    Author Archive - Kim Chanwoo (Security Specialist)

    The usage of exploits in current threats underlines the critical need for users to keep programs updated at all times. Considering the great amount of time people spend on their computers connected to the Internet, web browsers are prime targets for cybercriminals.

    This is a technical analysis of a recently discovered vulnerability in one of the most widely used web browsers: Mozilla Firefox.

    This Mozilla Firefox vulnerability was discussed by Chris Rohlf and Yan Ivnitskiy during their presentation, Attacking Clientside JIT Compilers, at the Black Hat conference in Las Vegas earlier this year.

    This vulnerability, identified as CVE-2011-2371, lies in the js3250.dll library (the SpiderMonkey JavaScript engine shipped with Firefox) and its array_reduceRight function. It affects Firefox versions earlier than 3.6.18, as well as versions 4.0 through 4.0.1. Two proofs-of-concept for this vulnerability were publicly disclosed earlier this month, one by Matteo Memelli and one by the Metasploit project.

    We analyzed the vulnerability through reverse engineering and tested it with the published proof of concept. Through this, we were able to achieve arbitrary remote code execution on Firefox 3.6.16.

    Vulnerability Analysis

    The following is a sample exploit code:

    This code sets the length of an Array object to a very large value, which the engine stores as an unsigned integer, and then calls reduceRight() on that array. Because reduceRight() walks the array from the highest index downward, the oversized length controls where that walk starts.
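    As an added illustration of the bug class the post describes (this is example code written for this page, not SpiderMonkey or Firefox source; the structure, the function names and the 4-slot backing store are assumptions), the following C model shows what goes wrong when a reverse walk over an array derives its start index from a 32-bit unsigned length but holds and bounds-checks it as a signed integer, and how an unsigned, capacity-bounded walk avoids the problem:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the bug class (added here; this is not SpiderMonkey or
 * Firefox code). A dense array keeps `capacity` allocated slots, while the
 * script-visible `length` is a 32-bit unsigned value that script can set to
 * anything at all, including values far beyond the allocation. */
typedef struct {
    uint32_t       length;    /* script-controlled, e.g. a.length = 0x80000001 */
    uint32_t       capacity;  /* slots that actually exist in memory */
    const int32_t *slots;
} model_array;

/* Flawed reverse walk: the start index of reduceRight is derived from the
 * unsigned length but held in a signed int and bounds-checked with a signed
 * comparison. For length > 0x80000000 the conversion wraps negative (two's
 * complement on every mainstream compiler), and `start < (int32_t)capacity`
 * is then true for any capacity, so the check admits an index that points
 * before the backing store. The same happens for length == 0, where
 * length - 1 wraps to -1. The admitted index is reported through *start_out
 * rather than dereferenced, so the model stays safe to run. */
bool flawed_start_index_admitted(const model_array *a, int32_t *start_out)
{
    int32_t start = (int32_t)(a->length - 1u);
    *start_out = start;
    return start < (int32_t)a->capacity;
}

/* Hardened form: the index stays unsigned for the whole walk and is bounded
 * by the allocation, not by the script-visible length. Slots at or beyond
 * capacity are holes with no storage, so the walk simply starts at
 * min(length, capacity) instead of iterating billions of absent indices.
 * Sums the elements from the highest index down; *slots_read reports how
 * many slots were actually dereferenced. */
int64_t reduce_right_sum(const model_array *a, uint32_t *slots_read)
{
    uint32_t top = a->length < a->capacity ? a->length : a->capacity;
    int64_t acc = 0;
    *slots_read = 0;
    for (uint32_t i = top; i-- > 0; ) {      /* runs top-1 down to 0 */
        acc += a->slots[i];
        (*slots_read)++;
    }
    return acc;
}

int main(void)
{
    static const int32_t storage[4] = {10, 20, 30, 40};   /* constructed backing store */
    const uint32_t lengths[] = {3, 0, 0x80000001u, 0xFFFFFFFFu};
    for (size_t k = 0; k < sizeof lengths / sizeof lengths[0]; k++) {
        model_array a = { lengths[k], 4, storage };
        int32_t start;
        uint32_t n;
        bool admitted = flawed_start_index_admitted(&a, &start);
        int64_t sum = reduce_right_sum(&a, &n);
        printf("length=0x%08x flawed check: start=%d %s | hardened: sum=%lld over %u slots\n",
               a.length, start, admitted ? "ADMITTED" : "rejected", (long long)sum, n);
    }
    return 0;
}
```

    Two details are worth noting when reviewing code of this shape: the flawed check fails in both directions (length 0x80000001 yields INT32_MIN and length 0 yields -1, and a signed comparison against a small capacity admits both), and the hardened walk is bounded by the allocation rather than by the script-visible length, so a hostile length neither reads past the buffer nor turns the call into a multi-billion-iteration loop.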


    Posted in Exploits, Vulnerabilities | Technical Analysis for Mozilla Firefox Array.reduceRight() Vulnerability

    If you are a frequent reader of this blog, you are more or less already familiar with denial-of-service (DoS) attacks. Such an attack typically targets specific systems or servers and “floods” them with traffic in order to prevent legitimate users from accessing information or services.

    This time around, we observed a DoS attack exploiting a specific vulnerability, which is different from the usual DoS attack methods. DoS attacks are typically carried out by flooding the target site with traffic (SYN flooding, UDP flooding, ICMP flooding). What makes this attack noteworthy is that it does not require a huge amount of traffic: all the attacker has to do is send a specially crafted HTTP request, which renders the site inaccessible.

    We recently did a deeper analysis of the said vulnerability (CVE-2011-3192), found in certain versions of Apache HTTP Server, which allows a remote attacker to conduct a DoS attack by sending a small HTTP request.

    The vulnerability exists in the byterange filter in Apache HTTP Server 1.3.x, 2.0.x through 2.0.64, and 2.2.x through 2.2.19. It can be exploited with a Range header that expresses multiple overlapping ranges. The proof of concept for the exploit that abuses this vulnerability was published in August. A tool that conducts DoS attacks by exploiting this vulnerability was later created and dubbed the “Apache Killer.” Apache patched this security hole last week.

    A typical attack scenario exploiting this vulnerability involves sending the Apache server an HTTP request whose Range header (Range: bytes=...) lists a large number of overlapping byte ranges, so that the server does a great deal of work, and allocates a great deal of memory, for a request of only a few kilobytes.
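    The shape of such a header, together with the check a hardened byterange handler or a reverse proxy in front of an unpatched server would apply before doing any per-range work, as an added example that is not part of the original post or of httpd itself. The header builder, the MAX_RANGES cap of 200 and all function names are assumptions made here; the headers it generates are constructed test data:

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not httpd code. MAX_RANGES is an assumed policy cap; real
 * clients (browsers, download managers, PDF viewers) send a handful of ranges. */
#define MAX_RANGES 200

typedef struct { int64_t first, last; } byte_range;

enum range_verdict { RANGE_NONE, RANGE_OK, RANGE_TOO_MANY, RANGE_OVERLAP };

/* Parse one byte-range-spec ("first-last", "first-", "-suffix") against a body
 * of `len` bytes into an absolute, clamped [first,last]. Returns false for a
 * spec that is malformed or unsatisfiable (e.g. "5-0" or a start past the end). */
static bool parse_spec(const char *spec, int64_t len, byte_range *out)
{
    char buf[64];
    while (*spec == ' ') spec++;
    size_t n = strlen(spec);
    if (n == 0 || n >= sizeof buf) return false;
    memcpy(buf, spec, n + 1);
    char *dash = strchr(buf, '-');
    if (!dash) return false;
    *dash = '\0';
    const char *a = buf, *b = dash + 1;
    char *end;
    if (*a == '\0') {                              /* "-N": the final N bytes */
        long long suf = strtoll(b, &end, 10);
        if (b == end || *end || suf <= 0) return false;
        if (suf > len) suf = len;
        out->first = len - suf;
        out->last  = len - 1;
        return true;
    }
    long long first = strtoll(a, &end, 10);
    if (*end || first < 0 || first >= len) return false;
    long long last = len - 1;                      /* "N-": through end of body */
    if (*b != '\0') {
        last = strtoll(b, &end, 10);
        if (*end || last < first) return false;
        if (last >= len) last = len - 1;
    }
    out->first = first;
    out->last  = last;
    return true;
}

/* Walk a "bytes=..." header value and stop at the first sign of abuse: more
 * than MAX_RANGES specs (valid or not), or a range that overlaps one already
 * accepted. Cost is bounded by MAX_RANGES^2 comparisons and no content is
 * copied. *valid receives the number of satisfiable, non-overlapping ranges
 * accepted before stopping. Unsatisfiable specs are skipped individually. */
enum range_verdict check_range_header(const char *value, int64_t len, int *valid)
{
    byte_range seen[MAX_RANGES];
    *valid = 0;
    if (strncmp(value, "bytes=", 6) != 0) return RANGE_NONE;
    size_t n = strlen(value + 6);
    char *copy = malloc(n + 1);                    /* strtok needs a writable copy */
    if (!copy) return RANGE_NONE;
    memcpy(copy, value + 6, n + 1);
    enum range_verdict v = RANGE_OK;
    int specs = 0;
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        byte_range r;
        if (++specs > MAX_RANGES) { v = RANGE_TOO_MANY; break; }
        if (!parse_spec(tok, len, &r)) continue;
        for (int i = 0; i < *valid; i++)
            if (r.first <= seen[i].last && seen[i].first <= r.last) { v = RANGE_OVERLAP; break; }
        if (v != RANGE_OK) break;
        seen[(*valid)++] = r;
    }
    free(copy);
    if (v == RANGE_OK && *valid == 0) v = RANGE_NONE;  /* nothing satisfiable: serve 200 */
    return v;
}

/* Build a constructed header with n specs "i*step-(i*step+span)". step <= span
 * makes neighbours overlap, the shape of the attack described above; step > span
 * keeps them disjoint. Returns false if buf was too small. */
bool build_range_header(char *buf, size_t cap, int n, int64_t step, int64_t span)
{
    size_t used = (size_t)snprintf(buf, cap, "bytes=");
    for (int i = 0; i < n && used < cap; i++)
        used += (size_t)snprintf(buf + used, cap - used, "%s%lld-%lld", i ? "," : "",
                                 (long long)(i * step), (long long)(i * step + span));
    return used < cap;
}

int main(void)
{
    static char hdr[32768];
    int valid;
    build_range_header(hdr, sizeof hdr, 1300, 1, 5);        /* overlapping, attack-shaped */
    printf("1300 overlapping ranges -> verdict %d after %d accepted\n",
           check_range_header(hdr, 1 << 20, &valid), valid);
    build_range_header(hdr, sizeof hdr, 300, 10, 5);        /* disjoint but too many */
    printf("300 disjoint ranges     -> verdict %d after %d accepted\n",
           check_range_header(hdr, 1 << 20, &valid), valid);
    printf("normal request          -> verdict %d after %d accepted\n",
           check_range_header("bytes=0-99, -100", 1000, &valid), valid);
    return 0;
}
```

    The point of doing the count and overlap test up front is that the cost of rejecting a hostile header is a few thousand integer comparisons, whereas the vulnerable filter paid per range in memory and copying. The interim workaround Apache published with the advisory did the crude version of the same thing at the configuration layer, using SetEnvIf to flag any Range header containing five or more commas and RequestHeader unset to drop it; the parser above lets legitimate multi-range clients through while still refusing both the overlap and the sheer-count variants.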


    © Copyright 2013 Trend Micro Inc. All rights reserved.