Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

XPCOM - Race Condition

🗓️ 21 Jul 2015 00:00:00Reported by GulfTech SecurityType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 47 Views

XPCOM framework vulnerability in Mozilla browsers allows for a race condition causing hard browser crashes when viewing malformed HTML document

Related
Code
ReporterTitlePublishedViews
Family
CVE		CVE-2005-2414
3 Aug 200504:00
cve
Cvelist		CVE-2005-2414
3 Aug 200504:00
cvelist
Debian CVE		CVE-2005-2414
3 Aug 200504:00
debiancve
EUVD		EUVD-2005-2415
7 Oct 202500:30
euvd
exploitpack		XPCOM - Race Condition
21 Jul 201500:00
exploitpack
NVD		CVE-2005-2414
3 Aug 200504:00
nvd
UbuntuCve		CVE-2005-2414
3 Aug 200504:00
ubuntucve
XPCOM Race Condition

Vendor: Mozilla
Product: XPCOM
Version: 
Website: http://www.mozilla.org/projects/xpcom/

CVE: CVE-2005-2414 
OSVDB: 18226 
PACKETSTORM: 38837 

Description:
xpcom, or cross platform component object model is a framework for writing cross-platform, modular software. The xpcom library is used in many applications including a majority of the popular browsers such as FireFox, NetScape, Mozilla, Galeon, etc. It seems that there is a race condition of sorts in xpcom that makes it possible for an attacker to crash a victims browser by having them view a malformed html document. This issue is not believed to be exploitable by the Mozilla dev team, and will likely be addressed in full at a later date by the development team. 


XPCOM Race Condition:
It is possible for an attacker to create a race condition that will cause an access violation and result in a hard crash of the browser. One way to trigger this issue is by taking a decent sized html file and loading a dom call within some nested divs that will cause part of the page currently being rendered to be deleted. If the page has not loaded by the time the dom call is made then we can delete objects that have yet to be referenced, which will result in a crash as soon as the browser tries to reference the deleted object. 

http://www.gulftech.org/wrecko.html 

The above link is a simple proof of concept I wrote a few months ago to show the developers how the issue could be used to cause a crash of the affected web browser. Due to time constraints I have not got to look into this issue very in depth, but it may be possible to use the race condition described here in combination with other dom calls or javascript to produce different results than those demonstrated in my proof of concept. 


Solution:
Mozilla have been aware of this issue for some months, and have fixed the issue on trunk, but not on branch. The reason for this as stated by one of the developers is "fixes for this stuff could easily cause regressions". I did test this issue on the latest copy of the mozilla browser (Deer Park) this morning though, and it seemed to NOT be vulnerable. However, firefox and the like are still affected. 


Credits:
James Bercegay of the GulfTech Security Research Team

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
21 Jul 2015 00:00Current
6.6Medium risk
Vulners AI Score6.6
CVSS 22.6
EPSS0.05003
xpcommozillavulnerabilityrace conditionbrowser crasheshtml documents
47