lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <007b01cb1aed$21cdd520$010000c0@ml>
Date: Sat, 3 Jul 2010 23:19:34 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <full-disclosure@...ts.grok.org.uk>
Subject: File Download and DoS vulnerabilities in Firefox,
	Internet Explorer, Chrome and Opera

Hello Full-Disclosure!

I want to warn you about File Download and Denial of Service vulnerabilities
in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I
already wrote about DoS vulnerabilities in different browsers via different
protocol handlers. And now I'll tell about research concerned with attacks
via protocols http and ftp which I made already in 2008 and published at
30.06.2010.

-----------------------------
Advisory: File Download and DoS vulnerabilities in Firefox, Internet
Explorer, Chrome and Opera
-----------------------------
URL: http://websecurity.com.ua/4334/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Google Chrome,
Opera. Other browsers can be vulnerable as well.
-----------------------------
Details:

On 18th of September 2008 I found File Download and Denial of Service
vulnerabilities in Firefox, Internet Explorer, Chrome and Opera. This
research I begun after I found in September multiple Automatic File
Download vulnerabilities in Google Chrome, which I wrote in details in the
article Automatic File Download vulnerabilities in browsers
(http://websecurity.com.ua/2438/).

Goal of this research was to create a method of conducting File Download
attacks in different browsers (and DoS attacks via SaveAs functionality).
Which I called SaveAs attack.

And even this attack (file saving) is not going automatically (as it took
place in first versions of Chrome - in more new versions of its browser
Google fixed this vulnerability, after my warnings, and browser asks before
downloading files), but due to persistent showing of the window for file
saving, the user can accidentally press at "Save" and save file. Unlike
Automatic File Download in Chrome, this attack is working in different
browsers (including in new versions of Chrome).

So this method can be used for forced file saving at users' computer. And
also this method can be used for conducting of DoS attacks (via creating of
multiple windows for saving of files). File Download attack can lead to Code
Execution, if user will later open file (malicious), which was saved by him.

These File Download and DoS attacks are conducted via protocols http and
ftp. I set in exploits the files at servers of Google (for http) and
Microsoft (for ftp) - these companies have more server capacities for this
task.

Denial of Service vulnerabilities belong to type
(http://websecurity.com.ua/2550/) blocking DoS and resources consumption
DoS. These two attacks can be conducted as with using JS, as without it (via
creating of a page with large quantity of iframes and in Chrome it's also
possible to use frames).

File Download and DoS:

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit6.html
(http protocol)

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit7.html
(ftp protocol)

Both exploits work in Mozilla Firefox 3.0.19 (and besides previous versions,
it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
Google Chrome 1.0.154.48 and Opera 9.52.

In browsers Firefox, IE6 and Opera occur blocking and overloading of the
system (and Firefox 3.0.1 was crashing). In Chrome occurs
blocking of the browser. But both exploits don't work in IE8.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ