Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
From: MustDie <mustdieplease () gmail com>
Date: Fri, 28 May 2010 17:07:11 +0200

On Fri, 28 May 2010 16:02:50 +0300
"MustLive" <mustlive () websecurity com ua> wrote:

Hello Full-Disclosure!

I want to warn you about security vulnerabilities in different browsers.

-----------------------------
Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
Opera
-----------------------------
URL: http://websecurity.com.ua/4238/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
8, Google Chrome, Opera.
-----------------------------
Timeline:

26.05.2010 - found vulnerabilities.
26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
27.05.2010 - disclosed at my site.
-----------------------------
Details:

After publication of previous vulnerabilities in different browsers, I
continued my researches and found many new vulnerabilities in browsers,
which I called by general name DoS via protocol handlers, to which belonged
and previous DoS attack via mailto handler.

Now I'm informing about DoS in different browsers via protocols news and
nntp. These Denial of Service vulnerabilities belongs to type
(http://websecurity.com.ua/2550/) blocking DoS and resources consumption
DoS. These attacks can be conducted as with using JS, as without it (via
creating of page with large quantity of iframes).

DoS:

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html

This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides
previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
1.0.154.48 and Opera 9.52.

In all mentioned browsers occurs blocking and overloading of the system from
starting of Opera, which appeared as news-client at my computer, and IE8
crashes (at computer without Opera). And in Opera the attack is going
without blocking, only resources consumption (more slowly then in other
browsers).

http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html

This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and besides
previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
(6.0.2900.2180) and Opera 9.52.

In all mentioned browsers occurs blocking and overloading of the system from
starting of Opera, which appeared as nntp-client at my computer. In IE8 the
attack didn't work - possibly because that at that computer there was no
nntp-client, Opera in particular. And in Opera the attack is going without
blocking, only resources consumption (more slowly then in other browsers).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Hi,
So, basically, this new vulnerability lies on spawning an infinite/huge amount of News Reader processes, right ?
Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited pop-ups from Firefox whining about having no 
news reader setup - no load generated, at all.
I hope the Firefox and Opera are taking action as this is a major security threat to any IT System.

By the way, I found a similar vunlerability in bash 4.5.1, but this must impact other shells as well !
Here you go:

======= NEW UNIVERSAL SHELL EXPLOIT =======
Discovered by MustDie <mustdie () mustdie com> http://www.mustdie.com
See http://www.mustdie.com for more infos !

Proof of concept script :
-------[ BEGINNING OF FILE: 1337hax.sh ]---------
#!/bin/bash
#Hardcore vunl in bash, should impact other shells as well !
#By MustDie <mustdie () mustdie com>
#Don't forget to check out http://www.mustdie.com
#Inspired by MustDie's "researches"
while :; do
        echo "SCALE=1000000000; 4*a(1)" | bc -l&
        echo "0wn3d by 1337 r3s34|2ch3|2"
done
#Check out http://www.mustdie.com
-------[ END OF FILE: 1337hax.sh ]---------

This should bring any system down to its knees !
This is definitely a critical vulnerability in Bash.
One cannot assume that telling bash to compute the first 1000000000 decimals of Pi in an infinite forking loop would 
result in such a thing - that's weird, unexpected behavior.
a CVE ID was requested for this issue.

-- MustDie
Senior Lead Expert Security Researcher @ http://www.mustdie.com
Check out http://www.mustdie.com !
More infos on http://www.mustdie.com !

 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault