__________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       | /_\   /    \___
                          \___  __|__ /     \  \___
__________________________________________________________

                             INFORMATION BULLETIN

         Mozilla Firefox has a Memory Corruption [Mozilla Bug 371321]

February 23, 2007 17:00 GMT                                       Number R-162
______________________________________________________________________________
PROBLEM:       Mozilla Firefox does not properly handle JavaScript onUnload
               events. When the structure of a document is modified (for
               example with document.write()) from within an onUnload
               handler during a location transition, freed DOM memory
               structures are left in an inconsistent state.

PLATFORM:      Mozilla Firefox

DAMAGE:        By coercing a user to view a specially crafted HTML document,
               an attacker may be able to execute arbitrary code with the
               privileges of the user.

SOLUTION:      A patch is pending at this time. When the patch becomes
               available, upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. By coercing a user to view a specially
ASSESSMENT:    crafted HTML document, an attacker may be able to execute
               arbitrary code with the privileges of the user.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-162.shtml
 ORIGINAL BULLETIN:  https://bugzilla.mozilla.org/show_bug.cgi?id=371321
______________________________________________________________________________

[***** Start Mozilla Bug 371321 *****]

Bug 371321 - memory corruption when onUnload is mixed with document.write()s
Alias:
Status:             NEW
Severity:           critical
Keywords:           crash, testcase
Whiteboard:         [sg:critical]
URL:                http://lcamtuf.coredump.cx/ietrap/testme.html
Product:            Core
Component:          Security
Version:            Trunk
Hardware:           PC
OS:                 Windows XP
Assigned To:        Daniel Veditz
QA Contact:         toolkit@security.bugs
Priority:           --
Target Milestone:   ---
Depends on:
Blocks:
Reported:           2007-02-22 17:35 PST by Michal Zalewski
Modified:           2007-02-23 08:41:39 PST
Votes:              1
CC:                 bclary@bclary.com, ben.bucksch@beonex.com,
                    bugs@jasnapaka.com, bugzilla.spam2@grull.com,
                    bzbarsky@mit.edu, dieter@komendera.com,
                    dveditz@cruzio.com, gavin.sharp@gmail.com,
                    jruderman@gmail.com, jst@mozilla.org,
                    jwalden+bmo@mit.edu, rdmsoft@bugs.rdmsoft.com,
                    reed@reedloden.com, samuel.sidler@gmail.com,
                    sayrer@gmail.com, steve.england@gmail.com,
                    vimages@well.com

--------------------------------------------------------------------------------

Description   Michal Zalewski   2007-02-22 17:35:49 PST

Firefox is susceptible to a seemingly pretty nasty, and apparently easily
exploitable memory corruption vulnerability. When a location transition
occurs and the structure of a document is modified from within an onUnload
event handler, freed DOM-related memory structures are left in an
inconsistent state, possibly leading to a remote compromise.
A quick test case that crashes while trying to follow corrupted pointers (can
be forced to write, too; tested on Windows XP, IA32):

  http://lcamtuf.coredump.cx/ietrap/testme.html

Cheers,
/mz

Comment #1   Gavin Sharp   2007-02-22 17:41:45 PST

Stack:

dcdcd20
>  JS_ClearScope(cx=0x03ff52a0, obj=0x0521cde0)  Line 3220
   nsJSContext::ClearScope(aGlobalObj=0x0521cde0, aClearFromProtoChain=1)  Line 2971
   nsGlobalWindow::ClearWindowScope(aWindow=0x05221028)  Line 6433
   nsJSContext::ScriptEvaluated(aTerminated=1)  Line 3044
   nsJSContext::CallEventHandler(aTarget=0x04afeb8c, aScope=0x04af1240, aHandler=0x04b07f00, aargv=0x04802850, arv=0x0012f044)  Line 1804
   nsJSEventListener::HandleEvent(aEvent=0x04801b70)  Line 208
   nsEventListenerManager::HandleEventSubType(aListenerStruct=0x04b1fa60, aListener=0x04b1fa10, aDOMEvent=0x04801b70, aCurrentTarget=0x03ff4f70, aPhaseFlags=6)  Line 1230
   nsEventListenerManager::HandleEvent(aPresContext=0x04b01be8, aEvent=0x0012f39c, aDOMEvent=0x0012f304, aCurrentTarget=0x03ff4f70, aFlags=6, aEventStatus=0x0012f308)  Line 1350
   nsEventTargetChainItem::HandleEvent(aVisitor={...}, aFlags=6)  Line 356
   nsEventTargetChainItem::HandleEventTargetChain(aVisitor={...}, aFlags=6, aCallback=0x00000000)  Line 433
   nsEventDispatcher::Dispatch(aTarget=0x03ff4f70, aPresContext=0x04b01be8, aEvent=0x0012f39c, aDOMEvent=0x00000000, aEventStatus=0x0012f398, aCallback=0x00000000, aTargetIsChromeHandler=0)  Line 639
   DocumentViewerImpl::PageHide(aIsUnload=1)  Line 1261
   nsDocShell::FirePageHideNotification(aIsUnload=1)  Line 964
   nsDocShell::CreateContentViewer(aContentType=0x04809280, request=0x0484a954, aContentHandler=0x047c421c)  Line 5705
   nsDSURIContentListener::DoContent(aContentType=0x04809280, aIsContentPreferred=1, request=0x0484a954, aContentHandler=0x047c421c, aAbortProcess=0x0012f540)  Line 138
   nsDocumentOpenInfo::TryContentListener(aListener=0x03fddc48, aChannel=0x0484a954)  Line 789
   nsDocumentOpenInfo::DispatchContent(request=0x0484a954, aCtxt=0x00000000)  Line 488
   nsDocumentOpenInfo::OnStartRequest(request=0x0484a954, aCtxt=0x00000000)  Line 333
   nsHttpChannel::CallOnStartRequest()  Line 712
   nsHttpChannel::ProcessNormal()  Line 883
   nsHttpChannel::ProcessResponse()  Line 767
   nsHttpChannel::OnStartRequest(request=0x0475d298, ctxt=0x00000000)  Line 3954
   nsInputStreamPump::OnStateStart()  Line 434
   nsInputStreamPump::OnInputStreamReady(stream=0x048cd2b8)  Line 390
   nsInputStreamReadyEvent::Run()  Line 112
   nsThread::ProcessNextEvent(mayWait=1, result=0x0012fbc0)  Line 483
   NS_ProcessNextEvent_P(thread=0x00b6c438, mayWait=1)  Line 225
   nsBaseAppShell::Run()  Line 153
   nsAppStartup::Run()  Line 171
   XRE_main(argc=5, argv=0x00b6a360, aAppData=0x00403094)  Line 2838
   main(argc=5, argv=0x00b6a360)  Line 61
   mainCRTStartup()  Line 398

Comment #2   Gavin Sharp   2007-02-22 17:43:09 PST

(In reply to comment #1)
> Stack:
>
> dcdcd20

Oops, this is a copy/paste error. Obviously that should be 0xcdcdcd20.

Comment #3   Dieter Komendera   2007-02-23 04:18:33 PST

This bug also affects Firefox under Linux (Ubuntu).

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20060601
Firefox/2.0.0.1 (Ubuntu-edgy)

[***** End Mozilla Bug 371321 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Mozilla for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC. The Forum of Incident Response
and Security Teams (FIRST) is a world-wide organization. A list of FIRST
member organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-151: GnomeMeeting Security Update
R-152: KOffice Security Update
R-153: Cisco Unified IP Conference Station and IP Phone Vulnerabilities
R-154: Multiple Vulnerabilities in 802.1X Supplicant
R-156: Buffer Overflow in ServerProtect
R-157: Macrovision FLEXnet Connect / InstallShield Update Service Agent
R-158: VeriSign Managed PKI Configuration Checker
R-159: Macrovision / InstallShield InstallFromTheWeb
R-160: McAfee Virex Vulnerability
R-161: Stack Overflow in Third-Party ActiveX Controls