Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
Firefox 3.6.2 DOS CRASH
Posted by: malloci
Date: March 25, 2010 04:28PM

Okay so I have a lame POC (Firefox 3.6.2 Remote Denial of Service Exploit Vulnerability) DOS attack which may be exploitable further? I just wanted to get some feedback and/or ideas from the greater minds available online. Either way if you have time check it out, debug the crash results, and please post any updates or comments. http://cybermediaplanet.com/security/ff3.6/FF3.6-PoC-v1.4.html

Regards,
malloc(i)



Edited 1 time(s). Last edit at 03/26/2010 10:22AM by malloci.

Options: ReplyQuote
Re: Firefox 3.6.2 DOS CRASH
Posted by: malloci
Date: March 25, 2010 04:34PM

By they way I have contacted Mozilla and ZDI; however, the latter(ZDI) had this to say
"The issues that seem to look exploitable could be due to an unchecked return value from an allocation, as malloc(x) will return a null pointer on failure. I haven't confirmed each particular instance of the crash, but due to the variance of the crashes (in that you're hitting more than one bug) and that the crash depends on whether the OS decides to say no to memory allocation it seems like it'd be very difficult to reliably hit a particular test case."
... so there are more then one bug, but they don't want to take the time to look into each issue. That is why I gave the bug to them in the first place I didn't have time to go over ever issue and debug each to check for an exploit (that's not my job?). I just created a simple POC and wanted to make them aware of the bug... oh well, your damned if you do and your damned if you don't.

--Some Debug Output--
(1ce0.3144): C++ EH exception - code e06d7363 (first chance)
(1ce0.3144): C++ EH exception - code e06d7363 (!!! second chance !!!)
eax=086cef6c ebx=094c8600 ecx=00000003 edx=00000000 esi=00a1a880 edi=067fbd90
eip=760fe124 esp=086cef6c ebp=086cefbc iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000206
kernel32!RaiseException+0x58:
760fe124 c9 leave
0:020> g
WARNING: Continuing a non-continuable exception
(1ce0.30f4): C++ EH exception - code e06d7363 (first chance)
(1ce0.3144): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=086cef7c ebx=00000000 ecx=770300d8 edx=00ae6a10 esi=03e6be80 edi=03955760
eip=770300f0 esp=086ceca8 ebp=086ced34 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
ntdll!RtlCriticalSectionLock_DEBUG:
770300f0 0000 add byte ptr [eax],al ds:002b:086cef7c=d8

0:020> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x770300f0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation

Exception Hash (Major/Minor): 0x6d7c626c.0x73327d24

Stack Trace:
ntdll!RtlCriticalSectionLock_DEBUG+0x0
xul!nsXPConnect::WrapNativeToJSVal+0xf2
xul!nsXPConnect::WrapNative+0x3b
xul!nsDOMWorker::InitializeInternal+0xc0
xul!nsDOMWorkerFunctions::NewWorker+0xcc
js3250!js_Invoke+0x423
js3250!js_InvokeConstructor+0x11f
js3250!js_Interpret+0x3f12
js3250!js_Invoke+0x277
xul!nsXPCWrappedJSClass::CallMethod+0x83c
xul!nsXPCWrappedJS::CallMethod+0x38
xul!PrepareAndDispatch+0xe7
xul!SharedStub+0x16
xul!nsDOMWorkerMessageHandler::DispatchEvent+0xd1
xul!nsDOMWorkerScope::DispatchEvent+0x26
xul!nsDOMFireEventRunnable::Run+0x6b
xul!nsDOMWorkerRunnable::RunQueue+0xaf
xul!nsDOMWorkerRunnable::Run+0x58
xul!nsThreadPool::Run+0x168
xul!nsThread::ProcessNextEvent+0x247
xul!NS_ProcessNextEvent_P+0x1b
Instruction Address: 0x00000000770300f0

Description: Data Execution Prevention Violation
Short Description: DEPViolation
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Data Execution Prevention Violation starting at ntdll!RtlCriticalSectionLock_DEBUG+0x0000000000000000 (Hash=0x6d7c626c.0x73327d24)

User mode DEP access violations are exploitable.
0:020> !exchain
086cf990: MOZCRT19!_except_handler4+0 (712ad238)
086cf9e4: ntdll!_except_handler4+0 (77002c41)
Invalid exception stack at ffffffff


malloc(i)



Edited 1 time(s). Last edit at 03/26/2010 11:41AM by malloci.

Options: ReplyQuote


Sorry, only registered users may post in this forum.