Date: Fri, 17 Jul 2009 23:56:38 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <bugtraq@...urityfocus.com>, <Thierry@...ler.lu>
Subject: Re: [GSEC-TZO-44-2009] One bug to rule them all - Firefox, IE, Safari,Opera, Chrome,Seamonkey,iPhone,iPod,Wii,PS3....

Hello Thierry!

About your "bug to rule them all", I can say that it's an interesting
vulnerability and interesting research in itself. I have found DoS
vulnerabilities in multiple browsers many times, but I never tested in so
many browsers and systems. So you did a large piece of research (with the
help of those people who helped you with testing on different systems) - this
DoS hole exists (or existed) in so many systems: different desktop browsers,
email clients, browsers for mobile devices, game devices and possibly other
devices with support for JavaScript.

Maybe some of the DoS holes found by me can also work on multiple platforms,
but I didn't test on such a large scale of devices (just in different
browsers on my PC).

> Credit      : Except Apple - nobody

It's a very common situation (with developers not taking seriously the
security professionals who found holes in their programs). Especially in
the case of DoS vulnerabilities.

> IV. Disclosure timeline
> ~~~~~~~~~~~~~~~~~~~~~~~~~
> Nothing particular to note, except the usual discussion about availability
> being a security issue.

It is also very common for developers (browser developers in particular) not
to put DoS in the category of security issues (even if they have officially
said that they acknowledge DoS as a security issue). So nothing surprising
:-) - I have heard such statements from browser developers many times.

Thierry, I even planned to write a large message here on this subject (which
I planned at the beginning of this year), but I canceled it due to lack of
time :-). In short: the developers are not right and DoS is a security issue.

I tested your vulnerability (your PoC) in all my browsers: Mozilla, Firefox,
IE, Opera and Chrome. Here are the results of my tests, which will be an
additional stroke to your picture of vulnerable browsers and systems.

Mozilla 1.7.x is not vulnerable. And this is a reason why I like Mozilla
1.7.x, because it doesn't have many of the holes which Mozilla added to new
versions of their Firefox ;-). You wrote that Firefox allocates 2 GB of
memory and then crashes. My Mozilla only allocates about 900 MB of memory
and then stops this process (and stops using the CPU). So it was just a small
lag, without particular strain, so it's not vulnerable.

Firefox 3.0.11 is not vulnerable (because it was fixed in Firefox 3.0.5).

IE6 is vulnerable. But my IE6 is vulnerable in a different way than other
browsers. You wrote that IE5,6,7,8 allocates 2 GB of memory and then
crashes. In my case, the browser only takes CPU resources (over 50% on my
two-core processor, it'll be 100% on a single-core processor) without taking
memory.

Opera 9.52 is vulnerable (because it was fixed in a version after Opera 9.64).
You wrote that Opera allocates and commits as much memory as available and
will not crash. In my case Opera takes more than 2 GB (almost all memory
available) and then freezes.

Google Chrome 1.0.154.48 is not vulnerable. You wrote that Chrome allocates
2 GB of memory and then crashes the tab with a null pointer. In my case Chrome
takes more than 2 GB of memory and then shows its message about an error on
the page and frees all the memory. So as a result almost no memory or CPU
resources are used by the browser. You wrote that Chrome was patched
(unknown version). As we see, at least version Chrome 1.0.154.48 is not
vulnerable.

There is also one interesting thing.

You mentioned bug #460713 in Mozilla's bugzilla. When I followed this link
yesterday, I found that this entry is closed for viewing (even for logged-in
users). So for some unknown reason Mozilla closed access to bug #460713
(https://bugzilla.mozilla.org/show_bug.cgi?id=460713), even though it's
resolved. As you wrote, this hole was fixed in Firefox 3.0.5. This version
was released on the 16th of December 2008, so from that time until now
Mozilla hasn't opened this bug. Why did they do it? Do they have something to
hide from people :-).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

