Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Firefox 0.92 DoS via TinyBMP
From: David Huecking <d.huecking () gmx net>
Date: Mon, 12 Jul 2004 19:14:02 +0200

Hmm, very funny modified BMPs?!
david () moria:~/tiny> wget -r http://www.4rman.com/exploits/tinybmp.htm
[...]
david () moria:~/tiny/www.4rman.com/exploits> ll
insgesamt 44
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little10.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little2.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little3.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little4.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:04 little5.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little6.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little7.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little8.bmp
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little9.bmp
-rw-r--r--    1 david    users         822 2004-04-07 23:05 tinybmp.htm
david () moria:~/tiny/www.4rman.com/exploits> file *
little.bmp:   PC bitmap data, Windows 3.x format, 1114111 x 202 x 24
little10.bmp: PC bitmap data, Windows 3.x format, 1114111 x 6 x 24
little2.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 121 x 24
little3.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 89 x 24
little4.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 52 x 24
little5.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 40 x 24
little6.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 24 x 24
little7.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 24 x 24
little8.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 6 x 24
little9.bmp:  PC bitmap data, Windows 3.x format, 1114111 x 6 x 24
tinybmp.htm:  HTML document text

Pretty wide/ large Bitmaps in 24Bit color-depth.
OK, and now some mathematics: (only the full MBs)
1114111 * 202 * 3 Byte = 644 MB
1114111 * 6 * 3 Byte   =  19 MB
1114111 * 121 * 3 Byte = 385 MB
1114111 * 89 * 3 Byte  = 283 MB
1114111 * 52 * 3 Byte  = 165 MB
1114111 * 40 * 3 Byte  = 127 MB
1114111 * 24 * 3 Byte  =  76 MB
1114111 * 24 * 3 Byte  =  76 MB
1114111 * 6 * 3 Byte   =  19 MB
1114111 * 6 * 3 Byte   =  19 MB

All in all: 1812 MB. Should be enough to fill the one or other main memory...

Just for fun opened little10.bmp with gimp and saved it as tif:
david () moria:~/tiny/www.4rman.com/exploits> ll -h little10.*
-rw-r--r--    1 david    users          58 2004-04-07 23:05 little10.bmp
-rw-r--r--    1 david    users         20M 2004-07-12 19:12 little10.tif

So we see the true nature of this picture.


On Montag, 12. Juli 2004 13:23, thE_iNviNciblE wrote:
Hi,

there is a security vulnerability in Firebox 0.92 (latest Version)

http://www.4rman.com/exploits/tinybmp.htm

this link causes that your virutal memory will be rise up 1,2 GB used
Memory...

maybe Thunderbird 0.72 is also vulnerable via HTML.

credits to: StupidWhiteMan

-- 
Eat, sleep and go running,
David Huecking.

Encrypted eMail welcome! 
GnuPG/ PGP-Key: 0x57809216. Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault