Document Title: =============== Mozilla Firefox v48.0.2 - (mozglue.dll) Denial of Service Date: ===== 2016-10-04 References: =========== https://www.vulnerability-lab.com/get_content.php?id=1953 VL-ID: ===== 1953 Common Vulnerability Scoring System: ==================================== 3 Vulnerability Class: ==================== Denial of Service Introduction: ============= Mozilla Firefox is a web browser open and free, developed and distributed by the Mozilla Foundation with the help of thousands of volunteers with the methods of development of free software / open source and freedom of source code. (Copy of the Homepage: https://www.mozilla.org/fr/firefox/new/ ) Abstract: ========= An independent vulnerability laboratory researcher discovered a denial of service vulnerability in the official Mozilla Firefox Browser v48.0.2. Report-Timeline: ================ 2016-10-04: Non-Public Disclosure (Vulnerability Laboratory - Shared Customer Research Feed) Status: ======== Published Affected Products: ================== Mozilla Product: Firefox - Browser (Software) v48.0.2 Exploitation-Technique: ======================= Remote Severity: ========= Medium Details: ======== A denial of service vulnerability has been discovered in the official Mozilla Firefox Browser v48.0.2. The issue can crash the local software process (mozglue.dll) via denial of service vulnerability. Proof of Concept: ================= The browser web vulnerability can be exploited by remote attackers without privileged user account and with low user interaction. For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue. PoC: Exploitation (Javascript) --- PoC Debug Session Logs [WinDBG] --- Break instruction exception - code 80000003 (first chance) eax=00000000 ebx=00000000 ecx=5dee0a3e edx=00000000 esi=6e837466 edi=00ce70ce eip=6e82efe5 esp=00ce7088 ebp=00ce70d4 iopl=0 nv up ei pl nz na pe nc cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200206 *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Program FilesMozilla Firefoxmozglue.dll - mozglue!mozalloc_abort+0x2c: 6e82efe5 cc int 3 mozglue!mozalloc_abort+0x2c: 6e82efe5 cc int 3 6e82efe6 6a03 push 3 6e82efe8 c7050000000021000000 mov dword ptr ds:[0],21h 6e82eff2 ff151060836e call dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xf96 (6e836010)] 6e82eff8 50 push eax 6e82eff9 ff155c60836e call dword ptr [mozglue!double_conversion::DoubleToStringConverter::ToFixed+0xfe2 (6e83605c)] 6e82efff cc int 3 mozglue!mozalloc_handle_oom: 6e82f000 55 push ebp lmvm mozglue start end module name 6e820000 6e83d000 mozglue (export symbols) C:Program FilesMozilla Firefoxmozglue.dll Loaded symbol image file: C:Program FilesMozilla Firefoxmozglue.dll Image path: C:Program FilesMozilla Firefoxmozglue.dll Image name: mozglue.dll Timestamp: Wed Aug 24 06:53:43 2016 (57BD2857) CheckSum: 0001E87D ImageSize: 0001D000 File version: 48.0.2.6079 Product version: 48.0.2.6079 File flags: 0 (Mask 3F) File OS: 4 Unknown Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0000.04b0 CompanyName: Mozilla Foundation ProductName: Firefox InternalName: Firefox OriginalFilename: mozglue.dll ProductVersion: 48.0.2 FileVersion: 48.0.2 FileDescription: 48.0.2 LegalCopyright: License: MPL 2 LegalTrademarks: Mozilla Comments: Mozilla Risk: ===== The security risk of the denial of service vulnerability in the firefox web-browser is estimated as medium (CVSS 3.0). Credits: ======== Vulnerability-Lab [research@vulnerability-lab.com] - https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab Disclaimer: =========== The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability mainly for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data. Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact Social: twitter.com/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php Any modified copy or reproduction, including partially usages, of this file, resources or information requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list, modify, use or edit our material contact (admin@) to get a ask permission. Copyright © 2016 | Vulnerability Laboratory - [Evolution Security GmbH]™