Re: Advice On FireFox Bug

From: Michal Zalewski (lcamtuf_at_dione.ids.pl)
Date: 08/01/05

  • Next message: nicolas.falliere_at_gmail.com: "Exploiting heap overflows on XP SP2"
    Date: Mon, 1 Aug 2005 19:59:42 +0200 (CEST)
    To: John Cobb <johnc@nobytes.com>
    
    

    On Sat, 30 Jul 2005, John Cobb wrote:

    > After a bit of playing I found a bug with the latest version of FireFox
    > which seems to work on Win2K & WinXP /.../ but since I'm not a
    > coder/reverse engineer it's a bit difficult to understand what's
    > causing the problem.

    John,

    If you manually created a malicious input file, you should be well aware
    what causes the crash; I take it you took an approach more similar to my
    'mangleme' experiment (see BUGTRAQ archives) - if so, you'd have a file
    with plenty of broken HTML tags, and would be tasked with finding which
    one, exactly, causes the problem.

    You're probably looking the wrong way - many problems occur after initial
    parsing and splitting of tags, and so, a step-by-step HTML parser
    debugging is probably not going to help a whole lot.

    Chances are the problem is caused by a single tag. The easiest way to find
    it is to split the file in two parts - and see which one, if any, crashes
    the browser. If you get a crash, continue this procedure - in just a
    couple of steps, you should go down to a file that can be easily examined
    manually.

    If, at some point, you end up with two halves, neither of them causing a
    crash, try uneven ratios, or remove a portion from the middle of the file,
    leaving a block at the beginning and near the end intact. Also pay
    attention to the balance of '>' and '"'.

    Also, don't be afraid to read the debugger output on crash, even if you do
    not know the product and are not too comfortable with assembly - crash
    location, along with stack backtrace and register contents, should give
    you some hints as to where the crash occurred, and what data ended up where
    it does not belong.

    > (This bug is 0day. If you work for a nice rich security company and want
    > to purchase this off me, email me: johnc@nobytes.com :) )

    Oh, that's not nice.

    /mz
    http://lcamtuf.coredump.cx/silence/
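The split-and-retest procedure described in the reply, written out as a small harness. This is an added example, not code from the message above, from the 'mangleme' tool, or from Mozilla: it cuts the mangled file at tag boundaries, tries halves, then uneven ratios, then removes a block from the middle while keeping the head and tail, and keeps whichever candidate still crashes. The browser is reached through an "oracle" callable, so the search runs offline here against a constructed 20-tag sample in which two made-up placeholder tags (`<trigger-open>`, `<trigger-close>`) stand in for a real trigger; they are not a Firefox bug. The real-browser oracle assumes you supply the command line (for instance `firefox -no-remote -profile <throwaway dir>`), and its crash test (exit by signal, or a Windows exception status) is a heuristic to be confirmed under a debugger.

```python
"""Crash-input bisection harness for a mangled HTML file.

Added example, not code from the message above or from 'mangleme'.
Automates the procedure the reply describes: cut at tag boundaries,
test each half, keep the half that still crashes; if neither does, try
uneven splits, then cut a block out of the middle.  The browser is
reached through an oracle callable (chunks -> bool), so the search logic
can be exercised offline with a simulated crash.
"""
import os
import subprocess
import tempfile
from typing import Callable, List, Tuple

Oracle = Callable[[List[str]], bool]


def tokenize(html: str) -> List[str]:
    """Split HTML into chunks that each end at '>' so a cut never lands inside
    a tag; trailing text after the last '>' becomes one chunk.  A '>' inside a
    quoted attribute still splits, hence the advice to watch '>' and '"'."""
    chunks, start = [], 0
    for i, ch in enumerate(html):
        if ch == ">":
            chunks.append(html[start:i + 1])
            start = i + 1
    if start < len(html):
        chunks.append(html[start:])
    return chunks


def reduce_case(chunks: List[str], crashes: Oracle) -> Tuple[List[str], int]:
    """Shrink `chunks` to a small crashing subset; returns (chunks, tests run)."""
    if not crashes(chunks):
        raise ValueError("starting input does not crash; nothing to bisect")
    tests = 0
    while len(chunks) > 1:
        n = len(chunks)
        found = None
        # Steps 1-2: halves first, then uneven ratios (quarters, eighths),
        # testing both the head and the tail of each split.
        for denom in (2, 4, 8):
            if denom > n or found is not None:
                break
            for k in range(1, denom):
                cut = n * k // denom
                for cand in (chunks[:cut], chunks[cut:]):
                    if 0 < len(cand) < n:
                        tests += 1
                        if crashes(cand):
                            found = cand
                            break
                if found is not None:
                    break
        # Step 3: neither side crashes alone, so the trigger spans both ends.
        # Remove an interior block, keeping a head and a tail intact.
        if found is None:
            for denom in (2, 4, 8):
                if denom > n or found is not None:
                    break
                size = n // denom
                for start in range(0, n - size + 1, max(1, size // 2)):
                    cand = chunks[:start] + chunks[start + size:]
                    tests += 1
                    if crashes(cand):
                        found = cand
                        break
        if found is None:
            break  # no cut of these shapes keeps the crash; examine by hand
        chunks = found
    return chunks, tests


def make_browser_oracle(argv: List[str], timeout: float = 15.0) -> Oracle:
    """Oracle that launches a real browser on each candidate.  `argv` is your
    command prefix, e.g. ['firefox', '-no-remote', '-profile', '/tmp/bisect']
    (throwaway profile, so a crashed session is not restored); the temp-file
    path is appended.  Exit by signal (negative code on POSIX) or a Windows
    exception status (>= 0xC0000000) counts as a crash; still running at the
    timeout counts as no crash.  Heuristic: confirm the result in a debugger."""
    def crashes(chunks: List[str]) -> bool:
        with tempfile.NamedTemporaryFile("w", suffix=".html", delete=False) as f:
            f.write("".join(chunks))
            path = f.name
        try:
            proc = subprocess.run(argv + [path], timeout=timeout,
                                  stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
        except subprocess.TimeoutExpired:
            return False
        finally:
            os.unlink(path)
        return proc.returncode < 0 or proc.returncode >= 0xC0000000
    return crashes


# Constructed sample: 20 filler tags plus two made-up placeholder tags that
# only "crash" together, so plain halving fails and the uneven-ratio and
# middle-removal steps are exercised.  Not a real Firefox trigger.
_CHUNKS = ['<div id="d%d">' % i for i in range(20)]
_CHUNKS[2] = "<trigger-open>"
_CHUNKS[17] = "<trigger-close>"
SAMPLE_HTML = "".join(_CHUNKS)


def simulated_crash(chunks: List[str]) -> bool:
    html = "".join(chunks)
    return "<trigger-open>" in html and "<trigger-close>" in html


if __name__ == "__main__":
    small, tests = reduce_case(tokenize(SAMPLE_HTML), simulated_crash)
    print("%d oracle runs -> %d chunk(s): %s" % (tests, len(small), "".join(small)))
```

For a real run, replace `simulated_crash` with `make_browser_oracle([...])` and pass `tokenize(open(path).read())`; each candidate costs one browser launch, so the timeout should be just long enough for the page to render. The harness stops when no half, uneven split or interior cut keeps the crash, which is the point at which the reply suggests reading the remaining file by hand.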

