Re: [Full-disclosure] Internet Explorer Crash
On Wed, 18 Apr 2007 [EMAIL PROTECTED] wrote:

> So - other than "it has already burned more than N seconds of CPU", what
> test do you propose to make?

"It has already consumed N megabytes of memory."

This condition is superfluous from a purely theoretical POV because a
program running for N units of time cannot consume more than N units of
memory (*) but this upper bound is too loose for most programs doing any
useful work.

(*) Or less than log_2(N) units of memory unless it is going to 1. read
more inputs from the outer world or 2. loop forever.

--Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
"Resistance is futile. Open your source code and prepare for assimilation."

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Internet Explorer Crash
ActionScript is a crappy language, it's used in Flash movies. Since it was
created to be used by web designers, there are lots of failsafe devices,
including an infinite loop detector. No more than 100.000 iterations, as I
remember.

Of course real programmers hated the thing, it created lots of weird bugs,
because if you can't trust your loops... terrorists win ;)

On Sat, 21 Apr 2007 13:23:10 +0200 (CEST) Pavel Kankovsky
[EMAIL PROTECTED] wrote:

PK> On Wed, 18 Apr 2007 [EMAIL PROTECTED] wrote:
PK>
PK> > So - other than "it has already burned more than N seconds of CPU", what
PK> > test do you propose to make?
PK>
PK> "It has already consumed N megabytes of memory."
PK>
PK> This condition is superfluous from a purely theoretical POV because a
PK> program running for N units of time cannot consume more than N units of
PK> memory (*) but this upper bound is too loose for most programs doing any
PK> useful work.
PK>
PK> (*) Or less than log_2(N) units of memory unless it is going to 1. read
PK> more inputs from the outer world or 2. loop forever.
PK>
PK> --Pavel Kankovsky aka Peak  [ Boycott Microsoft--http://www.vcnet.com/bms ]
PK> "Resistance is futile. Open your source code and prepare for assimilation."

- 
Carlos Cardoso
http://www.carloscardoso.com == semi-personal blog
http://www.contraditorium.com == ProBlogging and digital culture
"You lost today, kid. But that doesn't mean you have to like it"
Re: [Full-disclosure] Internet Explorer Crash
This also works under Konqueror. There should be an implementation on ALL
browsers that a loop so large is unacceptable and refuse to even run it.
There is no viable reason for a client-side to run a loop through so many
iterations.

This DoS technique could be abused and iframes with the code could be
embedded within popular websites, effectively causing a denial of service
to that specific site.

On Tuesday 17 April 2007 13:09, J. Oquendo wrote:
> Product: Internet Explorer Version 7.0.5730.11
> Impact: Browser crash possibly more
> Author: Jesus Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
>
> I. BACKGROUND
> Why bother? Who doesn't know what Internet Explorer and Microsoft are.
>
> II. DESCRIPTION
> IE 7 is vulnerable to a script which causes the browser to hang. The
> memory and CPU usage go through the roof. Originally the script caused
> (and still causes) Safari and Konqueror to crash.
>
> III SOLUTION
> Stop using Microsoft products or deal with a new advisory every other day.
>
> IV. Proof
> http://www.infiltrated.net/stupidInternetExploder.html
>
> V. Code
> $ more /stupidInternetExploder.html
> <script>
> var reg = /(.)*/;
> var z = 'Z';
> while (z.length <= 999 999 999 999 999 999 999 999 999) z+=z;
> var boum = reg.exec(z);
> </script>
>
> Goodbye
>
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
> "The happiness of society is the end of government." John Adams
Re: [Full-disclosure] Internet Explorer Crash
On Wed, 18 Apr 2007 12:31:57 EDT, Kradorex Xeron said:

> There should be an implementation on ALL browsers that a loop so large
> is unacceptable and refuse to even run it. There is no viable reason for
> a client-side to run a loop through so many iterations.

There's this thing called the Turing Halting Problem. :)

The problem is that it's *really* hard to *programmatically* look at a loop
like that, and say "That's going to loop 'too long'" (for some fuzzy
definition of 'too long'). Take that same code, and change the comparison
to 'while (z.length < 3)'. Does that loop too long? How about '< 8'?
(Keep in mind that to check this *from within*, it needs to have the
knowledge that z is the loop control, which it has, and that z.length is
approximately log10(z), and that some value of log10(z) is too much.

And once you've coded all that knowledge, the attacker just changes the
test to this:

    while (foo(z) == TRUE) (...

and foo(z) is defined as:

    boolean foo(int z) {
        static a = 0;
        if (isprime(z)) a++;
        if (a > 100) return FALSE;
        return TRUE;
    }

Bonus points for defining isprime() as Sieve of Eratosthenes rather than
some higher-performance primality check like Rabin-Miller or similar. Or
maybe not - Sieve is probably simple enough that you can special-case it,
better methods have more obscure internals. And we're *trying* to burn CPU
- so maybe Sieve of Eratosthenes' less clever brother is called for
(iterate 1 to N, rather than 1 to sqrt(N)) :)

So - other than "it has already burned more than N seconds of CPU", what
test do you propose to make? And what do you do if the site is some
Javascript-driven interface to a corporate application that the user is
expected to be in all day, and it's *legitimate* to burn lots more than N
seconds during an 8-hour day? (Hint - "trusted site" is probably not the
greatest way to phrase that sort of check... ;)
Re: [Full-disclosure] Internet Explorer Crash
> There should be an implementation on ALL browsers that a loop so large
> is unacceptable and refuse to even run it. There is no viable reason for
> a client-side to run a loop through so many iterations.

It's an unsolvable problem in computer science: a program (the browser)
cannot calculate exactly how long another program (the script) will
execute except by executing it... thus running at least as long as the
latter. Proven mathematically, inescapable fact.

The PoC at hand only demonstrates the easiest case, but there are
infinitely more possible ones. The only safe way out is a timeout, like
Internet Explorer (or PHP on the server side) implements.
Re: [Full-disclosure] Internet Explorer Crash
Dear carl hardwick,

Both Firefox 2.0.0.3 and IE 6.0.2900.2180 resisted (Firefox stops loading
page after 500MB of memory, IE warns about script slowing down
performance). It's a simple memory bomb, probably you are vulnerable
because you have <= 512 MB of RAM.

--Tuesday, April 17, 2007, 10:56:14 PM, you wrote to
full-disclosure@lists.grok.org.uk:

ch> Mozilla Firefox 2.0.0.3 is also vulnerable

-- 
~/ZARAZA
http://securityvulns.com/
Re: [Full-disclosure] Internet Explorer Crash
Also works on Mozilla Firefox 2.0.3. After opening the page CPU goes to
80% but the browser doesn't crash :) You just have to close the tab (it
takes a minute) and everything goes back to normal :)

Regards
Michal.

On 4/17/07, Nikolay Kichukov [EMAIL PROTECTED] wrote:
> Also works on IE 6.0.2800
>
> -nik
>
> - Original Message -
> From: J. Oquendo [EMAIL PROTECTED]
> To: full-disclosure full-disclosure@lists.grok.org.uk
> Sent: Tuesday, April 17, 2007 8:09 PM
> Subject: [Full-disclosure] Internet Explorer Crash
Re: [Full-disclosure] Internet Explorer Crash
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have confirmed that both Adobe Photoshop 7.0 and 7.1 are vulnerable to
this issue. However all versions of Paint Shop Pro that I tested are not
vulnerable. I repeat, Paint Shop Pro is not vulnerable to this issue.

Ubuntu is not vulnerable to this issue in any way.

Good find buddy!

- - Dr. Neal Krawetz, PhD
http://www.hackerfactor.com/blog/

On Tue, 17 Apr 2007 13:09:50 -0400 J. Oquendo [EMAIL PROTECTED] wrote:
> Product: Internet Explorer Version 7.0.5730.11
> Impact: Browser crash possibly more
> Author: Jesus Oquendo echo @infiltrated|sed 's/^/sil/g;s/$/.net/g'
>
> I. BACKGROUND
> Why bother? Who doesn't know what Internet Explorer and Microsoft are.
>
> II. DESCRIPTION
> IE 7 is vulnerable to a script which causes the browser to hang. The
> memory and CPU usage go through the roof. Originally the script caused
> (and still causes) Safari and Konqueror to crash.
>
> III SOLUTION
> Stop using Microsoft products or deal with a new advisory every other day.
>
> IV. Proof
> http://www.infiltrated.net/stupidInternetExploder.html
>
> V. Code
> $ more /stupidInternetExploder.html
> <script>
> var reg = /(.)*/;
> var z = 'Z';
> while (z.length <= 999 999 999 999 999 999 999 999 999) z+=z;
> var boum = reg.exec(z);
> </script>
>
> Goodbye
>
> J. Oquendo
> http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x1383A743
> sil . infiltrated @ net http://www.infiltrated.net
> "The happiness of society is the end of government." John Adams

-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.5

wpwEAQECAAYFAkYlQWQACgkQDpFP8dW5K4Z/bQQAhmwJc2y9RBZ7nFAEWo4Q/aIpvwVj
7Xa+Ax+CUSe1O+hINFX5I+hLoPckPNVoC3YtPA7rQqT6dQ3xIubFgZAGFs62v7p936yi
p4esv/frDaklOmlEGjVZqcoxJATwj8HBPthO3YZk5D1HRJhkQ0J72ucEkBgK6tw/YeuL
dUoEASE=
=FbVw
-----END PGP SIGNATURE-----
Re: [Full-disclosure] Internet Explorer Crash
On 4/17/07, J. Oquendo [EMAIL PROTECTED] wrote:
> III SOLUTION
> Stop using Microsoft products or deal with a new advisory every other day.

As the replies have shown, this isn't limited to IE7. It happens in
Firefox too, so your solution won't work. :)

In this particular case, IE7 actually handles the loop better than
Firefox. First, I had to actively tell IE, "Yes, I want to run the
script." After a short time, IE came up with a prompt asking if I want to
continue running the script because it's causing my system to be slowed
down. Memory usage shot up about 200 MiB. As soon as I clicked No on the
dialog, everything was back to normal.

With Firefox, I had to close the tab manually, which wasn't exactly easy
to do since Firefox was barely responding. In fact, my entire system had
slowed down since Firefox was eating up about 700 MiB of memory, which
pushed me into heavy virtual memory usage. It didn't DoS me. It stopped
me from visiting other web pages for about a minute, but I recovered
without having to restart my system.

The rest of my system was completely usable while IE attempted to run the
script, though that may not have been true with a single core system.
There was no crash, and memory usage, while high, was reasonable.

-- 
Troy