[Reportbug-maint] Iceweasel xulrunner-18.0/libxul.so Stack Corruption Vulnerability
Sandro Tosi
morph at debian.org
Tue Feb 3 13:47:17 UTC 2015
Hello,
I'm unsure why you reported this bug here, instead of xulrunner.
On Tue, Feb 3, 2015 at 1:40 PM, Veysel hataş <vhatas at gmail.com> wrote:
> 'exploitable' version 1.04
> Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64
> Signal si_signo: 2 Signal si_addr: 0x0
> Nearby code:
> 0x00007ffff7179e1f <+63>: mov rsi,QWORD PTR [rsp+0x10]
> 0x00007ffff7179e24 <+68>: mov rdi,QWORD PTR [rsp+0x18]
> 0x00007ffff7179e29 <+73>: mov eax,0x7
> 0x00007ffff7179e2e <+78>: movsxd rdx,edx
> 0x00007ffff7179e31 <+81>: syscall
> => 0x00007ffff7179e33 <+83>: mov rdx,rax
> 0x00007ffff7179e36 <+86>: cmp rdx,0xfffffffffffff000
> 0x00007ffff7179e3d <+93>: ja 0x7ffff7179e62 <poll+130>
> 0x00007ffff7179e3f <+95>: mov edi,r8d
> 0x00007ffff7179e42 <+98>: mov DWORD PTR [rsp+0x18],eax
> Stack trace:
> # 0 poll at 0x7ffff7179e33 in /lib/x86_64-linux-gnu/libc-2.13.so (BL)
> # 1 None at 0x7ffff56ee399 in /usr/lib/xulrunner-18.0/libxul.so
> # 2 None at 0x7ffff0a84624 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4
> # 3 g_main_context_iteration at 0x7ffff0a84744 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4
> # 4 None at 0x7ffff56ee348 in /usr/lib/xulrunner-18.0/libxul.so
> # 5 None at 0x7ffff5704321 in /usr/lib/xulrunner-18.0/libxul.so
> # 6 None at 0x7ffff570443a in /usr/lib/xulrunner-18.0/libxul.so
> # 7 None at 0x7ffff589d9b4 in /usr/lib/xulrunner-18.0/libxul.so
> # 8 None at 0x7ffff5873023 in /usr/lib/xulrunner-18.0/libxul.so
> # 9 None at 0x7ffff579550d in /usr/lib/xulrunner-18.0/libxul.so
> # 10 None at 0x7ffff58bbf23 in /usr/lib/xulrunner-18.0/libxul.so
> # 11 None at 0x7ffff5703d09 in /usr/lib/xulrunner-18.0/libxul.so
> # 12 None at 0x7ffff55e06ab in /usr/lib/xulrunner-18.0/libxul.so
> # 13 None at 0x7ffff4daa9d7 in /usr/lib/xulrunner-18.0/libxul.so
> # 14 None at 0x7ffff4dacb0e in /usr/lib/xulrunner-18.0/libxul.so
> # 15 XRE_main at 0x7ffff4dacd27 in /usr/lib/xulrunner-18.0/libxul.so
> # 16 _start at 0x402e9f in /usr/lib/iceweasel/iceweasel
> Faulting frame: # 1 None at 0x7ffff56ee399 in /usr/lib/xulrunner-18.0/libxul.so
> Description: Uncategorized signal
> Short description: UncategorizedSignal (21/21)
> Hash: adc0e910413c8277a93597dded2c019d.1211be7b00de99ac3cd4df53848c15b4
> Exploitability Classification: UNKNOWN
> Explanation: The target is stopped on a signal. This may be an exploitable
> condition, but this command was unable to categorize it.
>
>
> 'exploitable' version 1.04
> Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64
> Signal si_signo: 2 Signal si_addr: 0x0
> Nearby code:
> __main__:172: UserWarning: Cannot access memory at address 0x7ffff7179de0
> Stack trace:
> # 0 poll at 0x7ffff7179e33 in None
> # 1 None at 0x7ffff56ee399 in None (BL)
> Faulting frame: # 0 poll at 0x7ffff7179e33 in None
> Description: Possible stack corruption
> Short description: PossibleStackCorruption (6/21)
> Hash: 11be9dafbbcc937095c565339a340994.11be9dafbbcc937095c565339a340994
> Exploitability Classification: EXPLOITABLE
> Explanation: GDB generated an error while unwinding the stack and/or the
> stack contained return addresses that were not mapped in the inferior's
> process address space and/or the stack pointer is pointing to a location
> outside the default stack region. These conditions likely indicate stack
> corruption, which is generally considered exploitable.
> Other tags: UncategorizedSignal (21/21)
>
>
--
Sandro Tosi (aka morph, morpheus, matrixhasu)
My website: http://matrixhasu.altervista.org/
Me at Debian: http://wiki.debian.org/SandroTosi