Mozilla Firefox: Proof-of-Concept (PoC) codes

On October 27, Mozilla developers fixed several vulnerabilities in the browser engine used in Firefox and other Mozilla-based products. The fixes shipped in versions 3.0.15 and 3.5.4.

CVE reference:
CVE-2009-1563, CVE-2009-3370, CVE-2009-3371, CVE-2009-3372, CVE-2009-3373, CVE-2009-3374, CVE-2009-3375, CVE-2009-3376, CVE-2009-3377, CVE-2009-3378, CVE-2009-3379, CVE-2009-3380, CVE-2009-3381, CVE-2009-3382, CVE-2009-3383

Complete list of Proof-of-Concept codes (crash triggers)

1. (CVE-2009-3382) The CSS frame constructor (layout/base/nsCSSFrameConstructor.cpp) in the browser engine does not properly handle first-letter frames.


function doe2(i) {
document.getElementById('a').setAttribute('style', 'display: -moz-box; ');
document.getElementById('c').style.display= 'none';
div::first-letter {float: right; }

<div style="width: 50px; -moz-column-count: 2;">
<span style="display: table-cell;"></span><div style="display: -moz-box; font-size: 43px;">
<span id="a">
<span style="display: -moz-box;">
<span id="c">m</span>


2. (CVE-2009-1563) Array indexing error in NSPR's Balloc() leads to a floating point memory vulnerability

Secunia Research Details:

The s2b() function takes the total number of digits and determines the first number K for which : 1 <= (numdigits + 8)/9.

K is then passed to Balloc() to allocate memory. Balloc() indexes the static "freelist" array of 16 elements using K. If K is above 15, the pointer read from memory following the freelist array is returned from Balloc() as if it were a valid block.

  #define Kmax 15
  ...
  static Bigint *freelist[Kmax+1];
  ...
  Balloc ..(k)..
  ...
  if (rv = freelist[k]) { <-- out of bounds
      freelist[k] = rv->next;
  }
  ...
  return rv;

For example, with K = 17 a pointer to an undersized heap buffer is returned from Balloc() and used to hold the converted big number. This results in a heap-based buffer overflow, followed by a call through a function pointer read from a corrupted virtual function table. Paired with heap spraying, this leads to execution at an attacker-chosen address.
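As an added example (not Secunia's or Mozilla's code), here is a minimal C model of the freelist-indexed Balloc() described above together with the bounds check the text says the vulnerable version lacked. The 2^K sizing rule in digits_to_k() is taken from the s2b() routine of David Gay's dtoa.c as an assumption, not from this page.

```c
/* Added example, not Secunia's or Mozilla's code: a minimal model of the
 * freelist-indexed Balloc() with the bounds check the advisory says was
 * missing.  digits_to_k() follows dtoa.c s2b() (assumption, not from the page). */
#include <stdlib.h>

#define Kmax 15

typedef struct Bigint {
    struct Bigint *next;   /* freelist link */
    int k;                 /* size class: block holds 2^k words */
    int maxwds;
} Bigint;

static Bigint *freelist[Kmax + 1];   /* 16 slots: valid k is 0..15 */

/* Size class for an nd-digit decimal string: smallest k with 2^k >= (nd+8)/9. */
int digits_to_k(int nd) {
    int x = (nd + 8) / 9, k = 0;
    long y = 1;
    while (x > y) { y <<= 1; k++; }
    return k;
}

/* Hardened Balloc(): reject k outside the freelist instead of reading past it. */
Bigint *balloc_checked(int k) {
    Bigint *rv;
    if (k < 0 || k > Kmax)           /* the check the vulnerable code lacked */
        return NULL;
    if ((rv = freelist[k]) != NULL) {
        freelist[k] = rv->next;      /* reuse a recycled block of this class */
    } else {
        int words = 1 << k;
        rv = malloc(sizeof(Bigint) + (size_t)words * sizeof(unsigned long));
        if (rv == NULL)
            return NULL;
        rv->k = k;
        rv->maxwds = words;
    }
    rv->next = NULL;
    return rv;
}

/* Return a block to the freelist for its size class. */
void bfree_checked(Bigint *v) {
    if (v == NULL) return;
    v->next = freelist[v->k];
    freelist[v->k] = v;
}
```

With the check in place, a digit count that maps to K = 17 makes balloc_checked() return NULL rather than a pointer read from beyond the freelist.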

PoC #1:
PoC #2 (Secunia):
PoC #3:

3. (CVE-2009-3375) Cross-origin data theft through document.getSelection()


Select a destination for the iframe and select 'go'. Make a text selection and the
content should be displayed in an alert box.

4. (CVE-2009-3378) Crash while loading .ogg video

The oggplay_data_handle_theora_frame function (media/liboggplay/src/liboggplay/oggplay_data.c) in liboggplay attempts to reuse an earlier frame data structure upon encountering a decoding error for the first frame, which allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) or possibly execute arbitrary code via a crafted .ogg video file.

Crash PoC (Video)

5. (CVE-2009-3371) Crash with recursive web-worker calls

Use-after-free vulnerability allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by creating JavaScript web-workers recursively.

