[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <425AE597.9020900@gmail.com>
Date: Mon, 11 Apr 2005 17:01:11 -0400
From: Andrew <gluttony@...il.com>
To: bugtraq@...urityfocus.com
Subject: Microsoft Windows image rendering DoS vuln
Alpha-Pi-Omicron Pi-Alpha-Nu-Tau-Omicron-C?
Kappa-Alpha-Kappa-Omicron-Delta-Alpha-Iota-Mu-Omicron-Nu-Omicron-C?
__ ___ __ _____ _ _
___ _ _
/ / /___\/ // _ / /\ /(_) __ _| |__ / __\___ _ _ _ __
___(_) |
/ / // // / \// / / /_/ / |/ _` | '_ \ / / / _ \| | | | '_ \ /
__| | |
/ /___/ \_// /___/ //\ / __ /| | (_| | | | | / /__| (_) | |_| | | | |
(__| | |
\____/\___/\____/____/ \/ /_/ |_|\__, |_| |_| \____/\___/ \__,_|_|
|_|\___|_|_|
|___/
Overview
There exists a vulnerabilility in the way Microsoft Windows handles the
rendering
of images. By resizing an image with html properties to an extremely
large size an
attacker may perform a very quick and effective denial of service attack
upon a
victim.
I. Description and PoC
Only clients running Internet Explorer, Firefox, or Avant in Windows 2k
or XP have
been confirmed to be vulnerable. Opera does it's own image rendering and
is not
ulnerable to this method of attack. The status of Longhorn is not known.
Other
operating systems, including Mac OS X and Linux are not vulnerable.
You may point your browser to this URL to see a live demonstration of
this attack:
http://www.livejournal.com/users/deeplolz
This may cause an instant reboot or bluescreen detailing a problem with
your video
drivers. Other possibilities include an extended period of poor
performance until
next reboot, a short to medium period of nonfunctionality or a crash of the
browser.
II. Impact
Because this attack can be performed anywhere an img src is allowed,
there are
many forums including blogs, messageboards, and others which are
vulnerable. It
is hopeful that Microsoft will release a patch for this attack as soon as
possible.
III. Solution
Until a patch is released you are advised to use the Opera web browser.
It might
also be possible to write a script for the Firefox "GreaseMonkey"
extension which
performs a workaround for this attack. Such as setting height and width
of images
to 5000 pixels if they are currently set to render at over 5000.
Very special shouts: Girlvinyl, Hepkitten, Confkids, and Frienditto
(Come back!!!
We need you badly, FD!)
Shouts:
LJD, LJ-Zeera, Encyclopedia Dramatica, Lulz News Network, Project
Mayhem, Amalea,
Wednesday Night Karate Explosion, The Gundanium Alloys Manufacturers
Association,
Richmond Flash Mob Society, RVA_BS, RVA_FYAD, Brad Fitzpatrick, Mena
Trott, SALJ,
The International Department of Internet Security, #telconinjas,
undernet #drugs,
The Kadaitcha Dancers, psychotic vegans, Warren Ellis, and pro-ana
preteen girls.
Powered by blists - more mailing lists