Full Disclosure mailing list archives
Re: File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
From: mitchell <mitchell () csc bg>
Date: Sun, 4 Jul 2010 00:23:04 +0300
Hello MustLive! Since I got sick and tired of deleting your messages, I want to warn you about a serious vulnerability that I found recently in your Collections of Fun (Партнер проекту Websecurity.com.ua <http://websecurity.com.ua/> - веб проект mlfun.org.ua): # dig +short mlfun.org.ua 212.111.196.162 # dig +short shop.gps-info.com.ua 212.111.196.162 http://shop.gps-info.com.ua/admin/file_manager.php/login.php Cheers! # m. On Sat, Jul 3, 2010 at 23:19, MustLive <mustlive () websecurity com ua> wrote:
Hello Full-Disclosure! I want to warn you about File Download and Denial of Service vulnerabilities in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I already wrote about DoS vulnerabilities in different browsers via different protocol handlers. And now I'll tell about research concerned with attacks via protocols http and ftp which I made already in 2008 and published at 30.06.2010. ----------------------------- Advisory: File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera ----------------------------- URL: http://websecurity.com.ua/4334/ ----------------------------- Affected products: Mozilla Firefox, Internet Explorer 6, Google Chrome, Opera. Other browsers can be vulnerable as well. ----------------------------- Details: On 18th of September 2008 I found File Download and Denial of Service vulnerabilities in Firefox, Internet Explorer, Chrome and Opera. This research I begun after I found in September multiple Automatic File Download vulnerabilities in Google Chrome, which I wrote in details in the article Automatic File Download vulnerabilities in browsers (http://websecurity.com.ua/2438/). Goal of this research was to create a method of conducting File Download attacks in different browsers (and DoS attacks via SaveAs functionality). Which I called SaveAs attack. And even this attack (file saving) is not going automatically (as it took place in first versions of Chrome - in more new versions of its browser Google fixed this vulnerability, after my warnings, and browser asks before downloading files), but due to persistent showing of the window for file saving, the user can accidentally press at "Save" and save file. Unlike Automatic File Download in Chrome, this attack is working in different browsers (including in new versions of Chrome). So this method can be used for forced file saving at users' computer. And also this method can be used for conducting of DoS attacks (via creating of multiple windows for saving of files). File Download attack can lead to Code Execution, if user will later open file (malicious), which was saved by him. These File Download and DoS attacks are conducted via protocols http and ftp. I set in exploits the files at servers of Google (for http) and Microsoft (for ftp) - these companies have more server capacities for this task. Denial of Service vulnerabilities belong to type (http://websecurity.com.ua/2550/) blocking DoS and resources consumption DoS. These two attacks can be conducted as with using JS, as without it (via creating of a page with large quantity of iframes and in Chrome it's also possible to use frames). File Download and DoS: http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit6.html (http protocol) http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit7.html (ftp protocol) Both exploits work in Mozilla Firefox 3.0.19 (and besides previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Google Chrome 1.0.154.48 and Opera 9.52. In browsers Firefox, IE6 and Opera occur blocking and overloading of the system (and Firefox 3.0.1 was crashing). In Chrome occurs blocking of the browser. But both exploits don't work in IE8. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera MustLive (Jul 03)
- Re: File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera mitchell (Jul 03)