lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 21 Apr 2005 13:58:42 -0700 (PDT)
From: Randy <rho@...net.edu>
To: patrick <mccpat@...il.com>
Cc: jesse@...terpm.net, bugtraq@...urityfocus.com
Subject: Re: Microsoft Windows image rendering DoS vuln


I just tested it out on Windows XP sp2, firefox 1.0.3 and IE6

No crash...

-Randy

On Thu, 21 Apr 2005, patrick wrote:

> Ok everyone, someone sent me a copy of the site which was the link that
> was originally sent with the vulnerability. Looking closer, it seems
> that it may not be that the extremely large height and width properties
> of the image in a site is what is causing the crash. However, I have not
> had time to test it out, I will in a little bit, I need to finish a few
> things.
>
> Here is the full page source (it's in the attachment). This is what I
> was talking about though. Notice this in the page source:
>
> <code>
> <!--
> // Cache-busting LUBID bug.
> var ran = Math.round(Math.random() * 899999) + 100000;
> var lubid_string = "<img
> src=\"http://hb.lycos.com/header?VID=6105&LHIG=1&ord=" + ran + "\"
> height=\"1\" width=\"1\">";
> document.write(lubid_string);
> //-->
> </script>
> </code>
>
> The site also has this:
>
> <code>
>
> <img src="http://home.comcast.net/~squaresoft0/internet.jpg" height="9999999" width=
> "9999999"><br /><img src="http://home.comcast.net/~squaresoft0/internet.jpg" height="
> 9999999" width="9999999">
>
> </code>
>
> Now, I will try setting up a site with just that code, and then a site
> with both, and see what happens.
>
> I only briefly looked at the page source, so there may be more. Tell me
> what you guys find.
>
> Jesse Morgan wrote:
>
>> Yes, it was SP2. My values were at 50000000 or something similar. I also
>> created a 50000x50000 gif and tried that, still no luck.
>> Unfortunately I didn't get my hands on the code.
>> Also a friend's system rebooted after a bsod (he has an ATI video card
>> and I have on-board video on a laptop)
>>
>> patrick wrote:
>>
>>> Hmm, don't think so, though, you said it crashed your computer... was it
>>> XP SP2? It sounds like it later in your email but I'm not sure... it's
>>> quite interesting. Possibly his site had a different code than the one
>>> you and I set up? He didn't go into much detail about the code except
>>> that the "height" and "width" properties should be an enourmous amount.
>>> Did you by any chance get the page source or no?
>>
>>> Jesse Morgan wrote:
>>
>>
>>>> His site was up when I got the email and it did crash my computer.
>>>> Livejorunal locked his account a few hours later.
>>>> I too tried creating the exploit myself a few days later (windows xp
>>>> sp2) and it failed to work. Maybe Microsoft somehow got a patch
>>>> installed without us knowing?
>>>>
>>>> patrick wrote:
>>>>
>>>>
>>>>> Andrew wrote:
>>>>
>>>>
>>>>>>               Alpha-Pi-Omicron Pi-Alpha-Nu-Tau-Omicron-C?
>>>>>>  Kappa-Alpha-Kappa-Omicron-Delta-Alpha-Iota-Mu-Omicron-Nu-Omicron-C?
>>>>>> __    ___  __ _____         _       _
>>>>>> ___                       _ _
>>>>>> / /   /___\/ // _  /   /\  /(_) __ _| |__     / __\___  _   _ _ __
>>>>>> ___(_) |
>>>>>> / /   //  // / \// /   / /_/ / |/ _` | '_ \   / /  / _ \| | | | '_ \ /
>>>>>> __| | |
>>>>>> / /___/ \_// /___/ //\ / __  /| | (_| | | | | / /__| (_) | |_| | | | |
>>>>>> (__| | |
>>>>>> \____/\___/\____/____/ \/ /_/ |_|\__, |_| |_| \____/\___/ \__,_|_|
>>>>>> |_|\___|_|_|
>>>>>>
>>>>>> |___/
>>>>>> Overview
>>>>>>
>>>>>> There exists a vulnerabilility in the way Microsoft Windows handles
>>>>>> the rendering
>>>>>> of images. By resizing an image with html properties to an extremely
>>>>>> large size an
>>>>>> attacker may perform a very quick and effective denial of service
>>>>>> attack upon a
>>>>>> victim.
>>>>>>
>>>>>>
>>>>>> I. Description and PoC
>>>>>>
>>>>>> Only clients running Internet Explorer, Firefox, or Avant in Windows
>>>>>> 2k or XP have
>>>>>> been confirmed to be vulnerable. Opera does it's own image rendering
>>>>>> and is not
>>>>>> ulnerable to this method of attack. The status of Longhorn is not
>>>>>> known. Other
>>>>>> operating systems, including Mac OS X and Linux are not vulnerable.
>>>>>>
>>>>>> You may point your browser to this URL to see a live demonstration of
>>>>>> this attack:
>>>>>>
>>>>>> http://www.livejournal.com/users/deeplolz
>>>>>>
>>>>>> This may cause an instant reboot or bluescreen detailing a problem
>>>>>> with your video
>>>>>> drivers. Other possibilities include an extended period of poor
>>>>>> performance until
>>>>>> next reboot, a short to medium period of nonfunctionality or a crash
>>>>>> of the
>>>>>> browser.
>>>>>>
>>>>>>
>>>>>> II. Impact
>>>>>>
>>>>>> Because this attack can be performed anywhere an img src is allowed,
>>>>>> there are
>>>>>> many forums including blogs, messageboards, and others which are
>>>>>> vulnerable. It
>>>>>> is hopeful that Microsoft will release a patch for this attack as
>>>>
>>>> soon as
>>>>
>>>>>> possible.
>>>>>>
>>>>>>
>>>>>> III. Solution
>>>>>>
>>>>>> Until a patch is released you are advised to use the Opera web
>>>>>> browser. It might
>>>>>> also be possible to write a script for the Firefox "GreaseMonkey"
>>>>>> extension which
>>>>>> performs a workaround for this attack. Such as setting height and
>>>>>> width of images
>>>>>> to 5000 pixels if they are currently set to render at over 5000.
>>>>>>
>>>>>>
>>>>>> Very special shouts: Girlvinyl, Hepkitten, Confkids, and Frienditto
>>>>>> (Come back!!!
>>>>>> We need you badly, FD!)
>>>>>>
>>>>>> Shouts:
>>>>>> LJD, LJ-Zeera, Encyclopedia Dramatica, Lulz News Network, Project
>>>>>> Mayhem, Amalea,
>>>>>> Wednesday Night Karate Explosion, The Gundanium Alloys Manufacturers
>>>>>> Association,
>>>>>> Richmond Flash Mob Society, RVA_BS, RVA_FYAD, Brad Fitzpatrick, Mena
>>>>>> Trott, SALJ,
>>>>>> The International Department of Internet Security, #telconinjas,
>>>>>> undernet #drugs,
>>>>>> The Kadaitcha Dancers, psychotic vegans, Warren Ellis, and pro-ana
>>>>>> preteen girls.
>>>>>>
>>>>> Hmm, a few things.
>>>>
>>>>> 1) That site is down. Has been down ever since I got this email.
>>>>> 2) I created a site with this HTML code:
>>>>
>>>>> /././././././././././././
>>>>
>>>>> <html>
>>>>> <body>
>>>>> <p>If you are using IE, YOU SUCK! Just kidding.<br>
>>>>> If you're in Window$ though, this should crash your puter<br>
>>>>> or give you a BSOD. HAVE FUN BUDDY! MUA HA HA!</p>
>>>>
>>>>> <img src="http://thepcelement.com/hardware/neowinscreenie.jpg"
>>>>> height="9999999999999999999999999999999999999999999999999991"
>>>>> width="999999999999999999999999999999999999999999999999999999999999999991">
>>>>
>>>>> </body>
>>>>> </html>
>>>>
>>>>> /./././././././././././
>>>>
>>>>> Yet no crash, this was on my Dad's PC running Window$ XP, no SP2,
>>>>> Firefox and Internet Exploder, the image was all white, no slowdown or
>>>>> anything.
>>>>
>>>>> Can you tell me what I'm doing wrong and give me the source to that
>> page
>>>>> you had up as a live demonstration? I'm interested to see more about
>>>>> this vulnerability.
>>>>
>>>>> Thanks for posting, have a nice day,
>>
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ