Re: [Full-Disclosure] Cross-Platform Browser vulnerabilities - Critical

From: meme-boi (meme-boiat_private)
Date: Sun Jun 08 2003 - 21:40:33 PDT


    -Dan Veditz, Mozilla security group member, wrote:
    
    >The exploit example you give is not remote command execution but rather a
    >violation of the same origin policy.
    
    First off, the example bug I demonstrated:
    
    http://meme-boi.netfirms.com/werd.html
    
    while it's true that it doesn't show remote class loading, is not fixed in 1.4.
    
    I haven't tested 1.3, but I assure you there are serious issues, and the
    bug is different, but I'll let you figure that out.
    
    
    -Dan Veditz wrote:
    
    >Unless there are additional details you are withholding this same flaw
    >was reported on Bugtraq April 15
    
    
    
    Here is some select gdb output from an attached session while
    viewing and executing specially crafted *priva8* (meaning no soup for you)
    meme156 code from a remote server:
    
    <snip>
    
    [New Thread 1106058544 (LWP 15390)]
    [New Thread 1122508080 (LWP 15391)]
    [New Thread 1131003184 (LWP 15392)]
    [New Thread 1139535152 (LWP 15393)]
    [New Thread 1147927856 (LWP 15394)]
    [New Thread 1156320560 (LWP 15395)]
    [Thread 1156320560 (LWP 15395) exited]
    [Thread 1139535152 (LWP 15393) exited]
    
    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 1077855392 (LWP 15388)]
    0x4003b9dd in JS_CompileUCFunctionForPrincipals () from /usr/lib/libmozjs.so
    
    
    (gdb) backtrace
    #0  0x4003b9dd in JS_CompileUCFunctionForPrincipals ()
       from /usr/lib/libmozjs.so
    #1  0x424bf3d6 in NSGetModule ()
       from /usr/local/mozilla/components/libjsdom.so
    #2  0x40d2b203 in NSGetModule ()
       from /usr/local/mozilla/components/libgklayout.so
    #3  0x40b52252 in NSGetModule ()
       from /usr/local/mozilla/components/libgklayout.so
    #4  0x40b52525 in NSGetModule ()
    
    
    //noop begins here on Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4)
    
    0xbfffe644:     0x00001000      0x00000011      0x00000064      0x00000003
    0xbfffe654:     0x08048034      0x00000004      0x00000020      0x00000005
    0xbfffe664:     0x00000006      0x00000007      0x40000000      0x00000008
    ---Type <return> to continue, or q <return> to quit---
    0xbfffe674:     0x00000000      0x00000009      0x08056e20      0x0000000b
    0xbfffe684:     0x000001f4      0x0000000c      0x000001f4      0x0000000d
    0xbfffe694:     0x00000000      0x0000000e      0x00000000      0x0000000f
    0xbfffe6a4:     0xbffffbb4      0x00000000      0x00000000      0x00000000
    0xbfffe6b4:     0x00000000      0x00000000      0x00000000      0x00000000
    0xbfffe6c4:     0x00000000      0x00000000      0x00000000      0x00000000
    0xbfffe6d4:     0x00000000      0x00000000      0x00000000      0x00000000
    0xbfffe6e4:     0x00000000      0x00000000      0x00000000      0x00000000
    
    </snip>
    
    For authentication purposes, and as further proof of concept that someone(s)
    dropped the ball and opened up old and new cans of worms, I provide silly
    denial of service code that should work on mo, opera and netscape:
    http://meme-boi.netfirms.com/modos.html
    
    (this won't work on 2.1.4-based browsers)
    
    
    -Dan Veditz wrote:
    
    >If instead you'd like to give the whitehats time to fix them details would
    >be gratefully received by "security" at "mozilla.org"
    
    
    I thank you for the invitation, but I am a Wal-Mart janitor and I don't
    have much time for finding bugs, so I am saving more interesting methods of
    bug harnessing for stalking Clear Channel Communications employees and
    making them pay for forcing the world to listen to Justin Timberlake.
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    



    This archive was generated by hypermail 2b30 : Mon Jun 09 2003 - 00:58:56 PDT