Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

To: Stan Bubrouski <stan.bubrouski@xxxxxxxxx>
Subject: Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
Date: Sun, 25 Feb 2007 23:40:53 +0100 (CET)
Cc: Daniel Veditz <dveditz@xxxxxxxxxx>, full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxxx
In-reply-to: <122827b90702250857k7bcaac7eo6757fb1c45f95c2e@xxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0702230229090.21707@dione> <45E1BA08.7090901@xxxxxxxxxx> <122827b90702250857k7bcaac7eo6757fb1c45f95c2e@xxxxxxxxxxxxxx>

On Sun, 25 Feb 2007, Stan Bubrouski wrote:

>>>   http://lcamtuf.coredump.cx/ietrap/testme.html
>> This bug was fixed in 2.0.0.2, released Friday Feb 23.
> No it most certainly wasn't, do your homework next time.

Actually, the story is kinda funny, but yeah, it seems that it's fixed
now.

The story: I reported the problem a day before 2.0.0.2 was to be released.
Mozilla dev team looked into this, but - if I understand correctly -
decided to go on with 2.0.0.2 as planned, without a fix for this vuln,
then follow up with a quick release of 2.0.0.3 to address the problem.
This seemed like a sane decision - 2.0.0.2 had been postponed previously,
so there seemed to be no point in holding back.

When 2.0.0.2 went live, some devs noticed that it doesn't crash with my
testcase, though it still crashes trunk builds. After a brief moment of
confusion, they determined that a fix for an unrelated, obscure
non-security bug 364692 had altered the behavior this vulnerability
depended on, accidentally rendering 2.0.0.2 not vulnerable to the attack.

This was then fixed on trunk, and voila. I can't really comment on whether
this fixes the problem once and for all, because I haven't really examined
the changes implemented for 364692, but yeah, my example no longer crashes
the browser for me.

/mz

References:
- Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Michal Zalewski
- Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Daniel Veditz
- Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Stan Bubrouski

Prev by Date: SQLiteManager v1.2.0 Multiple Vulnerabilities
Next by Date: Re: ActiveCalendar 1.2.0, Multiple vulnerabilities
Previous by thread: Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
Next by thread: Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
Index(es):
- Date
- Thread