[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP

To: full-disclosure@xxxxxxxxxxxxxxxx
Subject: RE: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
From: jhaunsystem <jhaunsystem@xxxxxxxxx>
Date: Mon, 12 Jul 2004 22:09:21 -0700 (PDT)

 I tested it out on 2 platforms.  On Mozilla 1.7 &&
win2k I get the same results as your description. 
However on Freebsd_4.10 && Mozilla 1.7, Mozilla just
crashes with little or no tax on the system.


> -----Original Message-----
> From: full-disclosure-admin@xxxxxxxxxxxxxxxx
> [mailto:full-disclosure-admin@xxxxxxxxxxxxxxxx] On
> Behalf Of st3ng4h
> Sent: Tuesday, July 13, 2004 2:23 AM
> To: Ali Campbell
> Cc: full-disclosure@xxxxxxxxxxxxxxxx;
> the_invincible@xxxxxx
> Subject: Re: [Full-Disclosure] Firefox 0.92 DoS via
> TinyBMP
> 
> On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali
> Campbell wrote:
> > I agree when you say that it's probably a flaw in
> the BMP lib 
> > implementation. But as I've pointed out once
> already, Windows isn't 
> > the only afflicted platform:
> [snip]
> 
> You're correct, and I'm glad you did point this out,
> because it may
> potentially affect many such implementations.
> 
> The April bugtraq advisory that I provided URL for
> earlier (and again [1])
> says:
> 
> "When a BMP file loaded into the Internet Explorer
> (for exmaple 'IMG' tag)
> the internet explorer check the BMP image size
> written in BMP file, and then
> allocate the necessary memory to itself for placing
> bmp image into the
> memory."
> 
> Also see MSDN's explanation of bitmap file structure
> [2] for more details.
> 
> AFAICT, any program/library that allocates bfSize
> (in
> BITMAPFILEHEADER) bytes of memory, without verifying
> that this resembles the
> actual size of the bitmap file, will likely suffer
> from this problem in some
> form or another. 
> 
> Why this was not figured out in the original
> advisory or this one is beyond
> me; I have approximately zero experience as a
> bug-hunter and am mostly
> ignorant to Windows internals.
> 
> What's more annoying is that the OP apparently just
> ripped off the PoC from
> the original (incorrect) IE advisory, did not credit
> the finder, and
> published it as a Firefox vulnerability.
> 
> st3ng4h
> 
> [1] http://www.securityfocus.com/archive/1/360166
> 
> [2]
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps
> _62uq.asp
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 



                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

References:
- RE: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
  - From: Sapheriel

Prev by Date: RE: [Full-Disclosure] Erasing a hard disk easily
Next by Date: Re: AW: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Previous by thread: RE: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Next by thread: RE: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP
Index(es):
- Date
- Thread