Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers

["MustLive" <mustlive () websecurity com ua>]

Hello John!

Now I'll answer on your letter. Because you've wrote many letters and every
of them have questions which need to be answered, so I'd answer on all
questions in few letters. It's good that Vladimir helped me (thanks to him)
with clarifying of these vulnerabilities for readers of the list, but I need
to give additional explanations. Also I'll point on some important things
for all readers of the list.

First of all, readers of both Bugtraq and Full-disclosure must understand,
that if you had no questions to my first advisory (from this series of
advisories (I posted three already) of vulnerabilities in browsers,
which belong to group of DoS via protocol handlers), then there must be no
questions for next advisories. Otherwise it'll be double standards (not
moaning on 1st advisory and moaning on 2nd and 3rd ones) and as I already
wrote to the lists, double standards are bad and better to not use them.

Second, I repeat one more time :-), that there can be also made attack
without using JS (as I mentioned in all my advisories). And yesterday I
posted my new advisory, where I published pure-iframe (without JS) version
of exploit for firefoxurl protocol, and also added link to exploit in my
previous advisory (where I wrote about attack via firefoxurl URL).

DoS:

http://websecurity.com.ua/uploads/2010/IE,%20OE%20&%20Outlook%20DoS%20Exploit.html

> In  case  of  this  very vulnerability, most serious impact may be from
> e-mail vector.

This is important note by Vladimir. And about attacks from e-mail vector I
wrote separate advisory (published yesterday, as I mentioned above). And
soon I'll post it to security mailing lists.

> as site's that is allowing the rogue scripts

Don't worry about how bad guys will be placing of JS code or page with
iframes at web site for this attack - it'll be their own problem. And if
they want they will do it. And after they placed attacking code (JS or HTML)
on target-site, then it'll be already a problem of users of this site (which
will can not work with it) and admin of the site (which in addition to
problems with working with the site, also will left without visitors on his
site). There are always vulnerabilities on different sites which can be used
for this attack. And also e-mail vector mentioned by Vladimir can be used.

> Its called the "infinite loop".

As I mentioned bellow - for many years some of browsers can protect from
this issue. But even them do it badly and I all the time develop new
exploits which bypassed this protection. And all browsers (if they called
themselves as secure) must protect against this attack. Also remember, in
any affected browser only one infinite loop will lead only to resource
consumption (mostly small one), but in many of my exploits I'm talking about
crashing, blocking or very high resource consumption.

> Here's the simplified JS version of it (lets call it the Universal DoS --
> yes, it'd work for every browser on the planet that can execute JS) -

John, you was left almost on two years.

In September and October 2008 I made such projects as Day of bugs in Google
Chrome, Day of bugs in browsers, Day of bugs in browsers 2: reloaded (where
I released many different vulnerabilities in browsers, including DoS). And
in October 2008, for project Day of bugs in browsers 2, I released exploits
for blocking DoS with alertbox which affect many browsers ;-) (which you
mentioned in your letter). As you can found it in my post DoS in Firefox,
Internet Explorer and Google Chrome (http://websecurity.com.ua/2575/).

I showed three variants of this attack, to show possibilities of bypassing
browsers protection. This variant of exploit is not universal DoS - because
it doesn't work in all browsers. If you, John, didn't know, so I'll tell
you, that already in 2008 there were browsers which can block such attacks.
So your statement "it'd work for every browser on the planet" is incorrect
already for two years. And in my post I published three exploits for such
DoS attack and the third one bypassed Google Chrome's protection (versions
0.2.149.30 and 0.3.154.9 at that time). But Opera 9.52 was not affected at
all. So Opera was most secure browser for this particular attack :-).

During 2008-2010 I released a lot of different exploits of blocking DoS and
other types of DoS for different browsers. And I posted about these holes to
SecurityVulns (http://securityvulns.com/source15611.html).

> Workaround:
> None very intuitive. Maybe allow the user to terminate the script at every
> iteration? specific time period? etc...

There are workarounds for already two years for this attack. First - use
secure browser (like Opera for this particular case). Second - allow users
to stop executing scripts at the page, as Firefox and Chrome support, but
in October 2008 Firefox failed in this case, but Chrome could stop the
script. But I made different versions of exploit, one of which bypassed
Chrome's protection. So the first workaround is more reliable one.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message ----- 
From: "John Smith" <at-x () live com>
To: "Vladimir '3APA3A' Dubrovin" <3APA3A () SECURITY NNOV RU>
Cc: "MustLive" <mustlive () websecurity com ua>; "Susan Bradley"
<sbradcpa () pacbell net>; <bugtraq () securityfocus com>
Sent: Friday, May 28, 2010 10:55 PM
Subject: Re: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer,
Chrome, Opera and other browsers


> Point taken. But that'd be a non-issue on the browser's end as much as
> site's that is allowing the rogue scripts (or malformed ads, as per your
> example).
> The fork of this mail thread clearly explains what I'm talking about. The
> issue noted there is a simple DoS attack which every programming language
> and platform is vulnerable too. Its called the "infinite loop". It is not
> a 'security vulnerability' by itself and is completely agnostic of the uri
> handler (try http or anything instead of nntp).
>
> Here's the simplified JS version of it (lets call it the Universal DoS --
> yes, it'd work for every browser on the planet that can execute JS) -
>
> <script>
> while(1)alert('hello world');
> </script>
>
> Done!
>
> Workaround:
> None very intuitive. Maybe allow the user to terminate the script at every
> iteration? specific time period? etc...
>
> --------------------------------------------------
> From: "Vladimir '3APA3A' Dubrovin" <3APA3A () SECURITY NNOV RU>
> Sent: Friday, May 28, 2010 11:47 PM
> To: "John Smith" <at-x () live com>
> Cc: "MustLive" <mustlive () websecurity com ua>; "Susan Bradley"
> <sbradcpa () pacbell net>; <bugtraq () securityfocus com>
> Subject: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome,
> Opera and other browsers
>
> > Dear John Smith,
> >
> > Actually,  browser DoS may be quite serious vulnerability, depending on
> > nature  of  DoS.  Think  about e.g. banner or content exchange network,
> > social  networks,  web  boards,  etc where browser vulnerability may be
> > used  against  site  or  page because it will harm any visitors of this
> > site or page.
> >
> > In  case  of  this  very vulnerability, most serious impact may be from
> > e-mail vector.
> >
> > --Friday, May 28, 2010, 7:07:50 PM, you wrote to
> > mustlive () websecurity com ua:
> >
> > JS> Just a few cents - DoS in webbrowsers doesn't fall under the category
> > of
> > JS> "vulnerabilities" rather more of "annoyances". Although I don't deny
> > the
> > JS> fact that certain DoS attacks *may lead* or *may serve as hints* to
> > other
> > JS> more serious exploits, but that's a different topic and with ASLR in
> > the
> > JS> scene, a very grey area of discussion.
> >
> >
> >
> > --
> > Skype: Vladimir.Dubrovin
> > ~/ZARAZA http://securityvulns.com/
> > Стреляя во второй раз, он искалечил постороннего. Посторонним был я.
> > (Твен)