Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

To: Richard Moore <rich@xxxxxxxxxxxxxxxx>
Subject: Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
From: Michal Zalewski <lcamtuf@xxxxxxxxxxxx>
Date: Tue, 27 Feb 2007 14:29:11 +0100 (CET)
Cc: full-disclosure@xxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, security@xxxxxxxxxxx
In-reply-to: <45E42FCC.9030508@xxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <Pine.LNX.4.58.0702230229090.21707@dione> <45E1BA08.7090901@xxxxxxxxxx> <122827b90702250857k7bcaac7eo6757fb1c45f95c2e@xxxxxxxxxxxxxx> <Pine.LNX.4.58.0702252330330.21707@dione> <45E42FCC.9030508@xxxxxxxxxxxxxxxx>

On Tue, 27 Feb 2007, Richard Moore wrote:

> <html>
> <body onunload="location = self.location">
> <a href="http://slashdot.org/";>http://slashdot.org/</a>
> </body>
> </html>

Yeah, and the other way round: http://lcamtuf.coredump.cx/ietrap/, when
used with FF 2.0.0.2, puts you on a page that:

  1) Has URL bar data and favicon from the target site,
  2) Views source of what you added with document.write(),
  3) Displays as blank.

Moreover, repeatedly setting document.location = "xxx"; on departure may
land you at slashdot.org/xxx instead (meaning the update is being
performed in the context of the new page).

Although this looks like a Really Bad Thing (tm), I didn't succeed in
modifying /ietrap/ to display a malicious payload (though feels like it's
sooo close), nor in manipulating DOM in the latter example to do anything
other than annoying the user (because 2.0.0.1 kept crashing ;-). Still,
I'm not gonna sleep well until this is fixed.

/mz

References:
- Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Michal Zalewski
- Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Daniel Veditz
- Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Stan Bubrouski
- Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
  - From: Michal Zalewski

Prev by Date: Re: [Full-disclosure] ViewCVS 0.9.4 issues
Next by Date: Wordpress 2.1.1 - Multiple Script Injection Vulnerabilities
Previous by thread: Re: [Full-disclosure] Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)
Next by thread: [ MDKSA-2007:048 ] - Updated php packages fix multiple vulnerabilities
Index(es):
- Date
- Thread