Bugtraq mailing list archives
Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
From: "MustLive" <mustlive () websecurity com ua>
Date: Thu, 3 Jun 2010 23:12:52 +0300
Hello John! Now I'll answer on your letter. Because you've wrote many letters and every of them have questions which need to be answered, so I'd answer on all questions in few letters. It's good that Vladimir helped me (thanks to him) with clarifying of these vulnerabilities for readers of the list, but I need to give additional explanations. Also I'll point on some important things for all readers of the list. First of all, readers of both Bugtraq and Full-disclosure must understand, that if you had no questions to my first advisory (from this series of advisories (I posted three already) of vulnerabilities in browsers, which belong to group of DoS via protocol handlers), then there must be no questions for next advisories. Otherwise it'll be double standards (not moaning on 1st advisory and moaning on 2nd and 3rd ones) and as I already wrote to the lists, double standards are bad and better to not use them. Second, I repeat one more time :-), that there can be also made attack without using JS (as I mentioned in all my advisories). And yesterday I posted my new advisory, where I published pure-iframe (without JS) version of exploit for firefoxurl protocol, and also added link to exploit in my previous advisory (where I wrote about attack via firefoxurl URL). DoS: http://websecurity.com.ua/uploads/2010/IE,%20OE%20&%20Outlook%20DoS%20Exploit.html
In case of this very vulnerability, most serious impact may be from e-mail vector.
This is important note by Vladimir. And about attacks from e-mail vector I wrote separate advisory (published yesterday, as I mentioned above). And soon I'll post it to security mailing lists.
as site's that is allowing the rogue scripts
Don't worry about how bad guys will be placing of JS code or page with iframes at web site for this attack - it'll be their own problem. And if they want they will do it. And after they placed attacking code (JS or HTML) on target-site, then it'll be already a problem of users of this site (which will can not work with it) and admin of the site (which in addition to problems with working with the site, also will left without visitors on his site). There are always vulnerabilities on different sites which can be used for this attack. And also e-mail vector mentioned by Vladimir can be used.
Its called the "infinite loop".
As I mentioned bellow - for many years some of browsers can protect from this issue. But even them do it badly and I all the time develop new exploits which bypassed this protection. And all browsers (if they called themselves as secure) must protect against this attack. Also remember, in any affected browser only one infinite loop will lead only to resource consumption (mostly small one), but in many of my exploits I'm talking about crashing, blocking or very high resource consumption.
Here's the simplified JS version of it (lets call it the Universal DoS -- yes, it'd work for every browser on the planet that can execute JS) -
John, you was left almost on two years. In September and October 2008 I made such projects as Day of bugs in Google Chrome, Day of bugs in browsers, Day of bugs in browsers 2: reloaded (where I released many different vulnerabilities in browsers, including DoS). And in October 2008, for project Day of bugs in browsers 2, I released exploits for blocking DoS with alertbox which affect many browsers ;-) (which you mentioned in your letter). As you can found it in my post DoS in Firefox, Internet Explorer and Google Chrome (http://websecurity.com.ua/2575/). I showed three variants of this attack, to show possibilities of bypassing browsers protection. This variant of exploit is not universal DoS - because it doesn't work in all browsers. If you, John, didn't know, so I'll tell you, that already in 2008 there were browsers which can block such attacks. So your statement "it'd work for every browser on the planet" is incorrect already for two years. And in my post I published three exploits for such DoS attack and the third one bypassed Google Chrome's protection (versions 0.2.149.30 and 0.3.154.9 at that time). But Opera 9.52 was not affected at all. So Opera was most secure browser for this particular attack :-). During 2008-2010 I released a lot of different exploits of blocking DoS and other types of DoS for different browsers. And I posted about these holes to SecurityVulns (http://securityvulns.com/source15611.html).
Workaround: None very intuitive. Maybe allow the user to terminate the script at every iteration? specific time period? etc...
There are workarounds for already two years for this attack. First - use secure browser (like Opera for this particular case). Second - allow users to stop executing scripts at the page, as Firefox and Chrome support, but in October 2008 Firefox failed in this case, but Chrome could stop the script. But I made different versions of exploit, one of which bypassed Chrome's protection. So the first workaround is more reliable one. Best wishes & regards, MustLive Administrator of Websecurity web site http://websecurity.com.ua----- Original Message ----- From: "John Smith" <at-x () live com>
To: "Vladimir '3APA3A' Dubrovin" <3APA3A () SECURITY NNOV RU> Cc: "MustLive" <mustlive () websecurity com ua>; "Susan Bradley" <sbradcpa () pacbell net>; <bugtraq () securityfocus com> Sent: Friday, May 28, 2010 10:55 PM Subject: Re: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers
Point taken. But that'd be a non-issue on the browser's end as much as site's that is allowing the rogue scripts (or malformed ads, as per your example). The fork of this mail thread clearly explains what I'm talking about. The issue noted there is a simple DoS attack which every programming language and platform is vulnerable too. Its called the "infinite loop". It is not a 'security vulnerability' by itself and is completely agnostic of the uri handler (try http or anything instead of nntp). Here's the simplified JS version of it (lets call it the Universal DoS -- yes, it'd work for every browser on the planet that can execute JS) - <script> while(1)alert('hello world'); </script> Done! Workaround: None very intuitive. Maybe allow the user to terminate the script at every iteration? specific time period? etc... -------------------------------------------------- From: "Vladimir '3APA3A' Dubrovin" <3APA3A () SECURITY NNOV RU> Sent: Friday, May 28, 2010 11:47 PM To: "John Smith" <at-x () live com> Cc: "MustLive" <mustlive () websecurity com ua>; "Susan Bradley" <sbradcpa () pacbell net>; <bugtraq () securityfocus com> Subject: Re[2]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsersDear John Smith, Actually, browser DoS may be quite serious vulnerability, depending on nature of DoS. Think about e.g. banner or content exchange network, social networks, web boards, etc where browser vulnerability may be used against site or page because it will harm any visitors of this site or page. In case of this very vulnerability, most serious impact may be from e-mail vector. --Friday, May 28, 2010, 7:07:50 PM, you wrote to mustlive () websecurity com ua: JS> Just a few cents - DoS in webbrowsers doesn't fall under the category of JS> "vulnerabilities" rather more of "annoyances". Although I don't deny the JS> fact that certain DoS attacks *may lead* or *may serve as hints* to other JS> more serious exploits, but that's a different topic and with ASLR in the JS> scene, a very grey area of discussion. -- Skype: Vladimir.Dubrovin ~/ZARAZA http://securityvulns.com/ Стреляя во второй раз, он искалечил постороннего. Посторонним был я. (Твен)
Current thread:
- Re[3]: DoS vulnerabilities in Firefox, Internet Explorer, Chrome, Opera and other browsers MustLive (Jun 04)