c
  


  

  

   !"

Basically firefox logs all kind of URL data in it's history.dat file, this little script will set a really
large topic and Firefox will then save that topic into it's history.dat. The next time that Firefox is
opened, it will instantly crash due to a buffer overflow. This will happen everytime until you
manually delete the history.dat file which most users won't figure out.

This proof of concept will only prevent someone from reopening their browser after being
exploited. DoS if you will however, code execution is possible with some modifications.

Tested with Firefox 1.5 on Windows XP SP2.

function ex() {
var buffer = "";
for (var i = 0; i < 5000; i++) {
buffer += "A";
}
var buffer2 = buffer;
for (i = 0; i < 500; i++) {
buffer2 += buffer;
}
document.title = buffer2;
}

· #
"$%&
' %(

) of Telenor SOC reported an exploit targeting particular versions of Firefox 3.6
on Windows XP that Telenor found while investigating an intrusion attempt on a customer
network. The underlying vulnerability, however, was present on both the Firefox 3.5 and Firefox
3.6 development branches and affected all supported platforms.


  !"*+,-."/ 01· #

A heap buffer overflow vulnerability was discovered which is caused by an integer overflow in
nsGenericDOMDataNode::SetTextInternal().
Due to the amount of data needed to trigger the vulnerability (> 8 gigbytes), this is only
exploitable on 64-bit systems. This vulnerability was tested on Ubuntu AMD64 with the default
install of Firefox and a custom build of Firefox on the same system.
The vulnerable code is in nsGenericDOMDataNode::SetTextInternal()
 

With a very large aLength or textLength an attacker would be able to wrap the integer
newLength, resulting in an allocation of a too small buffer. When aLength is larger than zero the
memcpy() will overflow the buffer.
A proposed fix would be to use size_t or similar value types for all length values, as this will
ensure that the right value types are used for any length and size values. Furthermore the result of
calculations which may wrap should be checked. The following Proof-of-Concept code will
trigger the bug. Note that there will be multiple ways of triggering the issue:
POC Code:

Provided the test system has enough memory (>8 gigabyte) following crash will be triggered:


  /2"#
/2"#·. 2
 
A vulnerability has been reported in Internet Explorer, which can be exploited by malicious
people to compromise a user's system.

The vulnerability is caused due to a boundary error within the handling of certain attributes in the
<IFRAME> and <FRAME> HTML tags. This can be exploited to cause a buffer overflow via a
malicious HTML document containing overly long strings in e.g. the "SRC" and "NAME"
attributes of the <IFRAME> tag.
Successful exploitation allows execution of arbitrary code.
The vulnerability has been confirmed in the following versions:
* Internet Explorer 6.0 on Windows XP SP1
* Internet Explorer 6.0 on Windows 2000 .

NOTE: This advisory has been rated "Extremely critical" as a working exploit has been
published on public mailing lists. A variant of the MyDoom virus is now also exploiting this
vulnerability.

Microsoft Internet Explorer contains a buffer overflow vulnerability in its handling of embedded
objects in HTML documents. This vulnerability could allow an attacker to execute arbitrary code
on the victim's system when the victim visits a web page or views an HTML email message.

Internet Explorer supports the <EMBED> directive, which can be used to include arbitrary
objects in HTML documents. Common types of embedded objects include multimedia files, Java
applets, and ActiveX controls. The SRC attribute specifies the source path and filename of an
object. For example, a MIDI sound might be embedded in a web page with the following HTML
code:

<EMBED TYPE="audio/midi" SRC="/path/sound.mid" AUTOSTART="true">

Internet Explorer uses attributes of the <EMBED> directive and MIME information from the
web server to determine how to handle an embedded object. In most cases, a separate application
or plugin is used.

A group of Russian researchers, SECURITY.NNOV, has reported that Internet Explorer does not
properly handle the SRC attribute of the <EMBED> directive. An HTML document, such as a
web page or HTML email message, that contains a crafted SRC attribute can trigger a buffer
overflow, executing code with the privileges of the user viewing the document.

According to the Severity Rating for the "Buffer Overrun in HTML Directive" vulnerability
in MS02-005, Internet Explorer 5.5 and 6.0 are vulnerable. Outlook and Outlook Express are
also vulnerable, since they use Internet Explorer to render HTML email messages. Other
applications that use the Internet Explorer HTML rendering engine, such as America Online
(AOL), Windows compiled HTML help (.chm) files, and third-party email clients may also be
vulnerable.

The CERT/CC is tracking this vulnerability as VU#932283, which corresponds directly to the
"buffer overrun" vulnerability described in Microsoft Security Bulletin MS02-005. This
vulnerability has been assigned the CVE identifier CAN-2002-0022.

&/2"#  !342 %

/!342

Microsoft Internet Explorer (IE) contains a buffer overflow vulnerability that can be exploited to
execute arbitrary code with the privileges of the user running IE.

A heap buffer overflow vulnerability exists in the way IE handles the SRC and NAME attributes
of HTML elements such as FRAME and IFRAME. Publicly available exploit code uses
JavaScript to prepare the heap by allocating memory with blocks that consist of NOP slides and
shell code. After mishandling overly long SRC and NAME attributes, IE dereferences a memory
address that may fall within one of the prepared heap blocks, running through the NOP slide and
executing the attacker's shell code. Without the ability to prepare the heap (i.e., without Active
scripting), it becomes more difficult for the attacker to execute arbitrary code. Note, however,
that an attacker could use techniques other than Active scripting to prepare the heap to more
easily execute arbitrary code.
It appears that this vulnerability was discovered using the mangleme tool.
Other programs (e.g., Outlook, Outlook Express, AOL, Lotus Notes) that use the WebBrowser
ActiveX control could be affected by this vulnerability.
Based on currently available information, IE 6 on Windows XP SP2 is not vulnerable.

/
# &
By convincing a user to view a specially crafted HTML document (e.g., a web page or an HTML
email message), an attacker could execute arbitrary code with the privileges of the user. The
attacker could also cause IE (or the program using the WebBrowser control) to crash.
Public reports indicate that this vulnerability is used by malicious code called Bofra (also
identified as variants of W32/MyDoom).

o$& 
5
SVRT - Bkis have just discovered vulnerability in Google Chrome 0.2.149.27
Details:
- Type of Issue: Buffer Overflow.
- Affected Software: Google Chrome 0.2.149.27.
- Exploitation Environment: Google Chrome (Language: Vietnamese) on Windows
XP SP2.

/
# &53
&%"&

(&#:
The vulnerability is caused due to a boundary error when handling the ³SaveAs´ function. On
saving a malicious page with an overly long title (<title> tag in HTML), the program causes a
stack-based overflow and makes it possible for attackers to execute arbitrary code on users¶
systems.
·   &&%"#  :
To exploit the Vulnerability, a hacker might construct a specially crafted Web page, which
contains malicious code. He then tricks users into visiting his Website and convinces them to
save this Page. Right after that, the code would be executed, giving him the privilege to make use
of the affected system.
4-3. :
Bkis Vietnam is a security research center in Vietnam. SVRT, which is short for Security
Vulnerability Research Team, is one of Bkis researching groups. SVRT specializes in the
detection, alert and announcement of security vulnerabilities in software, operating systems,
network protocols and embedded systems...

A vulnerability has been reported in Google Chrome, which can be exploited by malicious
people to compromise a user's system.
The vulnerability is caused due to an error when handling unspecified HTTP responses. This can
be exploited to cause a buffer overflow via a specially crafted HTTP response received from an
HTTP server.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is reported in versions prior to 2.0.172.33.
62,,5#&$·..
#5Google Chrome is
vulnerable to a buffer overflow in handling certain responses from HTTP servers. A specially
crafted response from a server could crash the browser and possibly allow an attacker to run
arbitrary code.
 +# 


· #·.
&  & %"&  &%

Performing some painting operations on a canvas while certain transformations are being applied
in Opera may result in heap buffer overflows. In most cases Opera will just freeze or terminate,
but in some cases this could lead to a crash which could be used to execute code. To inject code,
additional
Heap buffer
HTML5 techniques
canvas can bewill
overflow have
inused
HTML5 tocanvas
be employed.
to execut can be used to execute arbitrary couffer overflow in
Marcin Ressel has discovered vulnerability in Opera, which can be exploited by malicious
people to compromise a user's system.

The vulnerability is caused due to an error when processing HTTP responses having a
malformed "Content-Length" header. This can be exploited to cause a heap-based buffer
overflow via an overly large 64-bit "Content-Length" value, having the higher 32-bit part
negative.
Successful exploitation may allow execution of arbitrary code.
The vulnerability is confirmed in version 10.50 for Windows. Other versions may also be
affected.

# 76, $ 7· % 

Vulnerability has been identified in Opera, which could be exploited by remote attackers to
compromise a vulnerable system. This issue is caused by a buffer overflow error when
processing malformed HTTP "Content-Length:" headers, which could be exploited by remote
attackers to crash an affected browser or execute arbitrary code by tricking a user into visiting a
web page hosted on a malicious web server.
VUPEN confirmed the vulnerability with Opera version 10.50 on Windows XP SP3.
An error related to the processing of certain XSLT constructs could allow a malicious web page
to retrieve contents from arbitrary web sites.