Security-Alerts mailing list archive (security-alerts@yandex-team.ru)


[security-alerts] Real info about vulnerabilities in FireFox



> Subject: Dailydave Digest, Vol 15, Issue 3
 
> ------------------------------
> 
> Message: 3
> Date: Tue, 3 Oct 2006 12:48:10 -0500
> From: H D Moore <hdm-daily-dave@xxxxxxxxxxxxxxxxxx>
> Subject: Re: [Dailydave] Firefox bugs
> To: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <200610031248.10788.hdm-daily-dave@xxxxxxxxxxxxxxxxxx>
> Content-Type: text/plain;  charset="iso-8859-1"
> 
> On Tuesday 03 October 2006 12:21, Dave Aitel wrote:
> > Right, where one of the dudes claims it's all a joke and that his
> > blackhat friend weev hasn't shown him the bug. Seemed like blatant
> > lying because his company pressured him. A weblog company can't be
> > known to have remote 0day on browsers...no one would ever visit their
> > web page again...
> 
> If anyone wants the full (reported) bug list, grab this hack:
> 
> http://metasploit.com/users/hdm/tools/mozdig.rb
> 
> $ ./mozdig.rb
> [..snip..]
> Bug #351370 by jst@xxxxxxxxxxxxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src/xpconnect/src&command=DIFF_FRAMESET&file=xpccomponents.cpp&rev1=1.99&rev2=1.100&root=/cvsroot
> Bug #348798 by mattwillis@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/calendar/base/src&command=DIFF_FRAMESET&file=calUtils.js&rev1=1.4&rev2=1.5&root=/cvsroot
> Bug #353165 by igor.bukanov@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsxml.c&rev1=3.125&rev2=3.126&root=/cvsroot
> Bug #352064 by pedemont@xxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src/liveconnect&command=DIFF_FRAMESET&file=jsj_JavaObject.c&rev1=1.40&rev2=1.41&root=/cvsroot
> Bug #352846 by igor.bukanov@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsarray.c&rev1=3.96&rev2=3.97&root=/cvsroot
> Bug #353117 by mozilla.mano@xxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/browser/components/feeds/src&command=DIFF_FRAMESET&file=FeedWriter.js&rev1=1.18&rev2=1.19&root=/cvsroot
> Bug #348836 by brendan@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsscan.c&rev1=3.111&rev2=3.112&root=/cvsroot
> Bug #352624 by brendan@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsinterp.c&rev1=3.288&rev2=3.289&root=/cvsroot
> Bug #352878 by wclouser@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/webtools/firefox_survey/views/users&command=DIFF_FRAMESET&file=add.thtml&rev1=1.14&rev2=1.15&root=/cvsroot
> Bug #352124 by gavin@xxxxxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src/xpconnect/src&command=DIFF_FRAMESET&file=XPCNativeWrapper.cpp&rev1=1.45&rev2=1.46&root=/cvsroot
> Bug #352124 by jst@xxxxxxxxxxxxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src/xpconnect/src&command=DIFF_FRAMESET&file=xpcconvert.cpp&rev1=1.105&rev2=1.106&root=/cvsroot
> Bug #352124 by mozilla.mano@xxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/browser/components/feeds/src&command=DIFF_FRAMESET&file=FeedWriter.js&rev1=1.15&rev2=1.16&root=/cvsroot
> Bug #352606 by brendan@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsinterp.c&rev1=3.287&rev2=3.288&root=/cvsroot
> Bug #347008 by bugzilla@xxxxxxxxxxxxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/mailnews/addrbook/src&command=DIFF_FRAMESET&file=nsAddrDatabase.cpp&rev1=1.145&rev2=1.146&root=/cvsroot
> Bug #348304 by Olli.Pettay@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src&command=DIFF_FRAMESET&file=nsMenuFrame.cpp&rev1=1.332&rev2=1.333&root=/cvsroot
> Bug #307809 by dbaron@xxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src/grid&command=DIFF_FRAMESET&file=nsGridRowLayout.cpp&rev1=1.11&rev2=1.12&root=/cvsroot
> Bug #352264 by dbaron@xxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/xpfe/bootstrap&command=DIFF_FRAMESET&file=nsNativeAppSupportWin.cpp&rev1=1.133&rev2=1.134&root=/cvsroot
> Bug #351848 by wtchang@xxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/security/nss/lib/cryptohi&command=DIFF_FRAMESET&file=secvfy.c&rev1=1.19&rev2=1.20&root=/cvsroot
> Bug #348304 by Olli.Pettay@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src&command=DIFF_FRAMESET&file=nsMenuFrame.cpp&rev1=1.331&rev2=1.332&root=/cvsroot
> Bug #352271 by mrbkap@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsparse.c&rev1=3.241&rev2=3.242&root=/cvsroot
> Bug #352094 by mrbkap@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsinterp.c&rev1=3.284&rev2=3.285&root=/cvsroot
> Bug #351296 by vladimir@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/content/canvas/src&command=DIFF_FRAMESET&file=nsCanvasRenderingContext2D.cpp&rev1=1.66&rev2=1.67&root=/cvsroot
> Bug #351328 by bmlk@xxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/tables&command=DIFF_FRAMESET&file=nsCellMap.cpp&rev1=3.107&rev2=3.108&root=/cvsroot
> Bug #337744 by benjamin@xxxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/netwerk/protocol/res/src&command=DIFF_FRAMESET&file=nsResProtocolHandler.cpp&rev1=1.66&rev2=1.67&root=/cvsroot
> Bug #351973 by igor.bukanov@xxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsobj.c&rev1=3.285&rev2=3.286&root=/cvsroot
> Bug #351470 by alexei.volkov.bugs@xxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/nsprpub/pr/src/io&command=DIFF_FRAMESET&file=prfdcach.c&rev1=3.12&rev2=3.13&root=/cvsroot
> Bug #351470 by alexei.volkov.bugs@xxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/nsprpub/pr/src/io&command=DIFF_FRAMESET&file=prlog.c&rev1=3.34&rev2=3.35&root=/cvsroot
> Bug #351470 by alexei.volkov.bugs@xxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/nsprpub/pr/src/misc&command=DIFF_FRAMESET&file=prtrace.c&rev1=3.8&rev2=3.9&root=/cvsroot
> Bug #348304 by Olli.Pettay@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src&command=DIFF_FRAMESET&file=nsMenuFrame.cpp&rev1=1.330&rev2=1.331&root=/cvsroot
> Bug #348304 by Olli.Pettay@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src&command=DIFF_FRAMESET&file=nsMenuFrame.cpp&rev1=1.329&rev2=1.330&root=/cvsroot
> Bug #350238 by brendan@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src&command=DIFF_FRAMESET&file=jsemit.c&rev1=3.196&rev2=3.197&root=/cvsroot
> Bug #332386 by pavlov@xxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/modules/libpr0n/decoders/bmp&command=DIFF_FRAMESET&file=nsBMPDecoder.cpp&rev1=1.30&rev2=1.31&root=/cvsroot
> Bug #351079 by nelson@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/security/nss/lib/cryptohi&command=DIFF_FRAMESET&file=secvfy.c&rev1=1.18&rev2=1.19&root=/cvsroot
> Bug #348304 by Olli.Pettay@xxxxxxxxxxx at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src/tree/src&command=DIFF_FRAMESET&file=nsTreeBodyFrame.cpp&rev1=1.287&rev2=1.288&root=/cvsroot
> 
> There are enough unpatched (as in releases) bugs viewable in 
> CVS to make the threat of new flaws somewhat redundant :-)
> 
> -HD
> 
> 
> ------------------------------
> 
> Message: 4
> Date: Tue, 03 Oct 2006 19:46:56 +0200
> From: Thor Larholm <thor@xxxxxxxxxxxx>
> Subject: Re: [Dailydave] Firefox bugs
> To: Dave Aitel <dave@xxxxxxxxxxxxxxx>
> Cc: dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <4522A210.6070906@xxxxxxxxxxxx>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> The PoC from the slide and the full PoC is attached to 
> https://bugzilla.mozilla.org/show_bug.cgi?id=355069.
> 
> Spiegelmock and Wbeelsoi talked about threads and lack of mutexes, but
> as Brendan points out this is cargo-cult knowledge about JS. There's
> definitely the potential for vulnerabilities in the Mozilla JS engine,
> mainly because it violates run-to-completion. This has the potential to
> screw with op-codes in the VM when reentrant timers do not defer when a
> modal dialog is running.
> 
> I originally posted about the presentation at
> http://blogs.securiteam.com/index.php/archives/657 where I highlighted
> the last few security-related changes (including one in native
> iterators), but these were only related by extension since reentrant
> exploits can circumvent the context checks. Chrome: is not buggy per se,
> it's just inherently prone to context switches since there's only one
> running instance of each parser (html, js, etc) in the same process for
> both secure and insecure content.
> 
> Spiegelmock is definitely backpedalling with his updated statement, but
> then again, it's hard to tell from the video presentation how much is
> truth and how much is fiction (should I upload it somewhere?). They're
> both hanging out on irc.bantown.com/#bantown (immunitysec.hub).
> 
> Thor
> 
> 
> Dave Aitel wrote:
> 
> >-----BEGIN PGP SIGNED MESSAGE-----
> >Hash: SHA1
> >
> >Didn't you post on your weblog some stuff about Chrome: being buggy?
> >It's completely believable to have a chrome: context issue in Firefox.
> >I recall you said something about iterators, but I don't have a
> >Mozilla developer account so I can't look at the diff.
> >
> >Are the slides/full PoC available publicly?
> >- -dave
> >
> >Thor Larholm wrote:
> >  
> >
> >>Their PoC, both the one in their slides and the full PoC, is
> >>nothing more than an out-of-memory crash, of which Firefox already
> >>has plenty. They were still struggling to write a working exploit
> >>days after the presentation, even though they claimed to have just
> >>that during the presentation.
> >>
> >>Long story short, the bug is just a bug - not a vulnerability.
> >>
> >>
> >>Regards Thor Larholm
> >>
> >>
> >>Dave Aitel wrote:
> >>
> >>For those of you under a rock, there's a new firefox bug:
> >>http://developer.mozilla.org/devnews/
> >>
> >>I read somewhere that the PoC was posted to the web, but I can't
> >>find it anywhere.
> >>
> >>For those of you who watched the HP testimony on cspan.org, you may
> >> have noticed that ReadNotify was used in a prior DD posting. DD
> >>goes out to maybe 2500 people last time I checked...and I got under
> >>a hundred readnotify responses. This corresponds with my last use
> >>of web bugs against someone trying to blackmail one of my clients.
> >>It just didn't work. This was the one big tool in the FBI/NYPD's
> >>toolbox, and it's been broken during the fight against spammers. We
> >>had to do a statistical analysis of all the web page accesses to
> >>get close.
> >>
> >>Anyways, our congresscritters think that SPYWARE==WEB BUG. And it's
> >> not true. Someone needs to call them and explain it slowly.
> >>
> >>-dave
> >>    
> >>
> >_______________________________________________
> >Dailydave mailing list
> >Dailydave@xxxxxxxxxxxxxxxxxxxxx
> >http://lists.immunitysec.com/mailman/listinfo/dailydave
> >
> >  

> ------------------------------
> 
> Message: 6
> Date: Tue, 3 Oct 2006 11:25:53 -0700 (PDT)
> From: Matt <matt@xxxxxxx>
> Subject: Re: [Dailydave] Firefox bugs
> To: Thor Larholm <thor@xxxxxxxxxxxx>
> Cc: Dave Aitel <dave@xxxxxxxxxxxxxxx>, dailydave@xxxxxxxxxxxxxxxxxxxxx
> Message-ID: <Pine.NEB.4.58.0610031122470.867@xxxxxxxxxxxxxxxx>
> Content-Type: TEXT/PLAIN; charset=US-ASCII
> 
> On Tue, 3 Oct 2006, Thor Larholm wrote:
> 
> > Their PoC, both the one in their slides and the full PoC, is nothing
> > more than an out-of-memory crash, of which Firefox already 
> has plenty.
> > They were still struggling to write a working exploit days after the
> > presentation, even though they claimed to have just that during the
> > presentation.
> >
> > Long story short, the bug is just a bug - not a vulnerability.
> 
> Just use valgrind on FireFox (compiled with symbols) and load up something
> like maps.google.com. Then have a blast looking through the code and
> finding all kinds of little OB1 and OBAF issues. I tried working with them
> via their IRC channel to get some of these things fixed in 1.5, but they were
> not cooperative or accepting of patches.
> 
> After that experience, I gave up and now use Konqueror, whose developers
> I have found to be more receptive to in-depth debugging information and
> acting upon it in a timely fashion. This is highly subjective, of course.
> 
> 
> 
> --
> tangled strands of DNA explain the way that I behave.
> http://www.clock.org/~matt
> 
> 
> ------------------------------
> 
> _______________________________________________
> Dailydave mailing list
> Dailydave@xxxxxxxxxxxxxxxxxxxxx
> http://lists.immunitysec.com/mailman/listinfo/dailydave
> 
> 
> End of Dailydave Digest, Vol 15, Issue 3
> ****************************************
> 
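As an added example that is not part of this thread or of mozdig.rb, the "Bug #N by author at URL" lines that HD Moore's listing prints can be parsed into structured records and aggregated to show which source files received repeated security checkins (nsMenuFrame.cpp, jsinterp.c and so on). The sample lines and the example.invalid addresses below are constructed, and the parser also strips the "> " that mail wrapping injected into several of the URLs above.

```python
"""Parse mozdig-style 'Bug #... by ... at <bonsai diff URL>' lines and summarise them."""
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample: entries modelled on the listing above (addresses replaced
# with example.invalid); the last one keeps a "> " mail-wrapping artifact inside the URL.
SAMPLE = """\
Bug #351370 by jst@example.invalid at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src/xpconnect/src&command=DIFF_FRAMESET&file=xpccomponents.cpp&rev1=1.99&rev2=1.100&root=/cvsroot
Bug #348304 by Olli.Pettay@example.invalid at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src&command=DIFF_FRAMESET&file=nsMenuFrame.cpp&rev1=1.332&rev2=1.333&root=/cvsroot
Bug #348304 by Olli.Pettay@example.invalid at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/layout/xul/base/src&command=DIFF_FRAMESET&file=nsMenuFrame.cpp&rev1=1.331&rev2=1.332&root=/cvsroot
Bug #352124 by gavin@example.invalid at http://bonsai.mozilla.org/cvsview2.cgi?diff_mode=context&whitespace_mode=show&subdir=mozilla/js/src/xpconnect/src&command=DIFF_FRAMESET&file=XPCNativeWrapper.cpp&rev1=1.45&rev2=1.46> &root=/cvsroot
"""

LINE_RE = re.compile(r"^Bug #(?P<bug>\d+) by (?P<author>\S+) at (?P<url>\S.*)$")


def parse_line(line):
    """Return a dict for one 'Bug #... by ... at <url>' line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Mail wrapping can insert "> " into a URL; drop it before reading the query string.
    url = m.group("url").replace("> ", "")
    q = parse_qs(urlsplit(url).query)
    return {
        "bug": int(m.group("bug")),
        "author": m.group("author"),
        "subdir": q.get("subdir", [""])[0],
        "file": q.get("file", [""])[0],
        "rev1": q.get("rev1", [""])[0],
        "rev2": q.get("rev2", [""])[0],
    }


def summarise(text):
    """Group parsed entries by bug id and count checkins per source file path."""
    by_bug = defaultdict(list)
    per_file = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip "[..snip..]" and other non-entry lines
        by_bug[rec["bug"]].append(rec)
        per_file[f'{rec["subdir"]}/{rec["file"]}'] += 1
    return dict(by_bug), per_file


if __name__ == "__main__":
    bugs, files = summarise(SAMPLE)
    for path, n in files.most_common():
        print(f"{n:2d} checkin(s)  {path}")
```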



 




Copyright © Lexa Software, 1996-2009.