lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040713050921.27251.qmail@web10707.mail.yahoo.com>
From: jhaunsystem at yahoo.com (jhaunsystem)
Subject: Firefox 0.92 DoS  via TinyBMP

 I tested it out on 2 platforms.  On Mozilla 1.7 &&
win2k I get the same results as your description. 
However on Freebsd_4.10 && Mozilla 1.7, Mozilla just
crashes with little or no tax on the system.


> -----Original Message-----
> From: full-disclosure-admin@...ts.netsys.com
> [mailto:full-disclosure-admin@...ts.netsys.com] On
> Behalf Of st3ng4h
> Sent: Tuesday, July 13, 2004 2:23 AM
> To: Ali Campbell
> Cc: full-disclosure@...ts.netsys.com;
> the_invincible@....de
> Subject: Re: [Full-Disclosure] Firefox 0.92 DoS via
> TinyBMP
> 
> On Mon, Jul 12, 2004 at 10:12:40PM +0100, Ali
> Campbell wrote:
> > I agree when you say that it's probably a flaw in
> the BMP lib 
> > implementation. But as I've pointed out once
> already, Windows isn't 
> > the only afflicted platform:
> [snip]
> 
> You're correct, and I'm glad you did point this out,
> because it may
> potentially affect many such implementations.
> 
> The April bugtraq advisory that I provided URL for
> earlier (and again [1])
> says:
> 
> "When a BMP file loaded into the Internet Explorer
> (for exmaple 'IMG' tag)
> the internet explorer check the BMP image size
> written in BMP file, and then
> allocate the necessary memory to itself for placing
> bmp image into the
> memory."
> 
> Also see MSDN's explanation of bitmap file structure
> [2] for more details.
> 
> AFAICT, any program/library that allocates bfSize
> (in
> BITMAPFILEHEADER) bytes of memory, without verifying
> that this resembles the
> actual size of the bitmap file, will likely suffer
> from this problem in some
> form or another. 
> 
> Why this was not figured out in the original
> advisory or this one is beyond
> me; I have approximately zero experience as a
> bug-hunter and am mostly
> ignorant to Windows internals.
> 
> What's more annoying is that the OP apparently just
> ripped off the PoC from
> the original (incorrect) IE advisory, did not credit
> the finder, and
> published it as a Firefox vulnerability.
> 
> st3ng4h
> 
> [1] http://www.securityfocus.com/archive/1/360166
> 
> [2]
>
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gdi/bitmaps
> _62uq.asp
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter:
> http://lists.netsys.com/full-disclosure-charter.html
> 



		
__________________________________
Do you Yahoo!?
Yahoo! Mail Address AutoComplete - You start. We finish.
http://promotions.yahoo.com/new_mail 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ