Flubber

[RCE] Mozilla Firefox JSON.stringify


Zero Day Initiative, which I posted about on the forum, but apparently the thread is no longer there.

ZDI-11-103: Mozilla Firefox JSON.stringify Dangling Pointer Remote Code Execution Vulnerability



[URL="http://www.zerodayinitiative.com/advisories/ZDI-11-103"]Zero Day Initiative[/URL]

March 2, 2011

-- CVE ID:
CVE-2011-0055

-- CVSS:
9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)

-- Affected Vendors:
Mozilla

-- Affected Products:
Mozilla Firefox

-- TippingPoint(TM) IPS Customer Protection:
TippingPoint IPS customers have been protected against this
vulnerability by Digital Vaccine protection filter ID 10843.
For further product information on the TippingPoint IPS, visit:

[URL="http://www.tippingpoint.com/"]http://www.tippingpoint.com[/URL]

[B]-- Vulnerability Details:[/B]
This vulnerability allows remote attackers to execute arbitrary code on
vulnerable installations of Firefox. User interaction is required to
exploit this vulnerability in that the target must visit a malicious
page or open a malicious file.

The specific flaw exists within js3250.dll. In the JSON.stringify() call
chain js_HasOwnProperty() is called with an invalid pointer. The pointer
becomes invalid due to being unrooted and garbage collection occurring.
Dereferencing of this pointer allows a remote attacker to execute
arbitrary code in the context of the user running the browser.

-- Vendor Response:
Mozilla has issued an update to correct this vulnerability. More
details can be found at:

[URL="http://www.mozilla.org/security/announce/2011/mfsa2011-03.html"]MFSA 2011-03: Use-after-free error in JSON.stringify[/URL]

-- Disclosure Timeline:
2010-12-01 - Vulnerability reported to vendor
2011-03-02 - Coordinated public release of advisory

-- Credit:
This vulnerability was discovered by:
* regenrecht

Source: Full Disclosure: ZDI-11-103: Mozilla Firefox JSON.stringify Dangling Pointer Remote Code Execution Vulnerability
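
Added example, not part of the original post or the advisory: a toy mark-and-sweep heap in C that illustrates the bug class described under "Vulnerability Details" (a pointer that is not rooted when a collection runs, then used afterwards). It is not SpiderMonkey code; the pool, the root stack and every function name are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Toy collector (hypothetical, not SpiderMonkey): a fixed pool of cells
   plus a stack of "roots", i.e. addresses of local pointers the GC must honor. */
#define POOL 8
#define MAX_ROOTS 4

typedef struct Obj { bool live, marked; int value; } Obj;

static Obj pool[POOL];
static Obj **roots[MAX_ROOTS];
static size_t nroots;

static Obj *alloc_obj(int v) {
    for (size_t i = 0; i < POOL; i++)
        if (!pool[i].live) { pool[i] = (Obj){ true, false, v }; return &pool[i]; }
    return NULL;
}

static void push_root(Obj **slot) { roots[nroots++] = slot; }
static void pop_root(void) { nroots--; }

/* Mark every cell reachable from a root, then sweep (free) the rest. */
static void collect(void) {
    for (size_t i = 0; i < nroots; i++)
        if (*roots[i]) (*roots[i])->marked = true;
    for (size_t i = 0; i < POOL; i++) {
        if (pool[i].live && !pool[i].marked) pool[i].live = false;
        pool[i].marked = false;
    }
}

/* Allocate a temporary holding 42, run a collection while it is still in
   use, allocate something else, then read the temporary back. */
int value_after_gc(bool rooted) {
    nroots = 0;
    for (size_t i = 0; i < POOL; i++) pool[i].live = false;
    Obj *tmp = alloc_obj(42);
    if (rooted) push_root(&tmp);
    collect();               /* unrooted: tmp's cell is swept here */
    alloc_obj(7);            /* unrooted: the freed cell is handed out again */
    int seen = tmp->value;   /* static pool, so the read itself is defined */
    if (rooted) pop_root();
    return seen;
}

int main(void) {
    printf("unrooted: %d\n", value_after_gc(false));
    printf("rooted:   %d\n", value_after_gc(true));
    return 0;
}
```

In the unrooted case the stale pointer reads data that now belongs to a different allocation; rooting the temporary for as long as it is in use keeps its cell alive across the collection.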
