Microsoft Windows image rendering DoS vuln

[Luis Alberto Cortes Zavala <napa () hackersoft net>]

Mmm i don`t know,  i test it and my pc crashed, it looks that get all my windows virtual memory, and any key didn´t 
works fine, so I have to make “button reboot”. If someone knows how to make something with the flaw I hope comments..

 

 I seen source code, for me looks that ypu have to put a lot of src, to get it works, I will continue testing that.

 

 

Ok everyone, someone sent me a copy of the site which was the link that was originally sent with the vulnerability. 
Looking closer, it seems that it may not be that the extremely large height and width properties of the image in a site 
is what is causing the crash. However, I have not had time to test it out, I will in a little bit, I need to finish a 
few things.

 

Here is the full page source (it's in the attachment). This is what I was talking about though. Notice this in the page 
source:

 

<code>

<!--

// Cache-busting LUBID bug.

var ran = Math.round(Math.random() * 899999) + 100000; var lubid_string = "<img 
src=\"http://hb.lycos.com/header?VID=6105&LHIG=1&ord="; + ran + "\"

height=\"1\" width=\"1\">";

document.write(lubid_string);

//-->

&lt;/script&gt;

</code>

 

The site also has this:

 

<code>

 

<img src="http://home.comcast.net/~squaresoft0/internet.jpg"; height="9999999" width= "9999999"><br /><img 
src="http://home.comcast.net/~squaresoft0/internet.jpg"; height="

9999999" width="9999999">

 

</code>

 

Now, I will try setting up a site with just that code, and then a site with both, and see what happens.

 

I only briefly looked at the page source, so there may be more. Tell me what you guys find.

 

Jesse Morgan wrote:

 

> Yes, it was SP2. My values were at 50000000 or something similar. I 

> also created a 50000x50000 gif and tried that, still no luck.

> Unfortunately I didn't get my hands on the code.

> Also a friend's system rebooted after a bsod (he has an ATI video card 

> and I have on-board video on a laptop)

>

> patrick wrote:

>

> > Hmm, don't think so, though, you said it crashed your computer... was 

> > it XP SP2? It sounds like it later in your email but I'm not sure... 

> > it's quite interesting. Possibly his site had a different code than 

> > the one you and I set up? He didn't go into much detail about the 

> > code except that the "height" and "width" properties should be an enourmous amount.

> > Did you by any chance get the page source or no?

>

> > Jesse Morgan wrote:

>

>

> > > His site was up when I got the email and it did crash my computer.

> > > Livejorunal locked his account a few hours later.

> > > I too tried creating the exploit myself a few days later (windows xp

> > > sp2) and it failed to work. Maybe Microsoft somehow got a patch 

> > > installed without us knowing?

> > >

> > > patrick wrote:

> > >

> > >

> > > > Andrew wrote:

> > >

> > >

> > > > >               Alpha-Pi-Omicron Pi-Alpha-Nu-Tau-Omicron-C?

> > > > >  Kappa-Alpha-Kappa-Omicron-Delta-Alpha-Iota-Mu-Omicron-Nu-Omicron-C?

> > > > > __    ___  __ _____         _       _        

> > > > > ___                       _ _

> > > > > / /   /___\/ // _  /   /\  /(_) __ _| |__     / __\___  _   _ _ __  

> > > > > ___(_) |

> > > > > / /   //  // / \// /   / /_/ / |/ _` | '_ \   / /  / _ \| | | | '_ \ /

> > > > > __| | |

> > > > > / /___/ \_// /___/ //\ / __  /| | (_| | | | | / /__| (_) | |_| | | 

> > > > > | | (__| | | \____/\___/\____/____/ \/ /_/ |_|\__, |_| |_| 

> > > > > \____/\___/ \__,_|_|

> > > > > |_|\___|_|_|

> > > > >                            

> > > > > |___/                                        

> > > > > Overview

> > > > >

> > > > > There exists a vulnerabilility in the way Microsoft Windows 

> > > > > handles the rendering of images. By resizing an image with html 

> > > > > properties to an extremely large size an attacker may perform a 

> > > > > very quick and effective denial of service attack upon a victim.

> > > > >

> > > > >

> > > > > I. Description and PoC

> > > > >

> > > > > Only clients running Internet Explorer, Firefox, or Avant in 

> > > > > Windows 2k or XP have been confirmed to be vulnerable. Opera does 

> > > > > it's own image rendering and is not ulnerable to this method of 

> > > > > attack. The status of Longhorn is not known. Other operating 

> > > > > systems, including Mac OS X and Linux are not vulnerable.

> > > > >

> > > > > You may point your browser to this URL to see a live demonstration 

> > > > > of this attack:

> > > > >

> > > > > http://www.livejournal.com/users/deeplolz

> > > > >

> > > > > This may cause an instant reboot or bluescreen detailing a problem 

> > > > > with your video drivers. Other possibilities include an extended 

> > > > > period of poor performance until next reboot, a short to medium 

> > > > > period of nonfunctionality or a crash of the browser.

> > > > >

> > > > >

> > > > > II. Impact

> > > > >

> > > > > Because this attack can be performed anywhere an img src is 

> > > > > allowed, there are many forums including blogs, messageboards, and 

> > > > > others which are vulnerable. It is hopeful that Microsoft will 

> > > > > release a patch for this attack as

> > >

> > > soon as

> > >

> > > > > possible.

> > > > >

> > > > >

> > > > > III. Solution

> > > > >

> > > > > Until a patch is released you are advised to use the Opera web 

> > > > > browser. It might also be possible to write a script for the 

> > > > > Firefox "GreaseMonkey"

> > > > > extension which

> > > > > performs a workaround for this attack. Such as setting height and 

> > > > > width of images to 5000 pixels if they are currently set to render 

> > > > > at over 5000.

> > > > >

> > > > >

> > > > > Very special shouts: Girlvinyl, Hepkitten, Confkids, and 

> > > > > Frienditto (Come back!!!

> > > > > We need you badly, FD!)

> > > > >

> > > > > Shouts:

> > > > > LJD, LJ-Zeera, Encyclopedia Dramatica, Lulz News Network, Project 

> > > > > Mayhem, Amalea, Wednesday Night Karate Explosion, The Gundanium 

> > > > > Alloys Manufacturers Association, Richmond Flash Mob Society, 

> > > > > RVA_BS, RVA_FYAD, Brad Fitzpatrick, Mena Trott, SALJ, The 

> > > > > International Department of Internet Security, #telconinjas, 

> > > > > undernet #drugs, The Kadaitcha Dancers, psychotic vegans, Warren 

> > > > > Ellis, and pro-ana preteen girls.

> > > > >

> > > > Hmm, a few things.

> > >

> > > > 1) That site is down. Has been down ever since I got this email.

> > > > 2) I created a site with this HTML code:

> > >

> > > > /././././././././././././

> > >

> > > > <html>

> > > > <body>

> > > > <p>If you are using IE, YOU SUCK! Just kidding.<br> If you're in 

> > > > Window$ though, this should crash your puter<br> or give you a 

> > > > BSOD. HAVE FUN BUDDY! MUA HA HA!</p>

> > >

> > > > <img src="http://thepcelement.com/hardware/neowinscreenie.jpg";

> > > > height="9999999999999999999999999999999999999999999999999991"

> > > > width="999999999999999999999999999999999999999999999999999999999999

> > > > 999991">

> > >

> > > > </body>

> > > > </html>

> > >

> > > > /./././././././././././

> > >

> > > > Yet no crash, this was on my Dad's PC running Window$ XP, no SP2, 

> > > > Firefox and Internet Exploder, the image was all white, no slowdown 

> > > > or anything.

> > >

> > > > Can you tell me what I'm doing wrong and give me the source to that

> page

> > > > you had up as a live demonstration? I'm interested to see more 

> > > > about this vulnerability.

> > >

> > > > Thanks for posting, have a nice day,