Date: Tue, 26 Oct 2004 20:21:53 +0200
From: "Peter Kruse" <kruse@...sesecurity.dk>
To: <bugtraq@...urityfocus.com>
Subject: Rendering large binary file as HTML makes Mozilla Firefox stop responding


Rendering large binary file as HTML makes Mozilla Firefox stop responding

Summary
Mozilla Firefox is a web browser and a strong alternative to Internet Explorer.
Mozilla Firefox ships with several bugs that make it possible to hang
the browser and eat up virtual memory simply by hosting a binary, renamed as
HTML, on a remote website.

Details
Internet Explorer, and other browsers, verify the content of file types
before opening them in the browser (I'm not saying this is the best behaviour).
Based on the content of the file, the browser decides what application should
be used to open/view the content of the file. This is, by design, not the case
with Mozilla-based browsers. A malicious website can host a large chunk of
data, spoofed as an HTML file, that Mozilla will display within the browser
window, thereby effectively causing a crash on systems visiting the website.

You can choose any file from your hard disk larger than 5MB, rename it as an
HTML file, upload it to a remote website, or simply open it directly from
your local hard drive. The result is the same: Mozilla will stop responding,
showing a lot of binary garbage (understandably), before the user is
forced to either end the application or reboot the system.

In several test scenarios the system consumed all virtual memory, causing
the system to become unstable. However, this all depends on the size of the
file viewed by the browser. To keep the user from becoming suspicious while
the file loads and garbage is shown in the browser window, you can format
the website in such a way that garbage won't show. This way the browser will
show a blank page until it crashes and the system becomes unstable. When
viewed, the browser will load the binary without the user's knowledge. The
fact that this bug can be triggered by sending the same file with 1024 ASCII
characters prepended makes exploitation trivial. This is not solely related
to trivial memory consumption. Mozilla Firefox will crash long before.

Impact
Low-Medium: This is a remote DoS in Mozilla Firefox. There are several other
ways to crash the browser.

This behavior was confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1;
rv:1.7.3) Gecko/20040913 Firefox/0.10, but my guess is that all versions of
Mozilla introduce the problem.

Solution
Awaiting fix

Affected Products
Mozilla/5.0 Gecko/20040913 Firefox/0.10 and prior

A small PoC can be found at this URL. Please note that the PoC is simply a
binary renamed to html. No masquerading, no hiding.
http://www.csis.dk/sp3.html

Mozilla will usually stop responding after approx. 20 seconds.

---
Med venlig hilsen // Kind regards

Peter Kruse,
Security- and virusanalyst,
Combined Services and Integrated Solutions
http://www.csis.dk
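
Added example, not part of the original post and not Mozilla's code: a server-side or gateway check for content about to be served as text/html, showing why a verdict based only on the first 1024 bytes accepts a binary with 1024 ASCII characters prepended, while a full scan with a size cap does not. The function names, the 1024-byte window and the 5 MB cap are assumptions taken from the figures in the post; the sample inputs are constructed.

```python
import io

SNIFF_WINDOW = 1024                # figure from the post; assumed window of the weak check
MAX_HTML_BYTES = 5 * 1024 * 1024   # the post's 5 MB figure, used as a hypothetical cap
# "Binary data bytes" per the WHATWG MIME Sniffing standard: control bytes
# other than TAB, LF, FF, CR and ESC.
BINARY_BYTES = bytes([*range(0x00, 0x09), 0x0B, *range(0x0E, 0x1B), *range(0x1C, 0x20)])


def has_binary(chunk: bytes) -> bool:
    """True if the chunk contains at least one binary data byte."""
    return len(chunk.translate(None, BINARY_BYTES)) != len(chunk)


def prefix_only_verdict(stream) -> str:
    """Weak check: classify using only the first SNIFF_WINDOW bytes."""
    return "binary" if has_binary(stream.read(SNIFF_WINDOW)) else "text/html"


def full_stream_verdict(stream, max_bytes=MAX_HTML_BYTES, chunk_size=64 * 1024) -> str:
    """Stronger check: scan every chunk and enforce a size cap."""
    seen = 0
    while chunk := stream.read(chunk_size):
        if has_binary(chunk):
            return "binary"
        seen += len(chunk)
        if seen > max_bytes:
            return "too-large"
    return "text/html"


# Constructed sample inputs (not taken from the post's PoC).
BLOB = bytes(range(256)) * 64
PADDED = b"A" * SNIFF_WINDOW + BLOB
PAGE = b"<html><body><p>hello</p></body></html>\n"

if __name__ == "__main__":
    for name, data in (("blob", BLOB), ("padded", PADDED), ("page", PAGE)):
        print(name, prefix_only_verdict(io.BytesIO(data)),
              full_stream_verdict(io.BytesIO(data)))
```
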


