Mozilla firefox focus and Nightly for Android remote crash DoS

Wednesday, October 12, 2022

########################

Mozilla Firefox, Focus and Nightly

For Android Remote Crash Dos 

Vulnerability.

Last update: 25/11/2022

########################


################

Description 

################

A vulnerability is present in the way that Mozilla  for Android mobile products manage the clipboard and handle excepcions. 

A evil site can take profit from software excepcions to do a crash in the app or to deny access to clipboard and cause a crash resulting in lost of available information that not save. 

If we close the app and clear cache etc, we have the same situation a crash or a Dos that Tdo a crash. :)

The vulnerability interact with parts of Android system like open links in app, and sharing functions. 

It's a of different error messages that the app can't handle or programmer store remote data in parcels, or how store data in clipboard and how process it. 

Multiple app are vulnerable to this style attack resulting in a lost of data, DoS to application, crash aplicattion or DoS to functions or application or dead browser treat activity and force user to close App. 

We can abuse parcels errors in

TransactionTooLargeException

DeadSystemException

Wen can abuse open in app or sharing functions or clipboard functions in


TransactionTooLargeException

DeadSystemException

ClipboardManager

content.ClipboardManager.getPrimaryClip


################

Versions afected:

################

Mozilla firefox 

107.1.0 Build #2015915067

106.1.0 built 2015907747

105.2.0 built 2015907747


Mozilla Nightly 

107.0a1 

built 2015909163 

built 2015909131

built 2015915115

108.0a1 

built 2015912339 

built 2015913675

109.0a1 

Build 2015916075

Build 2015917035

Build 2015917803


Mozilla Focus 

105.0.2 

built  362762015

107.1.0

Built 363142253

#########################

Related bugs in other apps

https://bugs.chromium.org/p/chromium/issues/detail?id=1385502


Mozilla issue tracker 

https://github.com/mozilla-mobile/focus-android/issues/8056

Posible related bug

https://github.com/mozilla-mobile/android-components/issues/12804

Tested on

Android 9, 10, 11, 12 and continue testing


################

Timelime

################

Discovered 28-08-2022

Vendor notify NO

Released 12-10-2022

Last update 25-11-2022

###############

No more details at this time. 

Exploit available in private. 

I update this advisore in few days with more information. 


################ €nd ####################

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente.... 

Safari for windows 5.1.7 (7534.57.2) Remote code execution

Saturday, December 14, 2013
############################################
Safari for windows 5.1.7 (7534.57.2) Remote code execution
JavaScriptCore.dll (7534.57.3.3)
Vendor notify: NO Exploit available: Private
Advisore:http://lostmon.blogspot.com.es/2013/12/safari-for-windows-517-7534572-remote.html
 #############################################

Safari for windows is a discontinued product; but in my work ) tecnical support for clients and bussines) i found it installed in serveral machines.

Iit is prone vulnerable to a buffer overflow in  JavaScriptCore.dll that allows remote crash if failed or Remote Code Execution if the exploit is succesfully.

This issue is tiggered when safari try to allocate a large amount of data in  javascript stack memory.
We espect a " out of memory" alert box, but we can bypass or fuzzing this alert and result a RCE.

 i don't like the responses from Apple amd this is a discontinued product.... See Windbg Log for this issue:

(1240.1334): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=77d25085 edx=00000000 esi=1d7c0000 edi=7ff90240
eip=61b39357 esp=0023f01c ebp=00000001 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Safari\Apple Application Support\JavaScriptCore.dll - 
JavaScriptCore!WTF::fastMalloc+0x157:
61b39357 c705efbeadbb00000000 mov dword ptr ds:[0BBADBEEFh],0 ds:0023:bbadbeef=????????
0:000> !load msec.dll
0:000> !exploitable -m
VERSION:1.6.0.0
IDENTITY:HostMachine\HostUser
PROCESSOR:X86
CLASS:USER
QUALIFIER:USER_PROCESS
EVENT:DEBUG_EVENT_EXCEPTION
EXCEPTION_FAULTING_ADDRESS:0xffffffffbbadbeef
EXCEPTION_CODE:0xC0000005
EXCEPTION_LEVEL:SECOND_CHANCE
EXCEPTION_TYPE:STATUS_ACCESS_VIOLATION
EXCEPTION_SUBTYPE:WRITE
FAULTING_INSTRUCTION:61b39357 mov dword ptr ds:[0bbadbeefh],0
MAJOR_HASH:0x7fdedd27
MINOR_HASH:0x39b7b969
STACK_DEPTH:6
STACK_FRAME:JavaScriptCore!WTF::fastMalloc+0x157
STACK_FRAME:WebKit!WKDictionaryGetTypeID+0xb112
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x1f776
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x489f2
STACK_FRAME:WebKit!WKCredentialGetTypeID+0x4337e
STACK_FRAME:JavaScriptCore!JSC::JSArray::getOwnPropertySlotByIndex+0x2a44
INSTRUCTION_ADDRESS:0x0000000061b39357
INVOKING_STACK_FRAME:0
DESCRIPTION:User Mode Write AV
SHORT_DESCRIPTION:WriteAV
CLASSIFICATION:EXPLOITABLE
BUG_TITLE:Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969)
EXPLANATION:User mode write access violations that are not near NULL are exploitable.0:000> !exploitable

!exploitable 1.6.0.0
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at JavaScriptCore!WTF::fastMalloc+0x0000000000000157 (Hash=0x7fdedd27.0x39b7b969)

User mode write access violations that are not near NULL are exploitable.
####################### €nd ##########################
--
 atentamente: Lostmon (lostmon@gmail.com)
 Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
-- La curiosidad es lo que hace mover la mente....

Opera browser Speed dial Extensions XSS and CSRF

Tuesday, August 27, 2013
########################################
Opera Browser Speed Dial Extensions XSS and XSRF
Original advisore: http://lostmon.blogspot.com.es/2013/08/opera-browser-speed-dial-extensions-xss.html
########################################

############
Description:
############

Speed Dial gives you quick access to your favorite Web sites. Every time you open a new tab, you are presented with a 3x3 grid of thumbnails, each representing a Web address. To open a page, click on the corresponding thumbnail, or use the keyboard shortcuts. http://help.opera.com/Mac/10.50/en/speeddial.html

#########
Abstract
#########

Developers Build Extensions for fast access to web services like
Gmail, Flirk or Facebook.

Speed dial "protect users" to direct XSS attacks, but the extensions used in Speed ??Dial, are not free of bugs and some of them are not safe. A remote attacker could compose special attacks, for abusing the  functionality of these extensions in Speed Dial.


####################
Extensions for Gmail
####################

This two extenions show latest unread Emails from Gmail and are prone vulnerables to XSS & CSRF style atacks.

######
XSS:
######

If a attacker write a Email and in subject insert a html code it is executed in the extension.


















######
XSRF:
######

If a attacker compose a Email with subject like
 "><iframe src="https://mail.google.com/mail/?logout&hl=es"<>/iframe>
when the extension refresh content, it cause victim logout function.


https://addons.opera.com/es/extensions/details/gmail-on-speed-dial-ex/
https://addons.opera.com/es/extensions/details/gmail-on-speed-dial/

##############################
Extensions for Google Calendar
##############################

This Two extensions Show reminders and events from Google Calendar
and are prone vulnerables to XSS & CSRF style attacks

######
XSS:
######

If a attacker write a event in a shared calendar and in subject insert a html code it is executed in the extension.



######
XSRF:
######

If a attacker a event in a shared calendar with subject like
 "><iframe src="https://www.google.com/calendar/logout"<>/iframe>
when the extension refresh content, it cause victim logout function.


https://addons.opera.com/es/extensions/details/google-calendar/
https://addons.opera.com/es/extensions/details/gcaltoday/

################
Related Links
################

http://lostmon.blogspot.com.es/2010/09/google-chrome-instaled-extensions.html
http://www.osvdb.org/search?search[vuln_title]=lostmon%20extension&search[text_type]=alltext
http://www.oxdef.info/posts/2011/01/18/chrome-ext/
http://www.pcmag.com/article2/0,2817,2359778,00.asp


############## End ########################

##################
Solution
###################

No solution was available at this time !!!

 ################ €nd ####################

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente.... 

Arora qrc: dialog XSS and DoS

Tuesday, July 31, 2012
########################################
Arora qrc: dialog XSS and DoS
Vendor URL:http://code.google.com/p/arora/
Advisore: http://lostmon.blogspot.com.es/2012/07/arora-qrc-dialog-xss-and-dos.html
Vendor notify:NO  exploit available:yes
#######################################

Arora is a lightweight cross-platform web browser. It's free (as in free speech and free beer).
Arora runs on Linux, embedded Linux, FreeBSD, Mac OS X, Windows, Haiku, and any other platforms
supported by the Qt toolkit.

Arora uses the QtWebKit port of the fully standards-compliant WebKit layout engine.
It features fast rendering, powerful JavaScript engine and supports Netscape plugins.

Arora contains a two flaws that allows a remote cross site scripting (XSS) attack and DoS.

This flaw exists because the application does not validate the qrc: Uri dialog and
internal error pages. This may allow a user to create a specially crafted Link/url that
would execute arbitrary script code in a user's browser within the trust relationship
between their browser and the qrc handler ( local ).

Also Arora has a second flaw that allow Denial of service or app to crash in a special link.


#################
Proof of Concept
#################

create a html doc and write this code, click in the link and it execute
the xss and if accept the alert box, the app crash :)
 <html><body>
<a href='qrc:/"><script>alert('Sorry, Now Your App Crash!');</script>'>Arora about: handler XSS</a>
</body></html>

################
Versions afected
################

Arora 0.10.0 Windows Qt 4.5.3

##################
Solution
###################

No solution was available at this time !!!

 ################ €nd ####################

--
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
 

Browse

About:Me

My blog:http://lostmon.blogspot.com
Mail:Lostmon@gmail.com
Lostmon Google group
Lostmon@googlegroups.com

La curiosidad es lo que hace
mover la mente...

Friends