Full Disclosure mailing list archives
Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
From: "Jan G.B." <ro0ot.w00t () googlemail com>
Date: Mon, 31 May 2010 14:41:52 +0200
2010/5/28 MustDie <mustdieplease () gmail com>:
> On Fri, 28 May 2010 16:02:50 +0300 "MustLive" <mustlive () websecurity com ua> wrote:
>
>> Hello Full-Disclosure!
>>
>> I want to warn you about security vulnerabilities in different browsers.
>>
>> -----------------------------
>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
>> -----------------------------
>> URL: http://websecurity.com.ua/4238/
>> -----------------------------
>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer 8, Google Chrome, Opera.
>> -----------------------------
>> Timeline:
>> 26.05.2010 - found vulnerabilities.
>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>> 27.05.2010 - disclosed at my site.
>> -----------------------------
>> Details:
>>
>> After publication of the previous vulnerabilities in different browsers, I continued my research and found many new vulnerabilities in browsers, which I call by the general name "DoS via protocol handlers"; the previous DoS attack via the mailto handler also belongs to this class. Now I am informing you about DoS in different browsers via the news and nntp protocols.
>>
>> These Denial of Service vulnerabilities belong to the types (http://websecurity.com.ua/2550/) blocking DoS and resource consumption DoS. These attacks can be conducted both with JS and without it (by creating a page with a large number of iframes).
>>
>> DoS:
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
>>
>> This exploit for the news protocol works in Mozilla Firefox 3.0.19 (and, besides previous versions, it should work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome 1.0.154.48 and Opera 9.52. In all mentioned browsers, blocking and overloading of the system occurs from the starting of Opera, which is registered as the news client on my computer, and IE8 crashes (on a computer without Opera). In Opera the attack proceeds without blocking, only resource consumption (more slowly than in the other browsers).
>>
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
>>
>> This exploit for the nntp protocol works in Mozilla Firefox 3.0.19 (and, besides previous versions, it should work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180) and Opera 9.52. In all mentioned browsers, blocking and overloading of the system occurs from the starting of Opera, which is registered as the nntp client on my computer. In IE8 the attack did not work, possibly because on that computer there was no nntp client, Opera in particular. In Opera the attack proceeds without blocking, only resource consumption (more slowly than in the other browsers).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi,
>
> So, basically, this new vulnerability lies in spawning an infinite/huge amount of news reader processes, right?
>
> Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited pop-ups from Firefox whining about having no news reader set up - no load generated, at all.
>
> I hope Firefox and Opera are taking action as this is a major security threat to any IT system.
>
> By the way, I found a similar vulnerability in bash 4.5.1, but this must impact other shells as well! Here you go:
>
> ======= NEW UNIVERSAL SHELL EXPLOIT =======
> Discovered by MustDie <mustdie () mustdie com>
> http://www.mustdie.com
> See http://www.mustdie.com for more info!
>
> Proof of concept script:
>
> -------[ BEGINNING OF FILE: 1337hax.sh ]---------
> #!/bin/bash
> #Hardcore vuln in bash, should impact other shells as well !
> #By MustDie <mustdie () mustdie com>
> #Don't forget to check out http://www.mustdie.com
> #Inspired by MustDie's "researches"
> while :; do
>     echo "SCALE=1000000000; 4*a(1)" | bc -l&
>     echo "0wn3d by 1337 r3s34|2ch3|2"
> done
> #Check out http://www.mustdie.com
> -------[ END OF FILE: 1337hax.sh ]---------
>
> This should bring any system down to its knees! This is definitely a critical vulnerability in Bash. One cannot assume that telling bash to compute the first 1000000000 decimals of Pi in an infinite forking loop would result in such a thing - that's weird, unexpected behavior.
>
> A CVE ID was requested for this issue.
>
> --
> MustDie
> Senior Lead Expert Security Researcher
Hi 1337 r3s34|2ch3|2,

Yeah, you're right! Bash should analyse the bash script, the parameters given to programs and the like, and then change the amount to a reasonable value of 100000000 decimals.

Btw - have you yet alerted the world of fork bombs, at all?! We're waiting in awe.

Regards
Current thread:
- DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera MustLive (May 28)
- Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera MustDie (May 30)
- Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera Jan G.B. (May 31)
- Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera Jan G.B. (May 31)
- Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera Jan G.B. (May 31)
- Re: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera MustDie (May 30)