Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

2007.02.28

Credit: Michal Zalewski

Risk: High

Local: No

Remote: Yes

CVE: CVE-2007-1094 | CVE-2007-1092

CWE: N/A

While researching my previous report on MSIE7 browser entrapment, I
noticed that Firefox is susceptible to a pretty nasty, and apparently
easily exploitable memory corruption vulnerability. When a location
transition occurs and the structure of a document is modified from within
onUnload event handler, freed memory structures are left in inconsistent
state, possibly leading to a remote compromise.

A quick test case that crashes while trying to follow partly
user-dependent corrupted pointers near valid memory regions (can be forced
to write, too):

http://lcamtuf.coredump.cx/ietrap/testme.html

This also crashes MSIE7 with a seemingly harmless NULL pointer bug (didn't
research it - do your homework).

Firefox problem is being tracked here:
https://bugzilla.mozilla.org/show_bug.cgi?id=371321

/mz

See this note in RAW Version

Vote for this issue:

50%

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Firefox onUnload + document.write() memory corruption vulnerability (MSIE7 null ptr)

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.