Snort mailing list archives

Re: Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ


From: Y M <snort () outlook com>
Date: Fri, 6 Sep 2013 17:46:29 +0000

Sorry for the noise. OSX 10.6.8 and Safari 5.1.6 also do not crash. I do not have access to a newer OSX at the
moment, but soon I should. Attached is the pcap captured from the OSX 10.6.8.
Thanks.

To: jthoel () gmail com; l0rdch0de1m0rt () gmail com
From: snort () outlook com
Date: Fri, 6 Sep 2013 20:30:58 +0300
CC: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Working on a pcap capture right now. On an older mac, with Safari 5.0.6, nothing crashes on me; however, I need to
verify that I meet the vulnerability conditions. I will test on a newer mac.

From: Jeremy Hoel
Sent: 9/6/2013 8:15 PM
To: L0rd Ch0de1m0rt
Cc: Y M; snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

On the list of ET rules, this is also listed as a reference:

http://zhovner.com/tmp/killwebkit.html

On Fri, Sep 6, 2013 at 5:02 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello, Y M. Thank you very much for the input. Sorry for not including this link:

http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

It isn't a tool causing this, just a mishandling by Webkit of this string. I am not fully understanding why (probably related more to how Webkit handles the characters/bytes rather than what they actually represent).

I'm not sure if and how the bytes need to be in a certain order. For example:

̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

^^ will that cause an issue?

or:

سمَـَّوُوُح

Or does it have to be the full thing:

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Thanks.

Lord C.

On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort () outlook com> wrote:

Can you provide more information on the DOS? What tool is generating this? And against what? Any reference or pcap?

The text is in Arabic, though it contains some malformed Arabic characters. The top level characters are used to control pronunciation of words. Again, some of them are malformed. And some of them are wrongly used, if I am reading it right (see below).

I am not sure if it is a coincidence, but the word

سمَّوُ

means highness; but the top level character in the middle is mistakenly used in the context of the word. The other word:

امارتي

means Emirati; translated as an Emirate citizen. Although the word is spelled wrong based on the official written Arabic language, I have seen people writing it this way.

Some other letters are valid but their construction as a word does not mean anything, such as و، ح، خ

The rest are symbols not used/related to Arabic.

Hope this helps. Maybe if there is more information I can help better.

Thanks.

________________________________
From: L0rd Ch0de1m0rt
Sent: 9/6/2013 7:34 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Hello. Whoops, I accidentally sent the last email early (still getting used to the new GMAIL interface and hit the wrong keyboard combination for my new keyboard layout). Anyway, here is the string:

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Does anyone know why this happens and what other combinations or sub-strings can be used to exploit this? I ask so that we can make a SNORT rule for it. From my reading this is DoS and no RCE or BO that is known of.

Thanks.

Lord C.

On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> wrote:

Hello. I saw something recently that showed that this Arabic string can DoS Webkit programs:

------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org

Please visit http://blog.snort.org for the latest news about Snort!

Attachment: bug.pcap
Description:
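The thread asks two things: what in the posted string is malformed, and how to turn it into a Snort rule. The Python script below is an added example for this archive page, not code from the list, from Snort, or from any project referenced in the thread. It walks the posted string code point by code point (so the Arabic harakat that Y M describes as pronunciation marks can be told apart from the overlay marks that are not Arabic at all), counts combining marks that sit on a space rather than a letter, and renders the UTF-8 bytes as a Snort `content` hex match wrapped in a local-range rule. The string is copied from the thread as posted; the function names, the SID, the rule header and the choice of `flow`/`fast_pattern` modifiers are my assumptions.

```python
"""Inspect the Webkit DoS string from the thread and derive a Snort byte match.

Added example, not from the mailing list or any cited project. Assumes the
string below is as posted in the thread and uses the Snort 2 'content'
hex syntax (bytes between pipes inside the quotes).
"""
import unicodedata

# Copied from the thread as posted (extraction may have altered it slightly).
DOS_STRING = "سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ"

ARABIC_BLOCK = range(0x0600, 0x0700)  # Unicode Arabic block (U+0600..U+06FF)


def describe_codepoints(text):
    """Return one (codepoint, general category, name) tuple per code point.

    Category 'Mn' (nonspacing mark) covers both Arabic harakat such as
    fatha/damma/shadda and the non-Arabic overlay marks in the string.
    """
    return [
        (f"U+{ord(ch):04X}", unicodedata.category(ch),
         unicodedata.name(ch, "<unnamed>"))
        for ch in text
    ]


def foreign_marks(text):
    """Combining marks that are not from the Arabic block.

    These are the 'symbols not used/related to Arabic' the thread points
    out; listing them shows which marks sit outside the Arabic script.
    """
    return [ch for ch in text
            if unicodedata.category(ch).startswith("M")
            and ord(ch) not in ARABIC_BLOCK]


def marks_after_space(text):
    """Count combining marks that follow a space rather than a letter.

    A mark attached to a space is a defect in its own right and is a cheap
    heuristic (assumed here, not taken from the thread) for flagging such
    text in telemetry; review its hits, since ordinary text can contain
    stray marks too.
    """
    return sum(1 for prev, ch in zip(text, text[1:])
               if prev == " " and unicodedata.category(ch).startswith("M"))


def snort_content_hex(text, encoding="utf-8"):
    """Encode text and render it as a Snort content hex block, e.g. |D8 B3 ...|."""
    raw = text.encode(encoding)
    return "|" + " ".join(f"{b:02X}" for b in raw) + "|"


def snort_rule(text, sid=1000001):
    """Build one alert rule for HTTP responses carrying the exact byte string.

    The SID is from the local range (>= 1000000); the header and modifiers
    are an assumed, conventional layout for a Snort 2 rule.
    """
    return (
        'alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any ('
        'msg:"LOCAL Webkit Arabic string DoS attempt"; '
        'flow:to_client,established; '
        f'content:"{snort_content_hex(text)}"; fast_pattern; '
        f'classtype:attempted-dos; sid:{sid}; rev:1;)'
    )


if __name__ == "__main__":
    for cp, cat, name in describe_codepoints(DOS_STRING):
        print(cp, cat, name)
    print("non-Arabic marks:",
          [f"U+{ord(c):04X}" for c in foreign_marks(DOS_STRING)])
    print("marks attached to a space:", marks_after_space(DOS_STRING))
    print(snort_rule(DOS_STRING))
```

A content match on the full byte string is deliberately narrow: the thread does not establish which substrings trigger the crash, so the rule should not be widened by guessing. The Unicode listing answers the thread's other question directly, since it shows exactly which code points are Arabic letters, which are harakat, and which are overlay marks from the Combining Diacritical Marks block. If the posted string was altered in transit, regenerate the hex from a copy taken out of the attached pcap rather than from this page.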
