If at first you don't succeed; call it version 1.0
Sunday, 11 December 2005

A few days ago, ZIPL0CK introduced a new Denial Of Service vulnerability in Firefox. By creating a huge web page title, which will fill the history.dat file with large content, Firefox will hang for some time (depending the content size and the user's system) on the next time the user will try to use the browser.

Today, Mozilla foundation published an advisory, claiming this issue is not so serious, and that the unresponsiveness of the browser is only "temporary". This is true for the Proof-of-Concept exploit, and for people with strong computers. But by modifying the PoC, an attacker can easily achieve a humongous history.dat file which will cause the Firefox to hang (with 100% CPU utilization) for a LONG LONG time. So long, that most users will not wait just to delete the history as suggested by Mozilla foundation in the advisory. The right workaround would be to delete the history.dat file. Moreover, Mozilla foundation should acknowledge this problem as more severe, and address it as soon as possible.

This reminds me the last time Mozilla underestimated a vulnerability. I've also posted this issue to Full-Disclosure, but yet to receive response from Mozilla. 

I think it's been enough time for people to upgrade from v1.0.4. of Firefox. So, here is the PoC exploit for the InstallVersion.compareTo() vulnerability. The PoC does nothing but returns (this can be easily replaced with shell code), and it uses SkyLined's InternetExploiter2 methodology to inject code to the heap.

[UPDATE:] Apparently, Mozilla team has removed the access to the InstallVersion.compareTo() bug report page. I hope this means they will finally set the severity of this security hole in the advisory to higher than just 'Moderate'.

[Another Update:] Packetstorm has removed the Denial-of-Service exploit page. This PoC can be found at milw0rm.

[Last Update? :] The InstallVersion.compareTo() bug report page is opened again. Unfortunately, the severity of the vulnerability in the advisory is still 'Moderate' :(.

[Last Update! :] Victory! Well, Sort Of..

Sunday, 11 December 2005 13:36:24 UTC | Comments [10] | Security#
Tuesday, 13 December 2005 10:14:15 UTC
Wat ben jij een lul!
Tuesday, 13 December 2005 10:54:48 UTC
English please...
Aviv Raff
Tuesday, 13 December 2005 17:51:24 UTC
"Wat ben jij een lul!" - You're such a dick (http://babelfish.altavista.com/)

A Dutch news announcement has been made at http://webwereld.nl/articles/38797

A compareTo() Remote Code Execution Exploit has been published at http://www.milw0rm.com/id.php?id=1369

At your service!
Tuesday, 13 December 2005 18:31:08 UTC
lol .. and they say firefox is safe? muwhahaha .. dont make me laugh :p
Wednesday, 14 December 2005 00:55:38 UTC
I made bug 295854 public again. Sorry about that; I think I made it private accidentally.
Wednesday, 14 December 2005 03:58:53 UTC
You know, you could have gone to jail for this...
Wednesday, 14 December 2005 13:39:39 UTC
No he couldn't... it's a bug in the program that needed to be fixed.

And the level is at Critical now. ;)
Wednesday, 14 December 2005 14:51:32 UTC
Funny... there is a 'copyright' in your 'code'. Get a life, jackass.
Wednesday, 14 December 2005 15:02:21 UTC
Peter, the "copyright" is a reminder to "Exploits Databases" (like milw0rm/FrSirt etc.) not to remove my name. That's all.
Aviv Raff
Thursday, 11 January 2007 13:31:39 UTC
Came across this code "in the wild" today (2007-01-11), apparently from an "advertisement" pop-under that got opened by going to an ImageShack link. Currently it's at http://www.bpath.com/bannerexchange/hotbar/cr-4518.html (inside the frame the exploit is at

Makes me wonder if they are going for people who haven't updated their Mozilla/Firefox installs?

Anyway, since I found your copyright notice and URL in the code, I thought you would maybe find it interesting :-)
Comments are closed.     
Send me an Email
Follow me on Twitter
RSS Feeds
Admin Login
Sign In
The opinions expressed herein are my own personal opinions and do not represent my employer's view in anyway.