[BuHa-Security] DoS Vulnerability in Firefox <= 1.0.7

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: [BuHa-Security] DoS Vulnerability in Firefox <= 1.0.7
From: bugtraq@xxxxxxxxxxxx
Date: 20 Feb 2006 18:34:43 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

 ---------------------------------------------------
| BuHa Security-Advisory #8     |    Feb 15th, 2006 |
 ---------------------------------------------------
| Vendor   | Mozilla Firefox                        |
| URL      | http://www.mozilla.com/firefox/        |
| Version  | <= 1.0.7                               |
| Risk     | Low (DoS - Null Pointer Dereference)   |
 ---------------------------------------------------

This issue was originally (?) discovered by Yuan Qi who posted it on
Bugzilla [1] on 11th November 2004 [2]. I rediscovered this
vulnerability on 1st October 2005 and reported it several weeks later
to the Mozilla Software Foundation [3] because I did not find any
advisory or bugzilla post about this problem..

I decided to release an advisory about this DoS vulnerability, even
though it's an old issue.

o Description:
=============

The award-winning Web browser is better than ever. Browse the Web
with confidence - Firefox protects you from viruses, spyware and
pop-ups. Enjoy improvements to performance, ease of use and privacy.

Visit http://www.mozilla.com/firefox/ for detailed information.

o Denial of Service:
===================

Following HTML code forces Firefox to crash:
> <frameset></frameset>
> <table><p><form><map><dl><table><small>

Online-demo:
http://morph3us.org/security/pen-te...8143204906.html

The access violation results in a null pointer dereference and is not
exploitable.

o Vulnerable versions:
=====================

The DoS vulnerability was successfully tested on:
> Firefox 1.0.7 - GNU/Linux (Gentoo, Slackware, Debian)
> Firefox 1.0.7 - Solaris
> Firefox 1.0.7 - Windoze 2k / XP SP2
> Firefox 1.0.6 - XP SP2
> Firefox 1.0.4 - GNU/Linux (Gentoo, Slackware, Debian)
> Firefox 1.0.4 - XP SP2
> Firefox 1.0.1 - XP SP2
> Firefox 1.0.0 - XP SP2

o Disclosure Timeline:
=====================

01 Oct 05 - DoS vulnerability discovered.
15 Dec 05 - Vendor contacted.
17 Dec 05 - Vendor confirmed vulnerability.
15 Feb 06 - Public release.

o Solution:
==========

Upgrade to Firefox 1.5.0.1.

o Credits:
=========

Thomas Waldegger <bugtraq@xxxxxxxxxxxx>
BuHa-Security Community - http://buha.info/board/

If you have questions, suggestions or criticism about the advisory feel
free to send me a mail. The address 'bugtraq@xxxxxxxxxxxx' is more a
spam address than a regular mail address therefore it's possible that I
ignore some mails. Please use the contact details at http://morph3us.org/
to contact me.

Greets fly out to cyrus-tc, destructor, nait, trappy and all members
of BuHa.

Advisory online:
http://morph3us.org/advisories/20060215-firefox-107.txt

[1] https://bugzilla.mozilla.org/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=269095
[3] https://bugzilla.mozilla.org/show_bug.cgi?id=320463


-----BEGIN PGP SIGNATURE-----
Version: n/a
Comment: http://morph3us.org/

iD8DBQFD8tg/kCo6/ctnOpYRAz27AJsE1EcyIycMA5XdDnHMJDdhPPk0uQCeK7DX
H+dtwjsf4nkXuHrPR1wFZZM=
=IUWt
-----END PGP SIGNATURE-----

Prev by Date: [AJECT] TrueNorth IA eMailserver 5.3.4 buffer overflow vulnerability
Next by Date: [USN-255-1] openssh vulnerability
Previous by thread: [AJECT] TrueNorth IA eMailserver 5.3.4 buffer overflow vulnerability
Next by thread: [USN-255-1] openssh vulnerability
Index(es):
- Date
- Thread