Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Rendering large binary file as HTML makes Mozilla Firefox stop respondin

from [Peter Kruse] Network Security [Permanent Link]
Subject: Rendering large binary file as HTML makes Mozilla Firefox stop responding
Date: Tue, 26 Oct 2004 20:21:53 +0200 
Rendering large binary file as HTML makes Mozilla Firefox stop responding

Summary
Mozilla Firefox, Web-browser and a strong alternativ to Internet Explorer.
The Mozilla Firefox shippes with several bugs, making it possible to hang
the browser, eat up virtual memory, simply by hosting a binary renamed as
html, on a remote website.

Details
Internet Explorer, and other browsers, verifies the content of filetypes
before opening in the browser (I'm not saying this is the best behaviour).
Based on the content of the file, it decides what application should be used
to open/view the content of the file. This is, by design, not the case with
Mozilla based browsers. A malicious website can host a large chunck of data,
spoofed as a html file that Mozilla will display within the browser window.
Thereby effectively causing a crash on systems visiting the website.

You can choose any file from your harddisk larger than 5MB, rename it as a
html file, upload it to a remote website, or simply open it directly from
your local harddrive. The result is the same: Mozilla will stop responding,
showing a lot of binary garbage (clearly understandable), before the user is
forced to either end the application or reboot the system.

In several test scenarios the system force feed all virtual memory causing
the system to become unstable. However, this all depends on the size of the
file viewed by the browser. To avoid the user from being suspicious while
the file loads and garbage is showed in the browser window you can format
the website in such a way that garbage won't show. This way the browser will
show a blank page until it crashes and the system becomes unstable. When
viewed, the browser will load the binary without the users knowledge. The
fact that this bug can be trigged by sending the same file with 1024 ASCII
characters pre-pended makes exploitation trivial. This is not sorely related
to trivial memory consumption. Mozilla Firefox will crash long before.

Impact
Low-Medium: This is a remote DoS in Mozilla Firefox. There are several other
ways to crash the browser.

This behavior was confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1;
rv:1.7.3) Gecko/20040913 Firefox/0.10, but my guess is that all versions of
Mozilla introduce the problem.

Solution
Awaiting fix

Affected Products
Mozilla/5.0 Gecko/20040913 Firefox/0.10 and prior

A small PoC can be found at this URL. Please note that the PoC is simply a
binary renamed to html. No masquarading, no hiding.
http://www.csis.dk/sp3.html

Mozilla will usally stop responding after approx 20 seconds.

---
Med venlig hilsen // Kind regards

Peter Kruse,
Security- and virusanalyst,
Combined Services and Integrated Solutions
http://www.csis.dk
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • Rendering large binary file as HTML makes Mozilla Firefox stop responding, Peter Kruse <=
Previous by Date:  zgv image viewing heap overflows, infamous41md
Next by Date:  Re: Update: Web browsers - a mini-farce (MSIE gives in), Valdis . Kletnieks
Previous by Thread:  zgv image viewing heap overflows, infamous41md
Next by Thread:  debian dhcpd, old format string bug, infamous41md
Indexes:  [Date] [Thread] [Top] [All Lists]