25-Jan-2010 [11:34] -- Firefox 3.6 vulnerability... exploitable?
I was reading the RSS feeds I am subscribed to and found this Firefox 3.6 proof of concept.
A brief look at the PoC shows an invalid XML file with 30k nested child elements.
Once I was sure the PoC contained no malicious code, I opened WinDbg and tested it.
The crash is as follows:
xul!NS_Realloc_P+0x3f63:
61b11333 53 push ebx
0:000> r
eax=00000000 ebx=0e45b800 ecx=0d252680 edx=0d926490 esi=00000000 edi=0d86fb48
eip=61b11333 esp=00052ffc ebp=00000000 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
xul!NS_Realloc_P+0x3f63:
61b11333 53 push ebx
0:000> kPn
# ChildEBP RetAddr
00 00000000 00000000 xul!NS_Realloc_P+0x3f63
0:000> q
It is a stack-exhaustion bug caused by recursion over the nested elements, so I do not think we should consider this more than a client-side DoS.
Fermin J. Serna - @fjserna
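The crash above is what unbounded recursion over nested elements looks like from the parser's side. As an added example (not code from this post or from Firefox), the Python below bounds nesting depth with the streaming expat parser, so a deeply nested document is rejected long before a recursive consumer would blow its stack; the 30k-level document is constructed here to stand in for the PoC, and MAX_DEPTH is an assumed limit.

```python
"""Depth-bounded XML parsing as a mitigation for deeply nested input.
Added example; uses Python's stream-based expat parser, which does not
recurse per element, to count depth and abort early."""
import xml.parsers.expat

MAX_DEPTH = 256  # assumed limit; size it to the consumer's stack budget


class NestingTooDeep(Exception):
    """Raised as soon as element nesting exceeds the configured limit."""


def nesting_depth(doc: bytes, max_depth: int = MAX_DEPTH) -> int:
    """Return the deepest element nesting in doc, or raise NestingTooDeep
    the moment max_depth is exceeded (the tree is never materialized)."""
    depth = 0
    deepest = 0

    def start(name, attrs):
        nonlocal depth, deepest
        depth += 1
        if depth > max_depth:
            raise NestingTooDeep(f"depth {depth} exceeds limit {max_depth}")
        deepest = max(deepest, depth)

    def end(name):
        nonlocal depth
        depth -= 1

    parser = xml.parsers.expat.ParserCreate()
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.Parse(doc, True)  # handler exceptions propagate out of Parse
    return deepest


def nested_doc(levels: int, close: bool = True) -> bytes:
    """Construct an XML document with `levels` nested <a> elements.
    close=False leaves the end tags off, mimicking the PoC's invalid XML."""
    body = "<a>" * levels
    if close:
        body += "</a>" * levels
    return body.encode()


def check_document(doc: bytes, max_depth: int = MAX_DEPTH) -> str:
    """Classify doc as 'ok', 'too-deep' (depth limit hit before any
    well-formedness error) or 'malformed' (expat rejected it)."""
    try:
        nesting_depth(doc, max_depth)
        return "ok"
    except NestingTooDeep:
        return "too-deep"
    except xml.parsers.expat.ExpatError:
        return "malformed"
```

Because the depth check runs on each start tag, a 30k-level document of unclosed tags is rejected at depth 257, before expat ever reaches the point of reporting it as malformed.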