Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

RE: Firefox 0.92 DoS via TinyBMP
From: jhaunsystem <jhaunsystem () yahoo com>
Date: Mon, 12 Jul 2004 22:09:21 -0700 (PDT)

 I tested it out on 2 platforms.  On Mozilla 1.7 &&
win2k I get the same results as your description. 
However on Freebsd_4.10 && Mozilla 1.7, Mozilla just
crashes with little or no tax on the system.


-----Original Message-----
From: full-disclosure-admin () lists netsys com
[mailto:full-disclosure-admin () lists netsys com] On
Behalf Of st3ng4h
Sent: Tuesday, July 13, 2004 2:23 AM
To: Ali Campbell
Cc: full-disclosure () lists netsys com;
the_invincible () gmx de
Subject: Re: [Full-disclosure] Firefox 0.92 DoS via
TinyBMP

On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali
Campbell wrote:
I agree when you say that it's probably a flaw in
the BMP lib 
implementation. But as I've pointed out once
already, Windows isn't 
the only afflicted platform:
[snip]

You're correct, and I'm glad you did point this out,
because it may
potentially affect many such implementations.

The April bugtraq advisory that I provided URL for
earlier (and again [1])
says:

"When a BMP file loaded into the Internet Explorer
(for exmaple 'IMG' tag)
the internet explorer check the BMP image size
written in BMP file, and then
allocate the necessary memory to itself for placing
bmp image into the
memory."

Also see MSDN's explanation of bitmap file structure
[2] for more details.

AFAICT, any program/library that allocates bfSize
(in
BITMAPFILEHEADER) bytes of memory, without verifying
that this resembles the
actual size of the bitmap file, will likely suffer
from this problem in some
form or another. 

Why this was not figured out in the original
advisory or this one is beyond
me; I have approximately zero experience as a
bug-hunter and am mostly
ignorant to Windows internals.

What's more annoying is that the OP apparently just
ripped off the PoC from
the original (incorrect) IE advisory, did not credit
the finder, and
published it as a Firefox vulnerability.

st3ng4h

[1] http://www.securityfocus.com/archive/1/360166

[2]

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps
_62uq.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html


_______________________________________________
Full-Disclosure - We believe in it.
Charter:
http://lists.netsys.com/full-disclosure-charter.html




                
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]