Mozilla Firefox 3.5
versions (and potentially next versions).
P.S.
Also I wrote to Ruben Reguero two days ago, and told him that it was strange
that in Firefox 3.5 he had no problems (with this exploit). And maybe he has
the latest Firefox 3.5.1. After that he answered me and confirmed it.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
Hello Bugtraq!
I want to warn you about Denial of Service vulnerabilities in Firefox,
Internet Explorer, Opera and Chrome.
Recently a buffer overflow vulnerability in Mozilla Firefox 3.5 was found by
Andrew Haynes and Simon Berry-Byrne (http://websecurity.com.ua/3337/). After
I checked this vulnerability in different browsers on 16.07.2009, I found
that this Denial of Service vulnerability also exists in Firefox 3.0.11,
Internet Explorer 6 and Opera 9.52 (and later also in Chrome 2.0.172).
===============================ADVISORY===============================
Name: Autocomplete Data Theft in Mozilla Firefox
Systems Affected: Mozilla Firefox 3.5, Mozilla Firefox 3.0
Severity: Moderate
Category: Data Leakage
Author: Context Information Security Ltd
Advisory: 4 November 2009
CVE: CVE-2009-3370
===========================================================
Ubuntu Security Notice USN-874-1 December 18, 2009
firefox-3.5, xulrunner-1.9.1 vulnerabilities
CVE-2009-3388, CVE-2009-3389, CVE-2009-3979, CVE-2009-3980,
CVE-2009-3982, CVE-2009-3983, CVE-2009-3984, CVE-2009-3985,
CVE-2009-3986
===========================================================
A security issue affects the following Ubuntu releases:
===========================================================
Ubuntu Security Notice USN-853-2 November 11, 2009
firefox-3.5, xulrunner-1.9.1 regression
https://launchpad.net/bugs/480740
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
Affected: 2010.0
_______________________________________________________________________
Problem Description:
Security issues were identified and fixed in firefox 3.5.x:
liboggplay in Mozilla Firefox 3.5.x before 3.5.6 and SeaMonkey before
2.0.1 might allow context-dependent attackers to cause a denial of
service (application crash) or execute arbitrary code via unspecified
vectors, related to memory safety issues. (CVE-2009-3388)
feed aggregator services (e.g. Feed Demon). The vulnerability arises from
the fact that RSS readers are not expected to render scripted content.
I want to extend that research by doing threat analysis on the inbuilt feed
readers offered in most modern browsers. I have found Google Chrome (v2, v3)
and Opera (v9, v10) to be vulnerable, while Internet Explorer (v7, v8), Firefox
3.5 and Safari 4 are resilient to the exploits mentioned below.
IV. DESCRIPTION
-------------------------
Google Chrome’s and Opera’s inbuilt RSS/ATOM readers render untrusted
JavaScript in an RSS/ATOM feed.
===========================================================
Ubuntu Security Notice USN-853-1 October 31, 2009
firefox-3.0, firefox-3.5, xulrunner-1.9, xulrunner-1.9.1 vulnerabilities
CVE-2009-1563, CVE-2009-3274, CVE-2009-3370, CVE-2009-3371,
CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375,
CVE-2009-3376, CVE-2009-3377, CVE-2009-3380, CVE-2009-3381,
CVE-2009-3382, CVE-2009-3383
===========================================================
A security issue affects the following Ubuntu releases:
===========================================================
Ubuntu Security Notice USN-896-1 February 17, 2010
firefox-3.5, xulrunner-1.9.1 vulnerabilities
CVE-2009-1571, CVE-2009-3988, CVE-2010-0159, CVE-2010-0160,
CVE-2010-0162
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
===========================================================
Ubuntu Security Notice USN-921-1 April 09, 2010
firefox-3.5, xulrunner-1.9.1 vulnerabilities
CVE-2010-0173, CVE-2010-0174, CVE-2010-0175, CVE-2010-0176,
CVE-2010-0177, CVE-2010-0178, CVE-2010-0179, CVE-2010-0181,
CVE-2010-0182
===========================================================
A security issue affects the following Ubuntu releases:
===========================================================
Ubuntu Security Notice USN-878-1 January 08, 2010
firefox-3.5, xulrunner-1.9.1 regression
https://launchpad.net/bugs/504516
===========================================================
A security issue affects the following Ubuntu releases:
Ubuntu 9.10
other Mozilla-based products. Some of these crashes showed evidence
of memory corruption under certain circumstances and we presume that
with enough effort at least some of these could be exploited to run
arbitrary code. Vladimir Vukicevic, Jesse Ruderman, Martijn Wargers,
Daniel Banchero, David Keeler, and Boris Zbarsky reported crashes
in the browser engine which affected both Firefox 3 and Firefox 3.5
(CVE-2009-3380). Carsten Book reported a crash in the browser engine
which affected only Firefox 3 (CVE-2009-3382).
This update provides the latest Mozilla Firefox 3.0.x to correct
these issues.
with the new versions/builds and according to tickets filed
under the bugzilla ID, the impact of this bug has changed since
version 3.5. [1]
Hence the list of affected products now is:
- All versions below Firefox 3.5
[1]
--- Comment #28 from PBForeman <dufalcon@yahoo.com> 2009-07-08 09:14:00 PDT ---
When FF3.5 is open, the CPU eventually runs at 99%, using over 100,000K of memory.
Closing FF does not stop the CPU or memory usage. Closing with Task Manager is
> ________________________________________________________________________
> IV. Proof of concept
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> URL: http://www.crashthisthing.com/select.html
I accessed the above URL, followed its instructions, using firefox 3.5
as shipped by Fedora 11 (firefox-3.5-1.fc11.i586), and experienced
none of the stated issues. Business as usual.
32 bit system on an Intel P4 1.8GHz, 1 GB RAM, Fedora 11 with all
current updates as of July/15/09.
And here vulnerabilities have been not only in the browser but also in plug-ins.
Bank clients, business software, antivirus software – all of them use ActiveX (for IE)
for clients, and there have been and still are many vulnerabilities here.
Vendors take steps to defend us from it. Software vendors patch vulnerabilities and OS vendors
use new mechanisms to prevent attacks altogether. But security researchers are trying to find ways to bypass these mechanisms.
The new versions of browsers (Internet Explorer 8 and Firefox 3.5) use permanent DEP.
And the new versions of OS use the ASLR mechanism. All this makes the old methods of attack impossible.
But at BlackHat DC 2010 an interesting way to bypass DEP and ASLR in browsers (and not only there)
and Just-In-Time compilers was presented. This method is called JIT-SPRAY. But there was no public PoC until now.
In this text we describe how to write shellcode for new JIT-Spray attacks and make a universal STAGE 0 shellcode
#############
Test
#############
I tested it in IE8, Firefox 3.5.3 and Safari 4;
in all cases the XSS is executed, including IE8 with the XSS filter :D
A remote user can compose an HTML document
with an iframe and this source for the iframe: