Critacal flaw in Mozilla based browsers

[Faram]

Proof of consept

Bad mozilla BAD

Mozilla
Firefox
Netscape

Is at risk.

[Archaic`]

They dropped the ball bad with this one. Hopefully there'll be an urgent security update soon.

[Terr Fangbite]

Windows crashed Mozilla when I tried running the script. Repeatedly. Funny that.

[Praxis]

Weird. It worked, showing some sites I had just been to. I clicked a couple more times and suddenly Firefox crashed.

[Guy N. Cognito]

Hmmmm.... this isn't good. Luckily I disable external access to my computer when it isn't in use. Still disconcerting though.

[Master of Ossus]

All you have to do is disable JAVA scripting, which is pretty easy with Mozilla (I had actually already done it).

[GrandMasterTerwynn]

Weird. It worked, showing some sites I had just been to. I clicked a couple more times and suddenly Firefox crashed.

Yep. That's what happens when you try to access memory that doesn't belong to you. Seg. fault/core dump.

This is an appallingly bad security bug.

[Dalton]

Crashed my browser too

[Dooey Jo]

Here's the code that does it (except those three Xs should actually be 10 000) :

Code: Select all

function genGluck(str){
	var x = str;
	var rx=/end/i;
	x = x.replace(rx,function($1){
		$1.match(rx);
		return "";
	});
	x = x.replace(/^end/,"");
	return x;
}


function readMemory()
{
	var mem = genGluck("XXXend");

	mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

	document.getElementById('result').value = mem;

}

Now, how the hell does that work? That first regexp up there should replace "end" with nothing, right? And the second regexp replaces all "end" with something before with nothing, so all that basically does is removes that last "end". And that last, mem.replace, should replace most readable characters with a blank space, so why does it write characters from the memory?

This seems to be almost as weird as the time when IE started hating my if-s (which was very weird, but then again, it was IE...)

[Spacebeard]

Now, how the hell does that work? That first regexp up there should replace "end" with nothing, right? And the second regexp replaces all "end" with something before with nothing, so all that basically does is removes that last "end". And that last, mem.replace, should replace most readable characters with a blank space, so why does it write characters from the memory?

The last regexp is doing the reverse of what you say: it's keeping only the human-readable characters, and replacing unprintable characters with a space. Note the '^' at the front of the set; it's matching characters in the complement of that set.

The bug is exploited in the 'genGluck' function. I'm not familiar with Javascript, but it looks as though by using a lambda function as the argument to 'replace' as they do, they are able to read off the end of their allocated string and into the heap. Probably the memory accessible to them depends on where in the heap their string got allocated.

Until there is a fix available, I would turn off Javascript as much as possible, turning it on only for sites that demand the use of it. I would also quit the browser and relaunch after viewing or entering sensitive information.

[Dooey Jo]

Javascript can be very useful, too. Most websites would be a lot less functional without it (for most people anyway). It sucks though that there are people out there that use it to do bad stuff, but I guess that's just the way humans are. Someone comes up with a great idea and someone else have to use it do annoy the shit out of others...

The last regexp is doing the reverse of what you say: it's keeping only the human-readable characters, and replacing unprintable characters with a space. Note the '^' at the front of the set; it's matching characters in the complement of that set.

Ah yes, right you are! *cleans glasses*

The bug is exploited in the 'genGluck' function. I'm not familiar with Javascript, but it looks as though by using a lambda function as the argument to 'replace' as they do, they are able to read off the end of their allocated string and into the heap. Probably the memory accessible to them depends on where in the heap their string got allocated.

Yes, that is what I find strange. That function should just replace the match with nothing, it should not make memory accessible. Well, I guess that's why it's a bug...

[Natorgator]

That's odd. I have Firefox and clicked that test repeatedly but no crash.

I guess that's a good thing, though

[Avalon616]

I'm sure some of you already know this, but Mozilla is already working on the patch (ver. 1.0.3) which should be out in a couple days...

See here.

[The Dark]

*shrug* I don't have Java installed for my Firefox anyway (at least, I don't think I do). I still use IE for Java work because the webpages I work on recognize my copy of it. I wonder if ZoneAlarm blocks that security hole...

[Uraniun235]

*shrug* I don't have Java installed for my Firefox anyway (at least, I don't think I do). I still use IE for Java work because the webpages I work on recognize my copy of it. I wonder if ZoneAlarm blocks that security hole...

Java is not the same as JavaScript.

[The Dark]

*shrug* I don't have Java installed for my Firefox anyway (at least, I don't think I do). I still use IE for Java work because the webpages I work on recognize my copy of it. I wonder if ZoneAlarm blocks that security hole...

Java is not the same as JavaScript.

Doh! . I can't read today. That's what comes of reading through multiple things at work, none of them get read completely correct.

[phongn]

Javascript can be very useful, too. Most websites would be a lot less functional without it (for most people anyway). It sucks though that there are people out there that use it to do bad stuff, but I guess that's just the way humans are. Someone comes up with a great idea and someone else have to use it do annoy the shit out of others...

For example, both Google Maps and Gmail heavily use JavaScript. The technology is generically known as Ajax, or "Asynchronous JavaScript + XML."