lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 1 Mar 2009 01:23:08 +0200
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>
Subject: Re: Nokia N95-8 browser denial of service

Hello Thierry!

About your message concerning crash in Firefox 3.0.6 
(http://securityvulns.ru/Vdocument307.html). Which has similar DoS 
vulnerability as Nokia N95-8 browser.

Some time ago I read your message and also checked Firefox 3.0.6 and 
confirmed the crash in it. What I can tell you about this hole.

In the beginning of September 2008 I already wrote about such DoS 
vulnerability in Mozilla Firefox (http://websecurity.com.ua/2421/). Which 
leads to that after running of the exploit the browser begun taking 100% of 
CPU resources and freezes.

The attack was based on using nested marquee tags (this hole was already 
found in Firefox 1.0 and 1.5). Vulnerable were Mozilla Firefox 3.0.1 and 
previous versions. This vulnerability was first publicly disclosed DoS in 
Firefox 3. My exploit don't use JavaScript (as Juan's exploit), just only 
use HTML. For attacking purposes it's better to use plain HTML exploit, 
which allows to bypass such protections as turning off JavaScript or using 
addons like NoScript.

I informed Mozilla about this hole (on email) and published it at Bugzilla 
(https://bugzilla.mozilla.org/show_bug.cgi?id=454434). But Mozilla 
completely ignored it (as all other vulnerabilities, which I informed them 
about in 2007, 2008 and 2009 years). For example last hole in Firefox 3, 
which I disclosed 13.02.2009 (and informed Mozilla) was Charset Inheritance 
vulnerability in Mozilla Firefox 3 (http://websecurity.com.ua/2879/) - and 
they even didn't answered me yet about it. For example, when I informed 
Google about Charset Inheritance vulnerability in Google Chrome 
(http://websecurity.com.ua/2844/), they quickly answered me - that they 
decided to not fix it (but still not ignored letter like Mozilla).

In September 2009 DoS vulnerability in SeaMonkey was found 
(http://websecurity.com.ua/2820/), which uses the same attack (on 
marquee-vulnerability which was ignored by Mozilla). But unlike FF, 
SeaMonkey crashes - this is already another type of DoS vulnerabilities in 
browser (http://websecurity.com.ua/2550/). And in February you found that 
last version of Firefox also crashes.

So Mozilla not only didn't fix the vulnerability, which I found in Firefox 
3.0.1 (and which was known yet in FF1), but even strengthened it in last 
versions of the browser. They altered it from resources consumption DoS to 
crashing DoS. This situation similar to Charset Inheritance vulnerability in 
Mozilla Firefox 3, which wasn't in Firefox 3.0.1 and previous versions 
(after fix in 2007), but which Mozilla "added" in Firefox from version 
3.0.2.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ