Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera

["Jan G.B." <ro0ot.w00t () googlemail com>]

2010/5/28 MustDie <mustdieplease () gmail com>:
> On Fri, 28 May 2010 16:02:50 +0300
> "MustLive" <mustlive () websecurity com ua> wrote:
>
> > Hello Full-Disclosure!
> >
> > I want to warn you about security vulnerabilities in different browsers.
> >
> > -----------------------------
> > Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
> > Opera
> > -----------------------------
> > URL: http://websecurity.com.ua/4238/
> > -----------------------------
> > Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
> > 8, Google Chrome, Opera.
> > -----------------------------
> > Timeline:
> >
> > 26.05.2010 - found vulnerabilities.
> > 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
> > 27.05.2010 - disclosed at my site.
> > -----------------------------
> > Details:
> >
> > After publication of previous vulnerabilities in different browsers, I
> > continued my researches and found many new vulnerabilities in browsers,
> > which I called by general name DoS via protocol handlers, to which belonged
> > and previous DoS attack via mailto handler.
> >
> > Now I'm informing about DoS in different browsers via protocols news and
> > nntp. These Denial of Service vulnerabilities belongs to type
> > (http://websecurity.com.ua/2550/) blocking DoS and resources consumption
> > DoS. These attacks can be conducted as with using JS, as without it (via
> > creating of page with large quantity of iframes).
> >
> > DoS:
> >
> > http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
> >
> > This exploit for news protocol works in Mozilla Firefox 3.0.19 (and besides
> > previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
> > (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
> > 1.0.154.48 and Opera 9.52.
> >
> > In all mentioned browsers occurs blocking and overloading of the system from
> > starting of Opera, which appeared as news-client at my computer, and IE8
> > crashes (at computer without Opera). And in Opera the attack is going
> > without blocking, only resources consumption (more slowly then in other
> > browsers).
> >
> > http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
> >
> > This exploit for nntp protocol works in Mozilla Firefox 3.0.19 (and besides
> > previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
> > (6.0.2900.2180) and Opera 9.52.
> >
> > In all mentioned browsers occurs blocking and overloading of the system from
> > starting of Opera, which appeared as nntp-client at my computer. In IE8 the
> > attack didn't work - possibly because that at that computer there was no
> > nntp-client, Opera in particular. And in Opera the attack is going without
> > blocking, only resources consumption (more slowly then in other browsers).
> >
> > Best wishes & regards,
> > MustLive
> > Administrator of Websecurity web site
> > http://websecurity.com.ua
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi,
> So, basically, this new vulnerability lies on spawning an infinite/huge amount of News Reader processes, right ?
> Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited pop-ups from Firefox whining about having 
> no news reader setup - no load generated, at all.
> I hope the Firefox and Opera are taking action as this is a major security threat to any IT System.
>
> By the way, I found a similar vunlerability in bash 4.5.1, but this must impact other shells as well !
> Here you go:
>
> ======= NEW UNIVERSAL SHELL EXPLOIT =======
> Discovered by MustDie <mustdie () mustdie com> http://www.mustdie.com
> See http://www.mustdie.com for more infos !
>
> Proof of concept script :
> -------[ BEGINNING OF FILE: 1337hax.sh ]---------
> #!/bin/bash
> #Hardcore vunl in bash, should impact other shells as well !
> #By MustDie <mustdie () mustdie com>
> #Don't forget to check out http://www.mustdie.com
> #Inspired by MustDie's "researches"
> while :; do
>        echo "SCALE=1000000000; 4*a(1)" | bc -l&
>        echo "0wn3d by 1337 r3s34|2ch3|2"
> done
> #Check out http://www.mustdie.com
> -------[ END OF FILE: 1337hax.sh ]---------
>
> This should bring any system down to its knees !
> This is definitely a critical vulnerability in Bash.
> One cannot assume that telling bash to compute the first 1000000000 decimals of Pi in an infinite forking loop would 
> result in such a thing - that's weird, unexpected behavior.
> a CVE ID was requested for this issue.
>
> -- MustDie
> Senior Lead Expert Security Researcher

Hi 1337 r3s34|2ch3|2,

Yeah, you're right! Bash should analyse the bash script, given
parameters to programs and alike and then change the amount to a
reasonable value of 100000000 decimals.

Btw - have you yet alerted the world of fork bombs, at all?! We're
waiting in awe.

Regards

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/