[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Uninit memory disclosure via truncated images in Firefox

To: bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Uninit memory disclosure via truncated images in Firefox
From: Michal Zalewski <lcamtuf@xxxxxxxxxxx>
Date: Tue, 2 Sep 2014 18:30:20 -0700

Yello,

The recent release of Firefox 32 fixes another interesting image
parsing issue found by afl [1]: following a refactoring of memory
management code, the past few versions of the browser ended up using
uninitialized memory for certain types of truncated images, which is
easily measurable with a simple <canvas> + toDataURL() harness that
examines all the fuzzer-generated test cases.

Depending on a variety of factors, problems like that may leak secrets
across web origins, or more prosaically, may help attackers bypass
security measures such as ASLR. Here's a short proof-of-concept that
should work if you haven't updated to 32 yet:

http://lcamtuf.coredump.cx/ffgif/

This is tracked as CVE-2014-1564, Mozilla bug 1045977, MFSA 2014-69.

[1] http://code.google.com/p/american-fuzzy-lop/

PS. Mildly interesting:
http://www.chromium.org/Home/chromium-security/client-identification-mechanisms

_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Syslog LogAnalyzer persistent XSS injection CVE-2014-6070
Next by Date: Re: [FD] Mogwai Security Advisory MSA-2014-01: ManageEngine EventLog Analyzer Multiple Vulnerabilities
Previous by thread: [FD] Syslog LogAnalyzer persistent XSS injection CVE-2014-6070
Next by thread: [FD] Advanced Access Manager allows admin users to write arbitrary files and execute arbitrary php (WordPress plugin)
Index(es):
- Date
- Thread