Date: Wed, 20 Apr 2005 18:01:29 +0000
From: patrick <mccpat@...il.com>
To: Andrew <gluttony@...il.com>, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows image rendering DoS vuln


Andrew wrote:

> [ASCII-art banner, line-wrapped in the archive: the Greek motto ΑΠΟ ΠΑΝΤΟΣ
> ΚΑΚΟΔΑΙΜΟΝΟΣ above a group name ending in "High Council"]
> Overview
>
> There exists a vulnerability in the way Microsoft Windows handles the
> rendering of images. By resizing an image with HTML properties to an
> extremely large size, an attacker may perform a very quick and effective
> denial of service attack upon a victim.
>
>
> I. Description and PoC
>
> Only clients running Internet Explorer, Firefox, or Avant in Windows 2k
> or XP have been confirmed to be vulnerable. Opera does its own image
> rendering and is not vulnerable to this method of attack. The status of
> Longhorn is not known. Other operating systems, including Mac OS X and
> Linux, are not vulnerable.
>
> You may point your browser to this URL to see a live demonstration of
> this attack:
>
> http://www.livejournal.com/users/deeplolz
>
> This may cause an instant reboot or bluescreen detailing a problem with
> your video drivers. Other possibilities include an extended period of
> poor performance until the next reboot, a short to medium period of
> nonfunctionality, or a crash of the browser.
>
>
> II. Impact
>
> Because this attack can be performed anywhere an img src is allowed,
> there are many forums, including blogs, messageboards, and others, which
> are vulnerable. It is hoped that Microsoft will release a patch for this
> attack as soon as possible.
>
>
> III. Solution
>
> Until a patch is released you are advised to use the Opera web browser.
> It might also be possible to write a script for the Firefox
> "GreaseMonkey" extension which performs a workaround for this attack,
> such as setting the height and width of images to 5000 pixels if they
> are currently set to render at over 5000.
>
>
> Very special shouts: Girlvinyl, Hepkitten, Confkids, and Frienditto
> (Come back!!! We need you badly, FD!)
>
> Shouts: LJD, LJ-Zeera, Encyclopedia Dramatica, Lulz News Network,
> Project Mayhem, Amalea, Wednesday Night Karate Explosion, The Gundanium
> Alloys Manufacturers Association, Richmond Flash Mob Society, RVA_BS,
> RVA_FYAD, Brad Fitzpatrick, Mena Trott, SALJ, The International
> Department of Internet Security, #telconinjas, undernet #drugs, The
> Kadaitcha Dancers, psychotic vegans, Warren Ellis, and pro-ana preteen
> girls.
>
Hmm, a few things.

1) That site is down. Has been down ever since I got this email.
2) I created a site with this HTML code:

/././././././././././././

<html>
<body>
<p>If you are using IE, YOU SUCK! Just kidding.<br>
If you're in Window$ though, this should crash your puter<br>
or give you a BSOD. HAVE FUN BUDDY! MUA HA HA!</p>

<img src="http://thepcelement.com/hardware/neowinscreenie.jpg"
height="9999999999999999999999999999999999999999999999999991"
width="999999999999999999999999999999999999999999999999999999999999999991">

</body>
</html>

/./././././././././././

Yet no crash. This was on my Dad's PC running Window$ XP, no SP2, with
Firefox and Internet Exploder; the image was all white, no slowdown or
anything.

Can you tell me what I'm doing wrong and give me the source to that page
you had up as a live demonstration? I'm interested to see more about
this vulnerability.

Thanks for posting, have a nice day,


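As an added example, not code from either message above: a JavaScript clamp that implements the workaround Andrew's advisory suggests (cap an image's height and width attributes at 5000 pixels), written so it can run either as a GreaseMonkey-style pass over a page's images or, for a forum or blog operator who accepts raw img markup, as a rewrite over the posted HTML. It uses Patrick's PoC tag as sample input. The 5000 px cap comes from the advisory; the helper names, the 4-bytes-per-pixel size estimate and the simplified tag scanner are assumptions made here for illustration.

```javascript
// Added example (not code from either message above): clamp oversized <img>
// width/height attributes, the GreaseMonkey-style workaround Andrew's advisory
// suggests. The 5000 px cap is from the advisory; the helper names, the
// 4-bytes-per-pixel estimate and the simplified tag scanner are assumptions.
// Runs under Node.js with no DOM; the last lines apply it to a real page when
// a `document` exists.

const MAX_DIMENSION = 5000;   // advisory's suggested cap, in pixels
const BYTES_PER_PIXEL = 4;    // assumed 32-bit RGBA surface, for the size estimate

// Parse an HTML length attribute into a pixel count. Returns null for anything
// that is not a plain non-negative integer (percentages, "auto", junk), because
// a clamp must not rewrite values it does not understand. Values as long as the
// PoC's (52 digits and more) exceed Number.MAX_SAFE_INTEGER, so the comparison
// is done with BigInt; anything past the safe range is reported as Infinity.
function parsePixelLength(value) {
  if (value === null || value === undefined) return null;
  const m = /^\s*(\d+)\s*(px)?\s*$/i.exec(String(value));
  if (m === null) return null;
  const n = BigInt(m[1]);
  return n > BigInt(Number.MAX_SAFE_INTEGER) ? Infinity : Number(n);
}

// Returns the capped value when `value` exceeds `max`, otherwise null (leave it).
function clampLength(value, max = MAX_DIMENSION) {
  const px = parsePixelLength(value);
  if (px === null || px <= max) return null;
  return max;
}

// Rough size of the bitmap a renderer would have to allocate for a scaled image
// of width x height pixels; shows why even the 5000 px cap is not small.
function surfaceBytes(width, height, bytesPerPixel = BYTES_PER_PIXEL) {
  if (!Number.isFinite(width) || !Number.isFinite(height)) return Infinity;
  return width * height * bytesPerPixel;
}

// Userscript-style pass: clamp attributes on live elements (anything with
// getAttribute/setAttribute, e.g. document.images). Returns the number of
// attributes rewritten.
function clampImageElements(images, max = MAX_DIMENSION) {
  let rewritten = 0;
  for (const img of images) {
    for (const attr of ['width', 'height']) {
      const capped = clampLength(img.getAttribute(attr), max);
      if (capped !== null) {
        img.setAttribute(attr, String(capped));
        rewritten += 1;
      }
    }
  }
  return rewritten;
}

// Server-side variant for a forum or blog that lets users post <img> markup:
// rewrite oversized width/height attributes in the HTML text. This is a
// deliberately simple tag scanner (assumption: attribute values are quoted or
// bare, as in the PoC), not an HTML parser; use a real parser in production.
function clampImageMarkup(html, max = MAX_DIMENSION) {
  const attrRe = /\b(width|height)\s*=\s*("([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  return html.replace(/<img\b[^>]*>/gi, (tag) =>
    tag.replace(attrRe, (whole, name, _quoted, dq, sq, bare) => {
      const raw = dq !== undefined ? dq : sq !== undefined ? sq : bare;
      const capped = clampLength(raw, max);
      return capped === null ? whole : `${name}="${capped}"`;
    }));
}

// Minimal stand-in for an HTMLImageElement so the DOM pass can run offline.
function fakeImageElement(attrs) {
  const store = { ...attrs };
  return {
    getAttribute: (name) => (name in store ? store[name] : null),
    setAttribute: (name, value) => { store[name] = value; },
    attrs: store,
  };
}

// Patrick's PoC tag from the message above, used here as sample input.
const POC_TAG = '<img src="http://thepcelement.com/hardware/neowinscreenie.jpg"\n' +
  'height="9999999999999999999999999999999999999999999999999991"\n' +
  'width="999999999999999999999999999999999999999999999999999999999999999991">';

// Apply the userscript pass when loaded in a browser (no-op under Node.js).
if (typeof document !== 'undefined') {
  clampImageElements(document.images);
}
```

Two caveats a practitioner would want. First, the PoC values are far beyond what a 32-bit or even a double-precision integer can hold, so a clamp written as `parseInt(v) > 5000` on a platform with narrower integers, or any code path that truncates before comparing, can be bypassed; comparing as BigInt (or simply treating any string longer than a handful of digits as oversized) avoids that. Second, 5000 is the advisory's number, not a safe one: a 5000 x 5000 surface at 4 bytes per pixel is 100,000,000 bytes per image, so a site operator sanitizing user markup will usually want a much lower cap than a browser-side workaround does.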