi Polonus,
I also have FF 1.5.0.6. I clicked on the link you posted in your first post. I saw the pic of the woman, waited for 1 to 2 mins, no crash. Clicked on the "More Pictures" link, saw some pictures of a cat and other stuff. Still no crash. This is with NoScript activated and then not activated. Not sure why my FF remained stable? Oh well. Thanks for the info. :) By the way, my JavaScript WAS enabled in FF when doing this.

Hi polonus
Hi neal63
I got the same result as neal63 did.


galooma

Re: Crash bug in FF 1.5.0.6
« Reply #10 on: August 28, 2006, 11:23:44 AM »
Same result here with FF 1.5.0.6 and the NoScript extension but Java enabled. Nice pics but no crash :)

..::ReVaN::..

Re: Crash bug in FF 1.5.0.6
« Reply #11 on: August 28, 2006, 11:46:42 AM »
I tried again with FF 1.5.0.6 (fresh install with default settings, no extensions installed and JavaScript enabled) and it crashed after 2 seconds ...

..::ReVaN::..

Re: Crash bug in FF 1.5.0.6
« Reply #12 on: August 28, 2006, 12:05:18 PM »
Hi guys!

Installed NoScript, tried again and it did its job very well, no crash at all. When I enabled global scripts (or just scripts from that page) to be run it crashed again, so that made me wonder about what some of you said here:

Quote from: neal63
Hi Polonus,
I also have FF 1.5.0.6. I clicked on the link you posted in your first post. I saw the pic of the woman, waited for 1 to 2 mins, no crash. Clicked on the "More Pictures" link, saw some pictures of a cat and other stuff. Still no crash. This is with NoScript activated and then not activated. Not sure why my FF remained stable? Oh well. Thanks for the info. :) By the way, my JavaScript WAS enabled in FF when doing this.

How did you "deactivate" the NoScript extension, Neal, Crofty and Cloussau?
« Last Edit: August 28, 2006, 12:06:58 PM by M2 »

Offline TedNelly

Re: Crash bug in FF 1.5.0.6
« Reply #13 on: August 28, 2006, 12:10:31 PM »
Hi M, just right-click the NoScript add-on in Tools / Extensions and select Disable.
I think that's how it can be done.
Windows 10 Pro | Intel I7 CPU | 16 Gig 2133 RAM | Avast beta 17.5.2295 | Firefox 54 b9(64-bit) | Cyberfox 52.1 | T-Bird 52.1.1 | SpyWareBlaster 5.5 | MalwareBytes 3.0.0.865 | WinPatrol 35.5.2 | GlassWire 1.2.100 | Cybereason Ransomfree 2.2.7 |  Pulla-dePlug Final!

..::ReVaN::..

Re: Crash bug in FF 1.5.0.6
« Reply #14 on: August 28, 2006, 12:16:31 PM »
Quote from: TedNelly
Hi M, just right-click the NoScript add-on in Tools / Extensions and select Disable.
I think that's how it can be done.

Hi Peter!

I tried that as well ... FF crashes here ... It only passes the test with NoScript turned on (and blocking certain scripts on that site, of course).

What results do the rest of you get?

EDIT: Installed NoScript in Flock and got the same results as with FF...
« Last Edit: August 28, 2006, 12:24:27 PM by M2 »