
Thread: Mozilla Products Arbitrary Memory Exposure Test

  1. #1 egghead (Precision Processor, Super Moderator; joined May 2002; location: In Your Monitor; 3,506 posts)

    Mozilla Products Arbitrary Memory Exposure Test

    Introduction

    A vulnerability has been discovered in various Mozilla products, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

    Please see the test below for an example of how this vulnerability can be exploited.

    Test Case / Demonstration

    Click the link below in order to test whether or not your system is vulnerable. The test will read arbitrary memory and display most of the printable characters from the memory chunk.

    Each time you click the link below, 10 kilobytes of memory will be read and most printable characters will be displayed below.

    full story

    Below is an example of what can be found; new results and info with each click.

    Code:
     ' 4 w A ' ; W 5 5 V : ; = : E 5 V : V 5 V 5 5 V V 6 d 1 mousedown m 5 T 6 5 5 W V 5 D V 5 m   5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 V  nt /w /   3 m 5 T 6 5 5 W V 5 D V 5 D m 5 T 6 5 5 W V 5 D V 5 1' Are you sure you want to delete this security module? Unable to delete module sInternal security module successfully deleted sExternal security module successfully deleted 1 You should make a password-protected backup copy of your new security certificate and its associated private key. 2 If you ever lose access to your private key by forgetting your personal security password  or by experiencing file corruption  you can restore this private key and certificate from this backup copy. 3 To make a copy  click OK. If possible  you should save your backup copy on a floppy disk that you keep in a safe location. r (Unknown Issuer) (Unknown Organization) e%S = %S dYou cannot connect to %S because SSL is disabled. You cannot connect to %S because SSL version 2 is disabled. %S and %S cannot communicate securely because they have no common encryption algorithms. 3 A I wm arial ao_sut ' : P " " / 7 a " showthread.php?mode=hybrid&t=14832 parentNode 0 . ) return imwindow('yahoo'  '232'  400  200) ' 9 serif a & tahoma verdana geneva lucida 'lucida grande' arial helvetica sans-serif serif & p #p verdana geneva lucida 'lucida grande' arial helvetica sans-serif serif robat XML Data Package # removeAllRanges ( o L
    Last edited by egghead; April 14th, 2005 at 13:42 PM.

  2. #2 egghead (Precision Processor, Super Moderator; joined May 2002; location: In Your Monitor; 3,506 posts)
    Mozilla Firefox JavaScript Engine Information Disclosure Vulnerability
    Secunia Advisory: SA14820
    Release Date: 2005-04-04
    Last Update: 2005-04-13
    Critical:
    Moderately critical

    Impact:
    Exposure of system information
    Exposure of sensitive information
    Where: From remote
    Solution Status: Unpatched
    Software:
    Mozilla Firefox 0.x
    Mozilla Firefox 1.x


    CVE reference: CAN-2005-0989

    Description:
    A vulnerability has been discovered in Mozilla Firefox, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

    The vulnerability is caused due to an error in the JavaScript engine, as a "lambda" replace exposes arbitrary amounts of heap memory after the end of a JavaScript string.

    Successful exploitation may disclose sensitive information in memory.

    Secunia has constructed a test, which can be used to check if your browser is affected by this issue:
    http://secunia.com/mozilla_products_...exposure_test/

    The vulnerability has been confirmed in versions 1.0.1 and 1.0.2. Other versions may also be affected.

    Solution:
    Disable JavaScript support.

    Provided and/or discovered by:
    Azafran

    Changelog:
    2005-04-13: Added CVE reference.

    Original Advisory:
    Mozilla bug report:
    https://bugzilla.mozilla.org/show_bug.cgi?id=288688

    Azafran:
    http://cubic.xfo.org.ru/index.cgi?read=53004


    Please note: The information, which this Secunia Advisory is based upon, comes from third party unless stated otherwise.

    Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.



    Lovely - egghead
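The advisory quoted above describes the bug as a "lambda" replace, that is, String.prototype.replace with a function as the replacement, returning heap memory past the end of the string. The following is an added example, not code from this thread, from Secunia or from Mozilla: a JavaScript differential check that rebuilds the expected result of a lambda replace with an explicit loop over RegExp.prototype.exec and compares it with what the engine's replace() actually returns. On a correct engine the two strings are identical; an engine that appended bytes from beyond the end of the string, as the advisory describes, would fail the comparison and the "extra" field would hold the tail. The function names and the sample inputs are constructed for this example.

```javascript
// Added example (not code from the thread, from Secunia, or from Mozilla).
// Differential check for String.prototype.replace with a function ("lambda")
// replacement: rebuild the expected result with an explicit loop over
// RegExp.prototype.exec, then compare it with what the engine returns.

// Reference implementation of str.replace(re, fn): walks the matches one by
// one and calls fn with (match, ...captureGroups, offset, wholeString), the
// argument order a function replacement receives. Named capture groups (the
// trailing groups object) are not modelled here.
function referenceReplace(str, re, fn) {
  const rx = new RegExp(re.source, re.flags); // private copy: leaves the caller's lastIndex alone
  let out = "";
  let last = 0;
  let m;
  while ((m = rx.exec(str)) !== null) {
    const offset = m.index;
    const replacement = String(fn(m[0], ...m.slice(1), offset, str));
    out += str.slice(last, offset) + replacement;
    last = offset + m[0].length;
    if (!rx.global) break; // non-global regex: only the first match is replaced
    if (m[0].length === 0) rx.lastIndex++; // step past an empty match
  }
  return out + str.slice(last);
}

// Compare the engine's replace() with the reference. The result records both
// strings, both lengths and any bytes the engine returned beyond the expected
// result (which is what a memory over-read would look like).
function checkLambdaReplace(str, re, fn) {
  const expected = referenceReplace(str, re, fn);
  const actual = str.replace(re, fn);
  return {
    ok: actual === expected,
    expected,
    actual,
    expectedLength: expected.length,
    actualLength: actual.length,
    extra: actual.length > expected.length ? actual.slice(expected.length) : "",
  };
}

// Constructed inputs covering the usual cases: global and non-global patterns,
// the offset argument, empty matches and capture groups.
const CASES = [
  { name: "global digits", str: "ab12cd345", re: /\d+/g, fn: (m) => "<" + m.length + ">" },
  { name: "first match with offset", str: "hello world", re: /o/, fn: (m, offset) => "[" + offset + "]" },
  { name: "empty matches", str: "abc", re: /x*/g, fn: () => "-" },
  { name: "capture groups", str: "2005-04-13", re: /(\d+)-(\d+)-(\d+)/, fn: (m, y, mo, d) => d + "/" + mo + "/" + y },
];

// Run every case and return the per-case reports.
function runAll() {
  return CASES.map((c) => ({ name: c.name, ...checkLambdaReplace(c.str, c.re, c.fn) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runAll()) {
    console.log(
      `${r.ok ? "OK  " : "FAIL"} ${r.name}: expected ${r.expectedLength} chars, got ${r.actualLength}` +
        (r.extra ? ` (extra: ${JSON.stringify(r.extra)})` : "")
    );
  }
}
```

Run it with `node lambda-replace-check.js` (a file name assumed for this example). The check only asserts that the engine's output equals an independently computed result; it never inspects memory itself, so it is safe to use as a regression test for any engine's function-replacement code path.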

  3. #3 Big Booger (Super Moderator; joined Apr 2002; location: JAPAN; 10,660 posts)
    Quote Originally Posted by egghead
    Introduction

    A vulnerability has been discovered in various Mozilla products, which can be exploited by malicious people to gain knowledge of potentially sensitive information.

    Please see the test below for an example of how this vulnerability can be exploited.

    Test Case / Demonstration

    Click the link below in order to test whether or not your system is vulnerable. The test will read arbitrary memory and display most of the printable characters from the memory chunk.

    Each time you click the link below, 10 kilobytes of memory will be read and most printable characters will be displayed below.

    full story

    Below is an example of what can be found; new results and info with each click.

    Code:
     ' 4 w A ' ; W 5 5 V : ; = : E 5 V : V 5 V 5 5 V V 6 d 1 mousedown m 5 T 6 5 5 W V 5 D V 5 m   5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 V  nt /w /   3 m 5 T 6 5 5 W V 5 D V 5 D m 5 T 6 5 5 W V 5 D V 5 1' Are you sure you want to delete this security module? Unable to delete module sInternal security module successfully deleted sExternal security module successfully deleted 1 You should make a password-protected backup copy of your new security certificate and its associated private key. 2 If you ever lose access to your private key by forgetting your personal security password  or by experiencing file corruption  you can restore this private key and certificate from this backup copy. 3 To make a copy  click OK. If possible  you should save your backup copy on a floppy disk that you keep in a safe location. r (Unknown Issuer) (Unknown Organization) e%S = %S dYou cannot connect to %S because SSL is disabled. You cannot connect to %S because SSL version 2 is disabled. %S and %S cannot communicate securely because they have no common encryption algorithms. 3 A I wm arial ao_sut ' : P " " / 7 a " showthread.php?mode=hybrid&t=14832 parentNode 0 . ) return imwindow('yahoo'  '232'  400  200) ' 9 serif a & tahoma verdana geneva lucida 'lucida grande' arial helvetica sans-serif serif & p #p verdana geneva lucida 'lucida grande' arial helvetica sans-serif serif robat XML Data Package # removeAllRanges ( o L

    That FULL STORY link killed my browser... I didn't see any code executed though. Is the code supposed to crash the browser?

  4. #4 egghead (Precision Processor, Super Moderator; joined May 2002; location: In Your Monitor; 3,506 posts)
    Quote Originally Posted by Big Booger
    That FULL STORY link killed my browser... I didn't see any code executed though. Is the code supposed to crash the browser?
    Weird.

    The full story is a link to Secunia. On the page is a link that is a simple JavaScript and an empty box. When you click the Java link it fills the box with lots of interesting information. It should not crash your browser. I only tried it in Firefox.

  5. #5 Big Booger (Super Moderator; joined Apr 2002; location: JAPAN; 10,660 posts)
    Quote Originally Posted by egghead
    Weird.

    The full story is a link to Secunia. On the page is a link that is a simple JavaScript and an empty box. When you click the Java link it fills the box with lots of interesting information. It should not crash your browser. I only tried it in Firefox.
    Yeah, I was talking about the link that is supposed to generate that code. It just crashed my browser... really odd.

  6. #6 Zak8022 (Bronze Member; joined Nov 2004; location: Baltimore, MD; 134 posts)
    Weird... didn't have any negative effect on my browser.

  7. #7 lynchknot (Titanium Member; joined Jul 2002; location: blk helo target, WA; 3,415 posts)
    All I see is a bunch of nonsense

    % # " g Z C -1 f & DTD/ C e K K i new c q )H d c A d ir T T 6 5 5 W V 5 D V 5 ( F e 5 T V )) #

  8. #8 egghead (Precision Processor, Super Moderator; joined May 2002; location: In Your Monitor; 3,506 posts)
    Quote Originally Posted by lynchknot
    All I see is a bunch of nonsense
    Did you read what mine said? Some weird stuff. If you press the button more times it starts pulling things from your bookmarks and other information that should make you go hmm????

    Zak8022, what browser are you using? My understanding is that this is a Java flaw and the only fix is to turn off JavaScript.

    Would love to hear what Curio thinks about this.

    lynchknot, keep pressing and see if it starts pulling info you don't know where it's getting it from.....

  9. #9 lynchknot (Titanium Member; joined Jul 2002; location: blk helo target, WA; 3,415 posts)
    OK I but still does not make sense - perhaps DaVinci code here:

    f _ a b 3 c 3 d e 3 f 3 h ing 2 2 2 1 1 P 3 3 3 3 3 3 3 " # 3 r 1 0 ; ; = T = T = T = : 8 X ; : 5 = W ; : 5 V W V = EGGHEAD IS A PERVERT W V = W V ; : V ; : V ; : V ; : V V ; : V l m ; 6 ; 6 ; 6 ; 6 ; 6 u 8 509e6ffb81965b83d99a2c7be085635c : @ s % c 5 72 o K o K K I x x x x x x x x x \ m 5 T 6 5 5 W V 5 D V 5 c m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 y m 5 T 6 5 5 W V 5 D V 5 & m 5 T 6 5 5 W V 5 D V 5 e m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 A A m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 a : m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 u javascript:readMemory(); javascript:readMemory(); javascript:readMemory(); ; ro javascript l E ; Y 0 0 W E A 5 ( A . 0 5 . 0 % " 7 I 7 V 7 E C Y E k m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 s. AU m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5 m 5 T 6 5 5 W V 5 D V 5

  10. #10 egghead (Precision Processor, Super Moderator; joined May 2002; location: In Your Monitor; 3,506 posts)
    Almost gushed out a lung looking through that code hahahahaha

    LMAO!!!!


    hahahaha

    In my tries I get weird things that I guess some program is writing to at the time. Maybe yours are encoded. I got lots of text things that meant things.

  11. #11 lynchknot (Titanium Member; joined Jul 2002; location: blk helo target, WA; 3,415 posts)
    Well, I hope 'ya never run out of paper 'ya pervert!

  12. #12 egghead (Precision Processor, Super Moderator; joined May 2002; location: In Your Monitor; 3,506 posts)
    value=label accesskey crop elements e newreply.php?do=newreply&p=92095 nodeType a parentNode writeln open write close cookie forms n \ \ j( C 'M 3 N Z T w f Y 3 @ 2 ' non_wysiwyg_obj ' ' ga(this event) g l T characterSet T s view l K q . P techzonez. N # ' ' s L chrome://roboform/content/roboform.js N ) % ) u t s r q p o n m l k j i h g f G q =81 ma ru ' ' w= f 0 0&# ' 1 i ' ' ' ' " ansferring data from pagead2.googlesyndication.com... ' H 1 T ' T ' ' 1 &output= ' ' 15085 b ' ( 20 ' ) - b 3 ; T ; T : : W ; 5 = W ; T = : T 5 T T m ; T W ; T T 5 6 = D V ; 5 T 5 W = = V 5 = 6 V V ; V V 5 m l 5 = m ; ; ; : ; = ; ; E ; ; V 5 = 5 V ; : 5 V ; : = 5 6 ; V V : 5 V = 6 ; V V 5 " ' ' ' ' ' ' V subscription.php?do=addsubscription&t=14832 b ' g 9 : m Q 5 : scrollbar-thumb ' orient sborient=orient ' 4 ( ' 2 ) L ' L chrome://roboform/content/roboform.js . N N 4 " 3 D U f

  13. #13 Curio (Triple Platinum Member; joined Nov 2004; location: London; 899 posts)
    I think I shat myself reading Lynch's post........

    No it's OK

    All software has bugs and this is going towards proving the old knowledge. The harder you look at something the more you see. Still, in the grand scheme of things it isn't remote code execution, which I think we did have in IE in last month's patches.

    Opera was built ground up with security in mind but I think we still had some vulns in Opera a while back. Mozilla bugs so far have not been that bad (RCE) and it would take a fair amount of luck and scripting to get anything useful out of this one. Still if you fling enough sh... mud at the wall something will stick so that's still potentially damaging.

    What we should look at now is how fast the vulnerability is patched - up to now Mozilla have been very good at updating. I really like Firefox although I like Deepnet too - I don't really like IE that much any more.

    Because of its popularity FF is coming in for serious scrutiny but isn't turning up that much in the way of serious vulnerabilities so far. http://secunia.com/product/4227/ is the FF page on Secunia and we can see there are 3 unpatched vulns, none over 3 bars. However the Internet Explorer 6 page http://secunia.com/product/11/ tells a different story with untold unpatched/part patched stuff varying right up to 5 bars.

    When you consider that these vulnerabilities can be used in combinations - oooh that's bad.
    I'm using Windows 7 - you got a problem with that?

  14. #14 lynchknot (Titanium Member; joined Jul 2002; location: blk helo target, WA; 3,415 posts)
    Firefox 1.0.3 is available now: http://www.mozilla.org/products/firefox/

  15. #15 Conan (Techzonez Governor, Super Moderator; joined Apr 2002; location: Philippines; 4,229 posts)
    Quote Originally Posted by lynchknot
    Firefox 1.0.3 is available now: http://www.mozilla.org/products/firefox/
    Thanks! Wonder why there's not much ballyhoo about this update?
