Open Source and information security mailing list archives
 
Date: Tue, 1 Jun 2010 02:32:15 +0530
From: "John Smith" <at-x@...e.com>
To: "MustLive" <mustlive@...security.com.ua>,
	"Susan Bradley" <sbradcpa@...bell.net>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

Hi Mustlive,
I'm not sure if there's a need to discuss or clarify this any further. 
Please refer to my earlier posts, and for the sake of saving some of our 
time & efforts, avoid drawing tangents about scripts and noscripts (I've 
clarified both earlier) & weasel words (security vulnerability and nntp 
exploit - irrelevant in this case).
JS or no-JS, this issue is nothing new, this behavior is well-defined and a 
necessity and definitely not a URI (of any kind) exploit or a security 
vulnerability.

Some last specifics (mostly reiterating what I said in my earlier posts) -
1. You can take this issue up with the content aggregators (CDN etc) and/or 
website programmers, this is not an issue to be addressed by the web browsers 
because the solution of it remains imperfect in theory (one of my posts has 
a 'workaround'...maybe a 'good to have' feature which WILL open up another 
can of worms...).
2. Now the even vague non-scripted issue which you insist upon - If you are 
trying to say that a 1000 lines of <iframe src='nntp:something'/> (which is 
executed sequentially by any JVM as a fact) is an 'exploit' and 'security 
vulnerability', isn't there a HUGE point missing?
NOTE: again, I'm not sure why you claim it's an 'nntp' exploit. As I noted 
earlier, it's applicable to any uri handler and their behaviour is nothing 
unexpected.
3. Your POC had used JS and is non-functional without scripting enabled. It 
was taken offline since I last checked (my 2nd last post?), which should 
have been your sample reference for this discussion (it's appearing to shift 
now).

Best Regards,
w

--------------------------------------------------
From: "MustLive" <mustlive@...security.com.ua>
Sent: Monday, May 31, 2010 9:33 PM
To: "Susan Bradley" <sbradcpa@...bell.net>
Cc: <bugtraq@...urityfocus.com>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and 
Opera

> Hello Susan and other readers, who replied to my previous advisory.
>
> Earlier I've already answered Vladimir, now I'd answer Susan and soon I'd
> answer John. But now one important note to every reader of the list,
> including John Smith. Which I already wrote about 1,5 week ago (after
> posting of a first advisory about DoS in browsers) to one reader of
> Full-disclosure who inattentively read that advisory (he missed message
> about attacking without JS) and also to Mozilla (who became discussing this
> issue and only drew attention to attacking with JS vector). That, as I wrote
> in both advisories, this attack via iframes can also be conducted without
> JavaScript. So even turning JS off will not help.
>
> Due to advantages of JS exploit for these vulnerabilities over non-JS
> exploit, I wrote JavaScript exploits for these advisories and I'd write for
> future advisories (but I'd be reminding about possibility of attacking
> without JS). But soon I'll present one exploit also in "pure-iframe" version
> (without JS) for Internet Explorer and other applications - in case when
> small amount of iframes lead to crash.
>
>> Thank you.  Now if you could wait for patches before disclosing I'd be
>> even happier.
>
> Susan, you are welcome.
>
> I would be happy to wait for patches of browser vendors, but as already
> told you in details, it's not possible due to behavior of browser vendors.
> All they mostly ignore such holes, all they don't count DoS as
> vulnerabilities, they called them "stability issues" and so don't attend to
> them seriously (and not fixing or fixing slowly). I don't respect such
> statement as "stability issues" for DoS holes, and during 2008-2010 I worked
> hard to change vendors' mind on this issue, but they still ignore it.
>
> Also, as I already told you, they never told if they fixed or not such holes
> (especially taking into account that they almost always ignore my letters
> with such holes or, as Opera did few times, answering with "it's stability
> issues" statement). So I have no possibility to know from them if they fixed
> it or not - and because they don't care about such issues (ignoring them or
> calling them stability issues), they never mentioned about them in vendors
> advisories. Only one time Microsoft informed me about fixing DoS hole in
> Outlook - even they called it stability issue they informed me after they
> released a patch for it (which was serious approach, but not Microsoft for
> IE, nor other vendors use such approach for DoS holes in browsers).
>
> But take into account that I informed (at 26.05.2010) all four browser
> vendors about many vulnerabilities, which I'll disclose in the future. So
> they are informed for long time in advance :-). And so you have no need to
> worry, because with every day they become more and more "informed long time
> ago" and have more and more days to fix these holes.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> ----- Original Message ----- 
> From: "Susan Bradley" <sbradcpa@...bell.net>
> To: "MustLive" <mustlive@...security.com.ua>
> Cc: <bugtraq@...urityfocus.com>
> Sent: Friday, May 28, 2010 7:06 PM
> Subject: Re: [Suspected Spam]DoS vulnerabilities in Firefox, Internet
> Explorer, Chrome and Opera
>
>
>> Thank you.  Now if you could wait for patches before disclosing I'd be
>> even happier.
>>
>> MustLive wrote:
>>> Hello Bugtraq!
>>>
>>> I want to warn you about security vulnerability in different browsers.
>>>
>>> -----------------------------
>>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
>>> Opera
>>> -----------------------------
>>> URL: http://websecurity.com.ua/4238/
>>> -----------------------------
>>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
>>> 8, Google Chrome, Opera.
>>> -----------------------------
>>> Timeline:
>>>
>>> 26.05.2010 - found vulnerabilities.
>>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>>> Susan Bradley must be happy :-).
>>> 27.05.2010 - disclosed at my site.
>>> -----------------------------
>>> Details:
>>>
>>> After publication of previous vulnerabilities in different browsers, I
>>> continued my researches and found many new vulnerabilities in browsers,
>>> which I called by general name DoS via protocol handlers, to which belonged
>>> and previous DoS attack via mailto handler.
>>>
>>> Now I'm informing about DoS in different browsers via protocols news and
>>> nntp. These Denial of Service vulnerabilities belongs to type
>>> (http://websecurity.com.ua/2550/) blocking DoS and resources consumption
>>> DoS. These attacks can be conducted as with using JS, as without it (via
>>> creating of page with large quantity of iframes).
>>>
>>> DoS:
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
>>>
>>> This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides
>>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>>> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
>>> 1.0.154.48 and Opera 9.52.
>>>
>>> In all mentioned browsers occurs blocking and overloading of the system from
>>> starting of Opera, which appeared as news-client at my computer, and IE8
>>> crashes (at computer without Opera). And in Opera the attack is going
>>> without blocking, only resources consumption (more slowly than in other
>>> browsers).
>>>
>>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
>>>
>>> This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and besides
>>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>>> (6.0.2900.2180) and Opera 9.52.
>>>
>>> In all mentioned browsers occurs blocking and overloading of the system from
>>> starting of Opera, which appeared as nntp-client at my computer. In IE8 the
>>> attack didn't work - possibly because that at that computer there was no
>>> nntp-client, Opera in particular. And in Opera the attack is going without
>>> blocking, only resources consumption (more slowly than in other browsers).
>>>
>>> Best wishes & regards,
>>> MustLive
>>> Administrator of Websecurity web site
>>> http://websecurity.com.ua
>
> 
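
Added example, not part of the original thread or any poster's code: a static content scan that counts frames whose `src` uses a scheme handed to an external protocol handler, which is the no-script form the thread argues about. The in-browser scheme list, the threshold of 10, the names `HandlerFrameCounter` and `scan`, and the sample page are assumptions constructed for illustration.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption for this example: schemes the browser renders itself.
# Any other scheme in a frame src is passed to a registered external handler.
IN_BROWSER = {"", "http", "https", "about", "data", "blob", "javascript"}
FRAME_TAGS = {"iframe", "frame"}


class HandlerFrameCounter(HTMLParser):
    """Counts frame elements per external-handler scheme."""

    def __init__(self):
        super().__init__()
        self.by_scheme = Counter()

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in FRAME_TAGS:
            return
        src = (dict(attrs).get("src") or "").strip()
        scheme = urlsplit(src).scheme.lower()
        if scheme not in IN_BROWSER:
            self.by_scheme[scheme] += 1


def scan(html, threshold=10):
    """Return {scheme: count} for schemes used by >= threshold frames."""
    parser = HandlerFrameCounter()
    parser.feed(html)
    parser.close()
    return {s: n for s, n in parser.by_scheme.items() if n >= threshold}


# Constructed sample: one ordinary frame, one lone mailto frame, and the
# "1000 lines" of nntp frames mentioned in the thread (with explicit
# closing tags so every HTML parser sees 1000 separate elements).
SAMPLE = (
    "<html><body>\n"
    "<iframe src='https://example.com/widget'></iframe>\n"
    "<iframe src='mailto:user@example.com'></iframe>\n"
    + "<iframe src='nntp:something'></iframe>\n" * 1000
    + "</body></html>"
)

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A static scan like this sees only frames present in the markup; frames created by script at runtime are not counted.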
