[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
From: MustDie <mustdieplease@xxxxxxxxx>
Date: Fri, 28 May 2010 17:07:11 +0200

On Fri, 28 May 2010 16:02:50 +0300
"MustLive" <mustlive@xxxxxxxxxxxxxxxxxx> wrote:

> Hello Full-Disclosure!
> 
> I want to warn you about security vulnerabilities in different browsers.
> 
> -----------------------------
> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
> Opera
> -----------------------------
> URL: http://websecurity.com.ua/4238/
> -----------------------------
> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
> 8, Google Chrome, Opera.
> -----------------------------
> Timeline:
> 
> 26.05.2010 - found vulnerabilities.
> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
> 27.05.2010 - disclosed at my site.
> -----------------------------
> Details:
> 
> After publication of previous vulnerabilities in different browsers, I
> continued my researches and found many new vulnerabilities in browsers,
> which I called by general name DoS via protocol handlers, to which belonged
> and previous DoS attack via mailto handler.
> 
> Now I'm informing about DoS in different browsers via protocols news and
> nntp. These Denial of Service vulnerabilities belongs to type
> (http://websecurity.com.ua/2550/) blocking DoS and resources consumption
> DoS. These attacks can be conducted as with using JS, as without it (via
> creating of page with large quantity of iframes).
> 
> DoS:
> 
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
> 
> This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides
> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
> 1.0.154.48 and Opera 9.52.
> 
> In all mentioned browsers occurs blocking and overloading of the system from
> starting of Opera, which appeared as news-client at my computer, and IE8
> crashes (at computer without Opera). And in Opera the attack is going
> without blocking, only resources consumption (more slowly then in other
> browsers).
> 
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
> 
> This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and besides
> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
> (6.0.2900.2180) and Opera 9.52.
> 
> In all mentioned browsers occurs blocking and overloading of the system from
> starting of Opera, which appeared as nntp-client at my computer. In IE8 the
> attack didn't work - possibly because that at that computer there was no
> nntp-client, Opera in particular. And in Opera the attack is going without
> blocking, only resources consumption (more slowly then in other browsers).
> 
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Hi,
So, basically, this new vulnerability lies on spawning an infinite/huge amount 
of News Reader processes, right ?
Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited 
pop-ups from Firefox whining about having no news reader setup - no load 
generated, at all.
I hope the Firefox and Opera are taking action as this is a major security 
threat to any IT System.

By the way, I found a similar vunlerability in bash 4.5.1, but this must impact 
other shells as well !
Here you go:

======= NEW UNIVERSAL SHELL EXPLOIT =======
Discovered by MustDie <mustdie@xxxxxxxxxxx> http://www.mustdie.com
See http://www.mustdie.com for more infos !

Proof of concept script :
-------[ BEGINNING OF FILE: 1337hax.sh ]---------
#!/bin/bash
#Hardcore vunl in bash, should impact other shells as well !
#By MustDie <mustdie@xxxxxxxxxxx>
#Don't forget to check out http://www.mustdie.com
#Inspired by MustDie's "researches"
while :; do
        echo "SCALE=1000000000; 4*a(1)" | bc -l&
        echo "0wn3d by 1337 r3s34|2ch3|2"
done
#Check out http://www.mustdie.com
-------[ END OF FILE: 1337hax.sh ]---------

This should bring any system down to its knees !
This is definitely a critical vulnerability in Bash.
One cannot assume that telling bash to compute the first 1000000000 decimals of 
Pi in an infinite forking loop would result in such a thing - that's weird, 
unexpected behavior.
a CVE ID was requested for this issue.

-- MustDie
Senior Lead Expert Security Researcher @ http://www.mustdie.com
Check out http://www.mustdie.com !
More infos on http://www.mustdie.com !

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
  - From: Jan G.B.

References:
- [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
  - From: MustLive

Prev by Date: Re: [Full-disclosure] Websense Enterprise 6.3.3 Policy Bypass
Next by Date: Re: [Full-disclosure] To the police who torment, harass and stalk me.
Previous by thread: [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
Next by thread: Re: [Full-disclosure] DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
Index(es):
- Date
- Thread