Message-ID: <200407121914.02506.d.huecking@gmx.net>
From: d.huecking at gmx.net (David Huecking)
Subject: Firefox 0.92 DoS  via TinyBMP

Hmm, very funny modified BMPs?!
david@...ia:~/tiny> wget -r http://www.4rman.com/exploits/tinybmp.htm
[...]
david@...ia:~/tiny/www.4rman.com/exploits> ll
insgesamt 44
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little10.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little2.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little3.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little4.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little5.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little6.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little7.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little8.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little9.bmp
-rw-r--r--    1 david    users         822 2004-04-07 23:05 tinybmp.htm
david@...ia:~/tiny/www.4rman.com/exploits> file *
little.bmp:   PC bitmap data, Windows 3.x format, 1114111 x 202 x 24
little10.bmp: PC bitmap data, Windows 3.x format, 1114111 x 6 x 24
little2.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 121 x 24
little3.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 89 x 24
little4.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 52 x 24
little5.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 40 x 24
little6.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 24 x 24
little7.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 24 x 24
little8.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 6 x 24
little9.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 6 x 24
tinybmp.htm:  HTML document text

Pretty wide/large bitmaps in 24-bit color depth.
OK, and now some mathematics: (only the full MBs)
1114111 * 202 * 3 Byte = 644 MB
1114111 * 6 * 3 Byte   =  19 MB
1114111 * 121 * 3 Byte = 385 MB
1114111 * 89 * 3 Byte  = 283 MB
1114111 * 52 * 3 Byte  = 165 MB
1114111 * 40 * 3 Byte  = 127 MB
1114111 * 24 * 3 Byte  =  76 MB
1114111 * 24 * 3 Byte  =  76 MB
1114111 * 6 * 3 Byte   =  19 MB
1114111 * 6 * 3 Byte   =  19 MB

All in all: 1812 MB. Should be enough to fill one or another machine's main memory...

Just for fun opened little10.bmp with gimp and saved it as tif:
david@...ia:~/tiny/www.4rman.com/exploits> ll -h little10.*
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little10.bmp
-rw-r--r--    1 david    users         20M 2004-07-12 19:12 little10.tif

So we see the true nature of this picture.


On Monday, 12 July 2004 13:23, thE_iNviNciblE wrote:
> Hi,
>
> there is a security vulnerability in Firefox 0.92 (latest version)
>
> http://www.4rman.com/exploits/tinybmp.htm
>
> this link causes your virtual memory to rise up to 1,2 GB of used
> memory...
>
> maybe Thunderbird 0.72 is also vulnerable via HTML.
>
> credits to: StupidWhiteMan

-- 
Eat, sleep and go running,
David Huecking.

Encrypted eMail welcome! 
GnuPG/ PGP-Key: 0x57809216. Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216
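
Added example, not part of the original message or of any Firefox code: a pre-allocation check a decoder could run on a BMP header, rejecting files whose declared pixel buffer exceeds a cap or exceeds the pixel data actually present. The sample is a constructed 58-byte file using the dimensions `file` reported for little10.bmp; the 64 MiB cap, the helper names and the uncompressed 24-bit layout of the sample are assumptions.

```python
import struct

BI_RGB = 0                             # uncompressed pixel data
MAX_DECODED_BYTES = 64 * 1024 * 1024   # assumed policy cap, tune per application

def make_bmp(width, height, pixels):
    """Build a 24-bit uncompressed BMP (used only for constructed test input)."""
    info = struct.pack("<IiiHHIIiiII", 40, width, height, 1, 24, BI_RGB, 0, 0, 0, 0, 0)
    head = struct.pack("<2sIHHI", b"BM", 54 + len(pixels), 0, 0, 54)
    return head + info + pixels

def declared_size(data):
    """Return (width, height, bpp, decoded_bytes, compression) claimed by the header."""
    if len(data) < 54 or data[:2] != b"BM":
        raise ValueError("not a BMP with a BITMAPINFOHEADER")
    size, width, height, _planes, bpp, comp = struct.unpack_from("<IiiHHI", data, 14)
    if size < 40 or width <= 0 or height == 0 or bpp not in (1, 4, 8, 16, 24, 32):
        raise ValueError("implausible header fields")
    stride = (width * bpp + 31) // 32 * 4      # each row is padded to 4 bytes
    return width, abs(height), bpp, stride * abs(height), comp

def check_bmp(data, max_decoded=MAX_DECODED_BYTES):
    """Return (ok, reason); runs before any pixel buffer is allocated."""
    try:
        _w, _h, _bpp, decoded, comp = declared_size(data)
    except ValueError as exc:
        return False, str(exc)
    if decoded > max_decoded:
        return False, f"declares {decoded} bytes, cap is {max_decoded}"
    offset = struct.unpack_from("<I", data, 10)[0]   # bfOffBits: start of pixel data
    present = max(len(data) - offset, 0)
    if comp == BI_RGB and present < decoded:
        return False, f"file holds {present} pixel bytes, header declares {decoded}"
    return True, "ok"

# Constructed samples: the 58-byte case from the listing, and a well-formed 2x2 image.
SAMPLE = make_bmp(1114111, 6, b"\x00" * 4)
SMALL = make_bmp(2, 2, b"\x00" * 16)

if __name__ == "__main__":
    print(len(SAMPLE), declared_size(SAMPLE))
    print(check_bmp(SAMPLE, 16 * 2**20))   # rejected by the size cap
    print(check_bmp(SAMPLE))               # under the cap, rejected as truncated
    print(check_bmp(SMALL))
```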

