Snort mailing list archives

Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ


From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Date: Fri, 6 Sep 2013 13:02:06 -0400

Hello. Y M.  Thank you very much for the input.  Sorry for not including
this link:

http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

It isn't a tool causing this, just a mis-handling by Webkit of this
string.  I am not fully understanding why (probably related more to how the
Webkit handles the characters/bytes rather than what they actually
represents).

I'm not sure if and how the bytes need to be in a certain order.  For
example:

̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

^^ will that cause an issue?

or:

سمَـَّوُوُح

Or does it have to be the full thing:

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Thanks.

Lord C.


On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort () outlook com> wrote:

 Can you provide more information on the DOS? What tool is generating
this? And against what? Any reference or pcap?

The text is in Arabic, though its contains some malformed Arabic
characters. The top level characters are used to control pronunciation of
words. Again, some of them are malformed. And some of them are wrongly
used; if I am reading it write (see below).

I am not sure if it is a coincidence, but the word
سمَّوُ
 Means highness; but the top level character in the middle is mistakenly
used in the context of the word. The other word:
امارتي
 Means Emirati; translated as an Emirate citizen. Although the word
spelled wrong based on the official written Arabic language - I have seen
people writing it this way.

Some other letters are valid but their construction as a word does not
mean anything such و، ح، خ

The rest are symbols not used/related to Arabic.

Hope this helps. May be if there is more information I can help better.

Thanks.

  ------------------------------
From: L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com>
Sent: ‎9/‎6/‎2013 7:34 PM
To: snort-sigs () lists sourceforge net
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
امارتيخ ̷̴̐خ

   Hello.  Whoops, I accidentily sent the last email early (still getting
used to the new GMAIL interface and hit the wrong key-board combination for
my new key-board layout).  Anyway, here is the string:

 سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ


 Does anyone know why this happens and what other combination or
sub-strings can be used to exploit this? I ask so that we can make a SNORT
rule for it.  From my reading this is DoS and no RCE or BO that is known of.

 Thanks.

 Lord C.


On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt () gmail com
wrote:

Hello.  I saw something recently that showed that this Arabic string can
DoS Webkit programs:



------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
_______________________________________________
Snort-sigs mailing list
Snort-sigs () lists sourceforge net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!

Current thread: