Iceweasel xulrunner-18.0/libxul.so Stack Corruption Vulnerability

Veysel hataş vhatas at gmail.com
Tue Feb 3 13:55:36 UTC 2015


'exploitable' version 1.04
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64
Signal si_signo: 2 Signal si_addr: 0x0
Nearby code:
   0x00007ffff7179e1f <+63>:	mov    rsi,QWORD PTR [rsp+0x10]
   0x00007ffff7179e24 <+68>:	mov    rdi,QWORD PTR [rsp+0x18]
   0x00007ffff7179e29 <+73>:	mov    eax,0x7
   0x00007ffff7179e2e <+78>:	movsxd rdx,edx
   0x00007ffff7179e31 <+81>:	syscall
=> 0x00007ffff7179e33 <+83>:	mov    rdx,rax
   0x00007ffff7179e36 <+86>:	cmp    rdx,0xfffffffffffff000
   0x00007ffff7179e3d <+93>:	ja     0x7ffff7179e62 <poll+130>
   0x00007ffff7179e3f <+95>:	mov    edi,r8d
   0x00007ffff7179e42 <+98>:	mov    DWORD PTR [rsp+0x18],eax
Stack trace:
#  0 poll at 0x7ffff7179e33 in /lib/x86_64-linux-gnu/libc-2.13.so (BL)
#  1 None at 0x7ffff56ee399 in /usr/lib/xulrunner-18.0/libxul.so
#  2 None at 0x7ffff0a84624 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4
#  3 g_main_context_iteration at 0x7ffff0a84744 in /lib/x86_64-linux-gnu/libglib-2.0.so.0.3200.4
#  4 None at 0x7ffff56ee348 in /usr/lib/xulrunner-18.0/libxul.so
#  5 None at 0x7ffff5704321 in /usr/lib/xulrunner-18.0/libxul.so
#  6 None at 0x7ffff570443a in /usr/lib/xulrunner-18.0/libxul.so
#  7 None at 0x7ffff589d9b4 in /usr/lib/xulrunner-18.0/libxul.so
#  8 None at 0x7ffff5873023 in /usr/lib/xulrunner-18.0/libxul.so
#  9 None at 0x7ffff579550d in /usr/lib/xulrunner-18.0/libxul.so
# 10 None at 0x7ffff58bbf23 in /usr/lib/xulrunner-18.0/libxul.so
# 11 None at 0x7ffff5703d09 in /usr/lib/xulrunner-18.0/libxul.so
# 12 None at 0x7ffff55e06ab in /usr/lib/xulrunner-18.0/libxul.so
# 13 None at 0x7ffff4daa9d7 in /usr/lib/xulrunner-18.0/libxul.so
# 14 None at 0x7ffff4dacb0e in /usr/lib/xulrunner-18.0/libxul.so
# 15 XRE_main at 0x7ffff4dacd27 in /usr/lib/xulrunner-18.0/libxul.so
# 16 _start at 0x402e9f in /usr/lib/iceweasel/iceweasel
Faulting frame: #  1 None at 0x7ffff56ee399 in /usr/lib/xulrunner-18.0/libxul.so
Description: Uncategorized signal
Short description: UncategorizedSignal (21/21)
Hash: adc0e910413c8277a93597dded2c019d.1211be7b00de99ac3cd4df53848c15b4
Exploitability Classification: UNKNOWN
Explanation: The target is stopped on a signal. This may be an
exploitable condition, but this command was unable to categorize it.


'exploitable' version 1.04
Linux kali 3.7-trunk-amd64 #1 SMP Debian 3.7.2-0+kali6 x86_64
Signal si_signo: 2 Signal si_addr: 0x0
Nearby code:
__main__:172: UserWarning: Cannot access memory at address 0x7ffff7179de0
Stack trace:
#  0 poll at 0x7ffff7179e33 in None
#  1 None at 0x7ffff56ee399 in None (BL)
Faulting frame: #  0 poll at 0x7ffff7179e33 in None
Description: Possible stack corruption
Short description: PossibleStackCorruption (6/21)
Hash: 11be9dafbbcc937095c565339a340994.11be9dafbbcc937095c565339a340994
Exploitability Classification: EXPLOITABLE
Explanation: GDB generated an error while unwinding the stack and/or
the stack contained return addresses that were not mapped in the
inferior's process address space and/or the stack pointer is pointing
to a location outside the default stack region. These conditions
likely indicate stack corruption, which is generally considered
exploitable.
Other tags: UncategorizedSignal (21/21)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: poc.pdf
Type: application/pdf
Size: 579827 bytes
Desc: not available
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20150203/41605e09/attachment-0001.pdf>