Snort mailing list archives
Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 6 Sep 2013 13:02:06 -0400
Hello. Y M. Thank you very much for the input. Sorry for not including this link: http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/ It isn't a tool causing this, just a mis-handling by Webkit of this string. I am not fully understanding why (probably related more to how the Webkit handles the characters/bytes rather than what they actually represents). I'm not sure if and how the bytes need to be in a certain order. For example: ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ ^^ will that cause an issue? or: سمَـَّوُوُح Or does it have to be the full thing: سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Thanks. Lord C. On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort () outlook com> wrote:
Can you provide more information on the DOS? What tool is generating this? And against what? Any reference or pcap? The text is in Arabic, though its contains some malformed Arabic characters. The top level characters are used to control pronunciation of words. Again, some of them are malformed. And some of them are wrongly used; if I am reading it write (see below). I am not sure if it is a coincidence, but the word سمَّوُ Means highness; but the top level character in the middle is mistakenly used in the context of the word. The other word: امارتي Means Emirati; translated as an Emirate citizen. Although the word spelled wrong based on the official written Arabic language - I have seen people writing it this way. Some other letters are valid but their construction as a word does not mean anything such و، ح، خ The rest are symbols not used/related to Arabic. Hope this helps. May be if there is more information I can help better. Thanks. ------------------------------ From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com> Sent: 9/6/2013 7:34 PM To: snort-sigs () lists sourceforge net Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Hello. Whoops, I accidentily sent the last email early (still getting used to the new GMAIL interface and hit the wrong key-board combination for my new key-board layout). Anyway, here is the string: سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Does anyone know why this happens and what other combination or sub-strings can be used to exploit this? I ask so that we can make a SNORT rule for it. From my reading this is DoS and no RCE or BO that is known of. Thanks. Lord C. On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail comwrote:Hello. I saw something recently that showed that this Arabic string can DoS Webkit programs:
------------------------------------------------------------------------------ Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more! Discover the easy way to master current and previous Microsoft technologies and advance your career. Get an incredible 1,500+ hours of step-by-step tutorial videos with LearnDevNow. Subscribe today and save! http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs http://www.snort.org Please visit http://blog.snort.org for the latest news about Snort!
Current thread:
- Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ L0rd Ch0de1m0rt (Sep 06)
- Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ L0rd Ch0de1m0rt (Sep 06)
- Re: Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Joel Esler (Sep 06)
- <Possible follow-ups>
- Re: Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Y M (Sep 06)
- Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ L0rd Ch0de1m0rt (Sep 06)
- Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ L0rd Ch0de1m0rt (Sep 06)
- Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Jeremy Hoel (Sep 06)
- Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ L0rd Ch0de1m0rt (Sep 06)
- Re: Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ Y M (Sep 06)
- Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ L0rd Ch0de1m0rt (Sep 06)