Recently, a piece of Mozilla Firefox exploit code was released on the Internet. If a user opens a web page serving this code with Firefox version 3.5 or 3.6, the browser crashes.
Figure 1 – PHP code released on the Internet
This piece of code is written in PHP. After the server processes it, a piece of HTML code is returned to the user's browser, causing the crash. According to the above PHP code, the returned HTML document contains 500 nested <marquee> tags.
Figure 2 – HTML code returned
The marquee tag is a non-standard HTML element that scrolls its content left, right, up or down automatically. Because its rendering differs from that of ordinary (static) elements, the module that processes the marquee tag is different from the ones that process other tags. Specifically, in analysing this error we found that Firefox uses the xul module to process this tag.
First, we ran Firefox's complete execution under OllyDbg. The vulnerability lies in the xul module: it fills the stack completely, so no more stack memory can be provided. Looking at Figure 3, it can be seen that the program raises an exception at a call instruction. This can be explained as follows: to perform a call, the address of the next instruction must be pushed onto the stack; however, the program's stack is full, so the program crashes.
So what fills the stack? We debugged and found that marquee tags are processed by a recursive function. On finding an opening <marquee> tag, this function is called, and it returns only when the corresponding closing </marquee> tag is found.
Figure 4 – Nested call commands
As can be seen from the above figure (the call stack), the same functions are called repeatedly in sequence, and in each block they are all functions that have not yet returned. This shows that these functions are called recursively. To confirm this conclusion, we reduced the number of <marquee> tags in the error code and put a breakpoint at one of the function-call positions in the above table (0x103EE0A8). We found that the functions are then called a limited number of times and return normally. Specifically, at address 0x103EE0A8 the number of calls equals the number of <marquee> tags, and the functions return only the value of the last (innermost) call. From the debugging process we saw that each recursive call to 0x103EE0A8 consumes 0x1980 bytes of stack that are not released. So we can see why a large number of nested <marquee> tags leads to a full stack and an unresponsive browser.
Recursion is a double-edged sword. It is useful for programmers who wish to avoid writing explicit loops. On the other hand, if recursion termination is not properly bounded, stack usage keeps growing, leading to the kind of unresponsiveness seen in this vulnerability. Mozilla has not patched this vulnerability yet.
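The recursive handling described above, as an added illustration that is not Firefox's code: a toy handler that holds one stack frame per opening <marquee> until the matching closing tag arrives, alongside the depth limit that turns over-nested input into a rejected document rather than an exhausted stack. The tag pattern, the limit value and the classify helper are assumptions of this example.

```python
import re

# Assumed tag pattern for this illustration: matches <marquee ...> and </marquee>.
TAG_RE = re.compile(r"<(/?)marquee\b[^>]*>", re.IGNORECASE)

class NestingTooDeep(Exception):
    """Input rejected because its nesting exceeds the configured limit."""

def marquee_depth(html, max_depth=None):
    """Return the deepest <marquee> nesting level in html.

    Each opening tag holds one stack frame until its closing tag is seen, so
    with max_depth=None stack use grows with the input (the failure mode in
    the analysis); with a limit, over-nested input is rejected early instead.
    """
    tokens = TAG_RE.findall(html)  # '' for an opening tag, '/' for a closing one
    pos = 0

    def element(depth):
        # One frame per open element; returns the deepest level inside it.
        nonlocal pos
        if max_depth is not None and depth > max_depth:
            raise NestingTooDeep(f"nesting depth {depth} exceeds {max_depth}")
        deepest = depth
        while pos < len(tokens):
            tok = tokens[pos]
            pos += 1
            if tok == "/":
                return deepest  # matching close tag: this frame unwinds
            deepest = max(deepest, element(depth + 1))
        raise ValueError("unclosed <marquee>")

    deepest = 0
    while pos < len(tokens):
        tok = tokens[pos]
        pos += 1
        if tok == "/":
            raise ValueError("stray </marquee>")
        deepest = max(deepest, element(1))
    return deepest

def classify(html, max_depth=None):
    """Report how the parser coped with the input: a depth, or a failure label."""
    try:
        return marquee_depth(html, max_depth)
    except NestingTooDeep:
        return "rejected"
    except RecursionError:
        return "stack exhausted"
```

With no limit, deeply nested input is stopped only by Python's own recursion guard; a native parser without such a guard simply runs out of stack, which is the crash described above.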
Analyst: Mai Xuan Cuong