carl hardwick | 1 May 2007 09:26

Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

Product: Firefox 2.0.0.3
Description: Out-of-bounds memory access via specially crafted html file
Type: Remote

Vulnerability can be exploited by using a large value in a href tag to
create an out-of-bounds memory access.

Proof Of Concept exploit:
http://www.critical.lt/research/opera_die_happy.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
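The report above gives no detail beyond "a large value in a href tag". As a defensive complement that is not part of the original post or the referenced proof of concept, the following added example audits an HTML document for abnormally long href attribute values, the kind of check a content filter or proxy could run before a page reaches a client browser. The threshold, the function names and the sample documents are assumptions chosen for illustration; the report itself states no number for what "large" means.

```python
"""Added example (not part of the Full-Disclosure thread): flag HTML documents
whose href attribute values are abnormally long. MAX_HREF_LEN, HrefAuditor,
audit_html and the sample documents are assumptions for illustration only."""
from html.parser import HTMLParser

# Assumed threshold: ordinary URLs are well under 2 KiB, so anything longer is
# worth holding for review rather than passing straight to a browser.
MAX_HREF_LEN = 2048


class HrefAuditor(HTMLParser):
    """Collect a finding for every href attribute longer than the limit."""

    def __init__(self, limit=MAX_HREF_LEN):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # attrs is a list of (name, value); value is None for bare attributes.
        for name, value in attrs:
            if name.lower() == "href" and value is not None and len(value) > self.limit:
                line, col = self.getpos()  # position of the start tag
                self.findings.append(
                    {"tag": tag, "line": line, "col": col, "length": len(value)}
                )


def audit_html(document, limit=MAX_HREF_LEN):
    """Return a list of oversized-href findings for one HTML document."""
    parser = HrefAuditor(limit)
    parser.feed(document)
    parser.close()
    return parser.findings


# Constructed sample documents, not the file from the report.
BENIGN = '<html><body><a href="http://example.invalid/page">ok</a></body></html>'
SUSPICIOUS = '<html><body>\n<a href="' + "A" * 10000 + '">x</a>\n</body></html>'

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        print(label, audit_html(doc))
```

The check is deliberately structural rather than signature based: it does not depend on the specific file from the report and also flags the same pattern in any other tag that carries an href, which is why the finding records the tag name along with the position and length.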

Andrew Redman | 1 May 2007 23:29

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

Nothing exciting to report on OS X 10.4 / fully patched / PPC. Kind of 
broke the properties dialog for the link, and used some cpu, but 
definitely caused no crashing.

On WinXP Norton real time protection detected the file in cache as a 
'hack tool.' I disabled that, but Firefox refused to return to the page 
afterward.

 - Andrew

carl hardwick wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html
>


Stan Bubrouski | 1 May 2007 22:15

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

On FF 2.0.0.3 on WinXP SP2+hotfixes clicking the link loads up the
server not found page then CPU shoots up to 100% for ~1 minute and
then everything goes back to normal... not too exciting...

-sb

On 5/1/07, carl hardwick <hardwick.carl <at> gmail.com> wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html
>


Mihai Donțu | 1 May 2007 15:29

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

On Tuesday 01 May 2007 10:26, carl hardwick wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
> 
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
> 
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html

    I don't know what this exploit is supposed to do (I assume crash the browser),
but my FF just fires up my CPU and... that's it :) I can close the tab or
click the Home button and everything goes back to normal.
    I have FF 2.0.3 (32bit) running on a 64bit Gentoo.

-- 
Mihai


Alexander Bierbaumer | 1 May 2007 16:56

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

Same here on Gentoo with 2.6.19-beyond4

On Tue, 1 May 2007 16:29:35 +0300
Mihai Donțu <mdontu <at> bitdefender.com> wrote:

> On Tuesday 01 May 2007 10:26, carl hardwick wrote:
> > Product: Firefox 2.0.0.3
> > Description: Out-of-bounds memory access via specially crafted html file
> > Type: Remote
> > 
> > Vulnerability can be exploited by using a large value in a href tag to
> > create an out-of-bounds memory access.
> > 
> > Proof Of Concept exploit:
> > http://www.critical.lt/research/opera_die_happy.html
> 
>     I don't know what this exploit is supposed to do (I assume crash the browser),
> but my FF just fires up my CPU and... that's it :) I can close the tab or
> click the Home button and everything goes back to normal.
>     I have FF 2.0.3 (32bit) running on a 64bit Gentoo.
> 
> -- 
> Mihai
> 


Ismail Dönmez | 1 May 2007 15:24

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

On Tuesday 01 May 2007 10:26:21 carl hardwick wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html

Freezes Firefox 2.0.3 on my Linux box. Using Intel drivers fwiw.

/ismail

Robert Wesley McGrew | 1 May 2007 15:08

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

On 5/1/07, carl hardwick <hardwick.carl <at> gmail.com> wrote:
> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html

This doesn't work in Firefox 2.0.0.3 in Ubuntu 7.04.  This sounds like
it might be another case of mistaken identity with the heap overflow
vulnerability in Nvidia blob drivers for Linux, as this was one way to
exploit it.

-- 
Robert Wesley McGrew
http://mcgrewsecurity.com


Nikolay Kichukov | 1 May 2007 14:26

Re: Firefox 2.0.0.3 Out-of-bounds memory access via specially crafted html file

Exploit works like a charm on FF 2.0.3 on win2k sp4.

Regards,
-Nikolay Kichukov

----- Original Message ----- 
From: "carl hardwick" <hardwick.carl <at> gmail.com>
To: <full-disclosure <at> lists.grok.org.uk>
Sent: Tuesday, May 01, 2007 10:26 AM
Subject: [Full-disclosure] Firefox 2.0.0.3 Out-of-bounds memory access
via specially crafted html file

> Product: Firefox 2.0.0.3
> Description: Out-of-bounds memory access via specially crafted html file
> Type: Remote
>
> Vulnerability can be exploited by using a large value in a href tag to
> create an out-of-bounds memory access.
>
> Proof Of Concept exploit:
> http://www.critical.lt/research/opera_die_happy.html
>
