lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
From: sapheriel at wwwp.de (Sapheriel) Subject: Firefox 0.92 DoS via TinyBMP what baffles me is how easily this problem could be countered. a simple check of bfsize versus filesize(-header and such) would suffice. i suppose you could implement a proximity algorithm to make the format more robust so it doesn't break at the tinyest corruption. -----Original Message----- From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of st3ng4h Sent: Tuesday, July 13, 2004 2:23 AM To: Ali Campbell Cc: full-disclosure@...ts.netsys.com; the_invincible@....de Subject: Re: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali Campbell wrote: > I agree when you say that it's probably a flaw in the BMP lib > implementation. But as I've pointed out once already, Windows isn't > the only afflicted platform: [snip] You're correct, and I'm glad you did point this out, because it may potentially affect many such implementations. The April bugtraq advisory that I provided URL for earlier (and again [1]) says: "When a BMP file loaded into the Internet Explorer (for exmaple 'IMG' tag) the internet explorer check the BMP image size written in BMP file, and then allocate the necessary memory to itself for placing bmp image into the memory." Also see MSDN's explanation of bitmap file structure [2] for more details. AFAICT, any program/library that allocates bfSize (in BITMAPFILEHEADER) bytes of memory, without verifying that this resembles the actual size of the bitmap file, will likely suffer from this problem in some form or another. Why this was not figured out in the original advisory or this one is beyond me; I have approximately zero experience as a bug-hunter and am mostly ignorant to Windows internals. What's more annoying is that the OP apparently just ripped off the PoC from the original (incorrect) IE advisory, did not credit the finder, and published it as a Firefox vulnerability. st3ng4h [1] http://www.securityfocus.com/archive/1/360166 [2] http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps _62uq.asp _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
Powered by blists - more mailing lists