lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200407130427.i6D4Rqu17573@netsys.com>
From: sapheriel at wwwp.de (Sapheriel)
Subject: Firefox 0.92 DoS  via TinyBMP

what baffles me is how easily this problem could be countered. a simple
check of bfsize versus filesize(-header and such) would suffice. i suppose
you could implement a proximity algorithm to make the format more robust so
it doesn't break at the tinyest corruption. 

-----Original Message-----
From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of st3ng4h
Sent: Tuesday, July 13, 2004 2:23 AM
To: Ali Campbell
Cc: full-disclosure@...ts.netsys.com; the_invincible@....de
Subject: Re: [Full-Disclosure] Firefox 0.92 DoS via TinyBMP

On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali Campbell wrote:
> I agree when you say that it's probably a flaw in the BMP lib 
> implementation. But as I've pointed out once already, Windows isn't 
> the only afflicted platform:
[snip]

You're correct, and I'm glad you did point this out, because it may
potentially affect many such implementations.

The April bugtraq advisory that I provided URL for earlier (and again [1])
says:

"When a BMP file loaded into the Internet Explorer (for exmaple 'IMG' tag)
the internet explorer check the BMP image size written in BMP file, and then
allocate the necessary memory to itself for placing bmp image into the
memory."

Also see MSDN's explanation of bitmap file structure [2] for more details.

AFAICT, any program/library that allocates bfSize (in
BITMAPFILEHEADER) bytes of memory, without verifying that this resembles the
actual size of the bitmap file, will likely suffer from this problem in some
form or another. 

Why this was not figured out in the original advisory or this one is beyond
me; I have approximately zero experience as a bug-hunter and am mostly
ignorant to Windows internals.

What's more annoying is that the OP apparently just ripped off the PoC from
the original (incorrect) IE advisory, did not credit the finder, and
published it as a Firefox vulnerability.

st3ng4h

[1] http://www.securityfocus.com/archive/1/360166

[2]
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps
_62uq.asp

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ