Message-ID: <AANLkTikn-JExL30gDb6wYmoSlD50LRxfvG6gfyhRON4l@mail.gmail.com>
Date: Mon, 31 May 2010 14:41:52 +0200
From: "Jan G.B." <ro0ot.w00t@...glemail.com>
To: MustDie <mustdieplease@...il.com>
Cc: full-disclosure@...ts.grok.org.uk, MustLive <mustlive@...security.com.ua>
Subject: Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
2010/5/28 MustDie <mustdieplease@...il.com>:
> On Fri, 28 May 2010 16:02:50 +0300
> "MustLive" <mustlive@...security.com.ua> wrote:
>
>> Hello Full-Disclosure!
>>
>> I want to warn you about security vulnerabilities in different browsers.
>>
>> -----------------------------
>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
>> Opera
>> -----------------------------
>> URL: http://websecurity.com.ua/4238/
>> -----------------------------
>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
>> 8, Google Chrome, Opera.
>> -----------------------------
>> Timeline:
>>
>> 26.05.2010 - found vulnerabilities.
>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>> 27.05.2010 - disclosed at my site.
>> -----------------------------
>> Details:
>>
>> After publication of previous vulnerabilities in different browsers, I
>> continued my research and found many new vulnerabilities in browsers,
>> which I called by the general name DoS via protocol handlers, to which the
>> previous DoS attack via the mailto handler also belonged.
>>
>> Now I'm informing about DoS in different browsers via the protocols news and
>> nntp. These Denial of Service vulnerabilities belong to the types
>> (http://websecurity.com.ua/2550/) blocking DoS and resources consumption
>> DoS. These attacks can be conducted both with JS and without it (via
>> creating a page with a large quantity of iframes).
>>
>> DoS:
>>
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
>>
>> This exploit for the news protocol works in Mozilla Firefox 3.0.19 (and, besides
>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
>> 1.0.154.48 and Opera 9.52.
>>
>> In all mentioned browsers, blocking and overloading of the system occurs from
>> the starting of Opera, which is set as the news client on my computer, and IE8
>> crashes (on a computer without Opera). And in Opera the attack goes on
>> without blocking, only with resources consumption (more slowly than in other
>> browsers).
>>
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
>>
>> This exploit for the nntp protocol works in Mozilla Firefox 3.0.19 (and, besides
>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>> (6.0.2900.2180) and Opera 9.52.
>>
>> In all mentioned browsers, blocking and overloading of the system occurs from
>> the starting of Opera, which is set as the nntp client on my computer. In IE8 the
>> attack didn't work - possibly because on that computer there was no
>> nntp client, Opera in particular. And in Opera the attack goes on without
>> blocking, only with resources consumption (more slowly than in other browsers).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi,
> So, basically, this new vulnerability lies in spawning an infinite/huge amount of News Reader processes, right?
> Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited pop-ups from Firefox whining about having no news reader set up - no load generated, at all.
> I hope Firefox and Opera are taking action as this is a major security threat to any IT System.
>
> By the way, I found a similar vulnerability in bash 4.5.1, but this must impact other shells as well!
> Here you go:
>
> ======= NEW UNIVERSAL SHELL EXPLOIT =======
> Discovered by MustDie <mustdie@...tdie.com> http://www.mustdie.com
> See http://www.mustdie.com for more infos !
>
> Proof of concept script :
> -------[ BEGINNING OF FILE: 1337hax.sh ]---------
> #!/bin/bash
> #Hardcore vunl in bash, should impact other shells as well !
> #By MustDie <mustdie@...tdie.com>
> #Don't forget to check out http://www.mustdie.com
> #Inspired by MustDie's "researches"
> while :; do
> echo "SCALE=1000000000; 4*a(1)" | bc -l&
> echo "0wn3d by 1337 r3s34|2ch3|2"
> done
> #Check out http://www.mustdie.com
> -------[ END OF FILE: 1337hax.sh ]---------
>
> This should bring any system down to its knees!
> This is definitely a critical vulnerability in Bash.
> One cannot assume that telling bash to compute the first 1000000000 decimals of Pi in an infinite forking loop would result in such a thing - that's weird, unexpected behavior.
> A CVE ID was requested for this issue.
>
> -- MustDie
> Senior Lead Expert Security Researcher
Hi 1337 r3s34|2ch3|2,
Yeah, you're right! Bash should analyse the bash script and the
parameters given to programs and the like, and then change the amount to a
reasonable value of 100000000 decimals.
Btw, have you alerted the world of fork bombs yet?! We're
waiting in awe.
Regards
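The advisory quoted above describes one concrete pattern: a page that embeds the same external-protocol link (news:, nntp:, and earlier mailto:) in a large number of iframes so the browser launches the registered handler over and over. A content filter or proxy can flag that pattern before the page reaches a browser. The following Python script is an added example written for this archive page; it is not code from the advisory, from MustDie's message or from the Full-Disclosure list. The sample pages, the flood threshold of 20 and the set of "browser-handled" schemes are constructed assumptions, not values taken from the thread.

```python
"""Flag pages that auto-load many external-protocol URLs (added example)."""
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Schemes the browser renders itself. Anything else ("news", "nntp", "mailto",
# ...) is normally handed to an external protocol handler, which is the
# behaviour the advisory abuses by repeating one such link in many iframes.
# This set and the threshold are assumptions chosen for the example.
BROWSER_SCHEMES = {"", "http", "https", "data", "about", "blob", "javascript"}

# Elements that fetch their URL without any user interaction, and the
# attribute that carries the URL.
AUTO_LOAD_TAGS = {"iframe": "src", "frame": "src", "embed": "src",
                  "object": "data", "img": "src", "script": "src"}
DEFAULT_THRESHOLD = 20


class HandlerSchemeCounter(HTMLParser):
    """Count URL schemes of elements that load without user interaction."""

    def __init__(self):
        super().__init__()
        self.by_scheme = Counter()

    def handle_starttag(self, tag, attrs):
        attr_name = AUTO_LOAD_TAGS.get(tag)  # HTMLParser lowercases tag names
        if attr_name is None:
            return
        for name, value in attrs:
            if name == attr_name and value is not None:
                # urlsplit lowercases the scheme; strip() guards against
                # leading whitespace that browsers ignore.
                self.by_scheme[urlsplit(value.strip()).scheme] += 1


def count_handler_schemes(html: str) -> dict:
    """Return {scheme: count} for auto-loading references whose scheme the
    browser would pass to an external protocol handler."""
    parser = HandlerSchemeCounter()
    parser.feed(html)
    parser.close()
    return {s: n for s, n in parser.by_scheme.items() if s not in BROWSER_SCHEMES}


def is_handler_flood(html: str, threshold: int = DEFAULT_THRESHOLD) -> bool:
    """True when one external scheme is auto-loaded at least `threshold` times."""
    return any(n >= threshold for n in count_handler_schemes(html).values())


# Constructed sample pages (not the advisory's exploit files).
FLOOD_PAGE = ("<html><body>"
              + '<iframe src="news:comp.test"></iframe>' * 50
              + "</body></html>")
BENIGN_PAGE = ('<html><body><a href="news:comp.test">one link</a>'
               '<iframe src="https://example.invalid/frame.html"></iframe>'
               '<img src="/logo.png"></body></html>')

if __name__ == "__main__":
    for label, page in (("flood", FLOOD_PAGE), ("benign", BENIGN_PAGE)):
        print(label, count_handler_schemes(page), is_handler_flood(page))
```

A single `<a href="news:...">` is deliberately not counted: following it requires a click, so the user has a say, which is not the case for the iframe variant the advisory describes. The threshold is a policy knob; a handful of mailto: images on a contact page should not trip it, fifty identical nntp: frames should.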