Re: DoS vulnerability in Google Chrome

[advisories () intern0t net]

Hello MustLive,


Thanks for your immediate reply. 

I have now tested what you said, cause I suspected that it was only happening because Google Chrome was installed, due 
to FireFox isn't able to know what ``chromehtml:´´ is on its own. (it has to be associated with an application in this 
case).

The following would open a lot of windows, consuming most likely all ressources:
http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit2.html 

FireFox version: FireFox 3.5.2 (Mozilla/5.0 (Windows; U; Windows NT 5.1; da; rv:1.9.1.2) Gecko/20090729 Firefox/3.5.2

Google Chrome versions: 4.0.202.0 && 2.0.172.43 (both tested, the first is the new beta.)

Operating System: Windows XP Pro SP2
Hardware: 1.8ghz (single core) & 1GB ram.

However, I just tested the vulnerability in chrome and the incidents were different. In Google Chrome it appears to 
perform a deadlock of the browser while on FireFox it performs a starvation "attack" by opening a huge amount of 
windows and thereby eventually "killing" all the ram making Windows completely useless (almost).

The only thing I could do was to logout and then log back in. Task Manager was unable to help me even though it was set 
to "Always On Top". If the Task Manager was opened first then I might have had a chance but if it weren't then 4 out of 
5 times the best option would be to logout and then re-login.

I believe this is a kind of functionality bug versus denial of service bug in FireFox which unfortunately is not 
related to the Chrome Bug.

This was tested at my work since I don't have Google chrome installed on my linux installation at home. However I 
believe this can be used / triggered against any other application installed that FireFox knows exists on the target 
operating system. :-)

F.ex. I just tested your script, but with a small modification:
<script>
function DoS() {
        document.location="aim:goim?lol";
        setTimeout(DoS,1);
}
</script>
<body onLoad="DoS()">

Which made FireFox consume from 100mb ram to 250mb in less than 5-7 seconds. (I havent' been able to check how much 
more ressources it might consume if i ran it longer, but it would render my Windows installation at work useless).
This will ONLY work if FireFox does NOT know which program to use.
If FireFox knows the application and thereby wont ask, then the above script would only consume 15-25% of the CPU 
ressources, but no extra ram.

I'm sorry if this has already been reported for FireFox, I just stumbled over it.

If someone decides to make this a DoS vulnerability then I believe some credit (to me) is in order ;-) (I'll post it on 
my own website anyway, giving you credit too of course.)

Internet Explorer 7 version: 7.0.5730.13 will by the way consume up to 70% of the CPU if the same script is run. 
However it will not trigger a DoS condition in IE nor Windows, except if you might have a lot of other heavy programs 
running.



Best regards,
MaXe - Founder of InterN0T
http://www.intern0t.net



Hello MaXe!

Thanks for information.

It's interesting why your Firefox 3.5.2 is vulnerable, because on my
computer only Chrome was vulnerable, and not Firefox 3.0.13 and other
browsers (Mozilla, IE6 and Opera). Yes, I have Chrome installed on the same
system and it does not affect other browsers (not in case of this DoS hole,
not in case of other holes which I found).

Besides, which exploit works in Firefox 3.5.2 in your case? Maybe it's hole
in Firefox 3.5.x. Then it'll be better for you to check it on the system
with Firefox, but without Chrome. In case if it's Cross-Application DoS
(http://websecurity.com.ua/2600/, which you can read on English
http://translate.google.com/translate?hl=en&ie=UTF-8&u=http://websecurity.com.ua
/2600/&sl=uk&tl=en),
and Firefox 3.5.2 is affected via Chrome (you must test it by running
exploit in Firefox 3.5.2 on systems with and without Chrome installed), then
there are things which we need to know. Which browsers (Firefox 3.5.x and
others) are affected, and which versions of Chrome lead to this issue.

Besides, as I was informed recently, Google Chrome 1.0.154.65 is also
vulnerable.

P.S.

Different people have different signatures ;-). It's like: show me your
signature and I'll tell you who you are.

Best wishes & regards,
Eugene Dokukin aka MustLive
Security auditor and security researcher
http://websecurity.com.ua

----- Original Message ----- 
From: <advisories () intern0t net>
To: <bugtraq () securityfocus com>; <mustlive () websecurity com ua>
Sent: Tuesday, August 25, 2009 10:03 AM
Subject: RE: DoS vulnerability in Google Chrome


> Hi MustLive,
>
>
> I can confirm that this consumed most ressources in FireFox 3.5.2 as well.
> I have the newest Google Chrome browser installed which might explain why.
>
>
> Best regards, hopes, peace and love,
> MaXe - Founder of InterN0T - Undergrou...
> http://www.intern0t.net/
>
> PS: The extra long signature doesn't make a difference :-D
>
>
> Hello Bugtraq!
>
> I want to warn you about Denial of Service vulnerability in Google Chrome.
>
> This vulnerability I found already at 26.12.2008. Attack belongs to type
> of
> blocking DoS and DoS via resources consumption
> (http://websecurity.com.ua/2550/).
>
> DoS:
>
> http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit.html
>
> http://websecurity.com.ua/uploads/2009/Google%20Chrome%20DoS%20Exploit2.html
>
> With the first exploit Chrome blocks. With the second exploit Chrome
> blocks,
> at that consumes CPU resources.
>
> Vulnerable version is Google Chrome 1.0.154.48 and previous versions (and
> potentially next versions too).
>
> I mentioned about this vulnerability at my site
> (http://websecurity.com.ua/3435/).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua