Lee wrote:
On 5/29/18, Frank-Rainer Grahl wrote:
Seems to be a "feature" of Sophos to report possible ROP problems in any
software. Use latest compatible Noscript and uBlock and just add an
exception in Sophos.
If one wanted to check and see if maybe the possible ROP problem
really was the result of executing a piece of malicious code from a
web site, how would you go about it?
I tried this:
C:\Temp>type startSM-with-logging.bat
@REM see
https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging
@REM
@rem set
MOZ_LOG=timestamp,sync,rotate:200,nsHttp:5,cache2:5,nsSocketTransport:5,nsHostResolver:5
set MOZ_LOG=timestamp,sync,rotate:200,nsHttp:3
@rem nsHttp:3 log only http request and response headers
set MOZ_LOG_FILE=%TEMP%\sm-log.txt
"c:\Program Files (x86)\SeaMonkey\SeaMonkey.exe"
which is 1) more verbose than I'd like and 2) not so easy to parse.
Is there some other way to keep track of what all SeaMonkey gets off the web?
Thanks
Lee
Dirk Munk wrote:
Dirk Munk wrote:
I have Sophos anti-virus (etc.) running on my PC, and a few days ago it
reported a ROP problem with Seamonkey and closed it down.
After restarting Seamonkey everything was fine again.
Sophos gave this trace of the problem:
Mitigation ROP
Platform 10.0.17134/x64 v614 06_3a
PID 18136
Application C:\Program Files\SeaMonkey\seamonkey.exe
Description SeaMonkey 2.49.3
Callee Type LoadLibrary
Stack Trace
# Address Module Location
-- ---------------- ------------------------
----------------------------------------
1 00007FFD8A0FBC4D KernelBase.dll
2 00007FFD8D6927D7 ntdll.dll
3 00007FFD8D67AC26 ntdll.dll __C_specific_handler +0x96
4 00007FFD8D68EDCD ntdll.dll __chkstk +0x11d
5 00007FFD8D5F6C86 ntdll.dll
6 00007FFD8D68DCFE ntdll.dll KiUserExceptionDispatcher +0x2e
7 00007FFD3CFAF0FD xul.dll
80791000 CMP BYTE
[RCX+0x10], 0x0
7465 JZ 0x7ffd3cfaf168
83b91c2b000000 CMP DWORD
[RCX+0x2b1c], 0x0
7416 JZ 0x7ffd3cfaf122
498bc0 MOV RAX, R8
482500f0ffff AND RAX,
0xfffffffffffff000
488b4008 MOV RAX, [RAX+0x8]
83b87008000000 CMP DWORD
[RAX+0x870],
0x0
7446 JZ 0x7ffd3cfaf168
4d85c0 TEST R8, R8
740c JZ 0x7ffd3cfaf133
4881cae8ff0f00 OR RDX, 0xfffe8
833a01 CMP DWORD [RDX],
0x1
7435 JZ 0x7ffd3cfaf168
498bc0 MOV RAX, R8
4981e0a0c0ffff AND R8,
0xffffffffffffc0a0
8 00007FFD3A505F69 xul.dll
9 00007FFD3A50611B xul.dll
10 00007FFD3CFF9A07 xul.dll
Process Trace
1 C:\Program Files\SeaMonkey\seamonkey.exe [18136]
2 C:\Windows\explorer.exe [11128]
3 C:\Windows\System32\userinit.exe [10980]
4 C:\Windows\System32\winlogon.exe [812]
winlogon.exe
Thumbprint
6b7c6ddb5008f8cfec2b72d6c65841972bb2c3f0f227ed14ea6b1187aec1429d
This is a security problem. According to Sophos, Seamonkey is doing
something
it should not be doing, perhaps executing a piece of malicious code from a
web
site?
I've seen the problem more often now, and I wonder if someone can have a
look
at it?
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
What is ROP? I found 4 possible expansions for that abbreviation.
Remote Operation
Readout Protection
Return-oriented Programming
RISC Operation (Reduced Instruction Set Code)
_______________________________________________
support-seamonkey mailing list
[email protected]
https://lists.mozilla.org/listinfo/support-seamonkey
