| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 31 May 2010 14:41:52 +0200 From: "Jan G.B." <ro0ot.w00t@...glemail.com> To: MustDie <mustdieplease@...il.com> Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua> Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera 2010/5/28 MustDie <mustdieplease@...il.com>: > On Fri, 28 May 2010 16:02:50 +0300 > "MustLive" <mustlive@...security.com.ua> wrote: > >> Hello Full-Disclosure! >> >> I want to warn you about security vulnerabilities in different browsers. >> >> ----------------------------- >> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and >> Opera >> ----------------------------- >> URL: http://websecurity.com.ua/4238/ >> ----------------------------- >> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer >> 8, Google Chrome, Opera. >> ----------------------------- >> Timeline: >> >> 26.05.2010 - found vulnerabilities. >> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera. >> 27.05.2010 - disclosed at my site. >> ----------------------------- >> Details: >> >> After publication of previous vulnerabilities in different browsers, I >> continued my researches and found many new vulnerabilities in browsers, >> which I called by general name DoS via protocol handlers, to which belonged >> and previous DoS attack via mailto handler. >> >> Now I'm informing about DoS in different browsers via protocols news and >> nntp. These Denial of Service vulnerabilities belongs to type >> (http://websecurity.com.ua/2550/) blocking DoS and resources consumption >> DoS. These attacks can be conducted as with using JS, as without it (via >> creating of page with large quantity of iframes). >> >> DoS: >> >> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html >> >> This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides >> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 >> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome >> 1.0.154.48 and Opera 9.52. >> >> In all mentioned browsers occurs blocking and overloading of the system from >> starting of Opera, which appeared as news-client at my computer, and IE8 >> crashes (at computer without Opera). And in Opera the attack is going >> without blocking, only resources consumption (more slowly then in other >> browsers). >> >> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html >> >> This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and besides >> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 >> (6.0.2900.2180) and Opera 9.52. >> >> In all mentioned browsers occurs blocking and overloading of the system from >> starting of Opera, which appeared as nntp-client at my computer. In IE8 the >> attack didn't work - possibly because that at that computer there was no >> nntp-client, Opera in particular. And in Opera the attack is going without >> blocking, only resources consumption (more slowly then in other browsers). >> >> Best wishes & regards, >> MustLive >> Administrator of Websecurity web site >> http://websecurity.com.ua >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - http://secunia.com/ > > Hi, > So, basically, this new vulnerability lies on spawning an infinite/huge amount of News Reader processes, right ? > Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited pop-ups from Firefox whining about having no news reader setup - no load generated, at all. > I hope the Firefox and Opera are taking action as this is a major security threat to any IT System. > > By the way, I found a similar vunlerability in bash 4.5.1, but this must impact other shells as well ! > Here you go: > > ======= NEW UNIVERSAL SHELL EXPLOIT ======= > Discovered by MustDie <mustdie@...tdie.com> http://www.mustdie.com > See http://www.mustdie.com for more infos ! > > Proof of concept script : > -------[ BEGINNING OF FILE: 1337hax.sh ]--------- > #!/bin/bash > #Hardcore vunl in bash, should impact other shells as well ! > #By MustDie <mustdie@...tdie.com> > #Don't forget to check out http://www.mustdie.com > #Inspired by MustDie's "researches" > while :; do > echo "SCALE=1000000000; 4*a(1)" | bc -l& > echo "0wn3d by 1337 r3s34|2ch3|2" > done > #Check out http://www.mustdie.com > -------[ END OF FILE: 1337hax.sh ]--------- > > This should bring any system down to its knees ! > This is definitely a critical vulnerability in Bash. > One cannot assume that telling bash to compute the first 1000000000 decimals of Pi in an infinite forking loop would result in such a thing - that's weird, unexpected behavior. > a CVE ID was requested for this issue. > > -- MustDie > Senior Lead Expert Security Researcher Hi 1337 r3s34|2ch3|2, Yeah, you're right! Bash should analyse the bash script, given parameters to programs and alike and then change the amount to a reasonable value of 100000000 decimals. Btw - have you yet alerted the world of fork bombs, at all?! We're waiting in awe. Regards _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists