lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Apr 2012 15:37:08 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <submissions@...ketstormsecurity.org>, <full-disclosure@...ts.grok.org.uk>
Subject: DoS vulnerabilities in Firefox,
	Internet Explorer and Opera

Hello list!

I want to warn you about Denial of Service vulnerability in Mozilla Firefox, Internet Explorer and Opera. Earlier there was published DoS vulnerability in browser Opera 10.10 found by Inj3ct0r (http://securityvulns.com/news/Opera/1002.html). And some time ago I've checked this exploit and found that many other browsers are vulnerable to this attack.

These are Denial of Service vulnerabilities in Mozilla Firefox, Microsoft Internet Explorer and Opera. They belong to type (http://websecurity.com.ua/2550/) crashing DoS, blocking DoS and resources consumption DoS.

The exploit from Inj3ct0r is similar to the exploits, which I've made for Google Chrome (for my project "Day of bugs in Google Chrome") and Mozilla Firefox in 2008. Attack in my exploits was conducting via large amount of nested marquee tags, and in his case the html, marquee and h1 tags were used. But the essence is the same - large amount of nested tags (particularly marquee). That time I've informed Google and Mozilla and placed Bug 454434 (https://bugzilla.mozilla.org/show_bug.cgi?id=454434) in Bugzilla, but if Google had fixed the hole, Mozilla hadn't fixed this vulnerability.

-------------------------
Affected products:
-------------------------

Vulnerable are Mozilla Firefox 3.0.19, 3.5.11, 3.6.8, 4.0 beta 2, 11.0, Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.00.5730.13), Internet Explorer 8 (8.00.6001.18702) and Opera 10.62, and previous versions of these browsers also must be vulnerable. Other browsers can be vulnerable as well.

----------
Details:
----------

DoS (WASC-10):

This is my version of the exploit for different browsers.

http://websecurity.com.ua/uploads/2012/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html

This exploit uses JS, but attack can be conducted and without JS - as it shown in my 2008's exploit (http://websecurity.com.ua/uploads/2008/Firefox%203%20DoS%20Exploit.html).

This exploit works in the following way:

* Mozilla Firefox 3.0.19 consumes resources (50% CPU and a lot of RAM) and crashes.
* Mozilla Firefox 3.5.11 consumes resources (50% CPU and a lot of RAM) and crashes.
* Mozilla Firefox 3.6.8 consumes resources (50% CPU and a lot of RAM) and crashes.
* Mozilla Firefox 4.0 beta 2 freezes and consumes resources (50% CPU and a lot of RAM).
* Mozilla Firefox 11.0 freezes and consumes resources (50% CPU and a lot of RAM).
* Internet Explorer 6 freezes and consumes resources (50% CPU and a lot of RAM).
* Internet Explorer 7 freezes and consumes resources (50% CPU and a lot of RAM).
* Internet Explorer 8 only consumes resources (50% CPU and a lot of RAM). I.e. in IE8 the problem was partly fixed by Microsoft.
* Opera 10.62 freezes and consumes resources (50% CPU and a lot of RAM).
* The exploit doesn't work in browser Google Chrome already since version 1.0.154.48. Google fixed vulnerability with marquee tag after my informing in 2008.

------------
Timeline:
------------ 

2012.04.23 - disclosed at my site (http://websecurity.com.ua/5808/).
2012.04.24 - reminded Mozilla that they still hadn't fixed 2008's hole.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux - Powered by OpenVZ