On Fri, 28 May 2010 16:02:50 +0300 "MustLive" <[email protected]> wrote:
> Hello Full-Disclosure!
>
> I want to warn you about security vulnerabilities in different browsers.
>
> -----------------------------
> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
> Opera
> -----------------------------
> URL: http://websecurity.com.ua/4238/
> -----------------------------
> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
> 8, Google Chrome, Opera.
> -----------------------------
> Timeline:
>
> 26.05.2010 - found vulnerabilities.
> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
> 27.05.2010 - disclosed at my site.
> -----------------------------
> Details:
>
> After publication of previous vulnerabilities in different browsers, I
> continued my research and found many new vulnerabilities in browsers,
> which I called by the general name "DoS via protocol handlers", to which
> the previous DoS attack via the mailto handler also belongs.
>
> Now I'm informing about DoS in different browsers via the news and nntp
> protocols. These Denial of Service vulnerabilities belong to the types
> (http://websecurity.com.ua/2550/) blocking DoS and resource consumption
> DoS. These attacks can be conducted both with JS and without it (by
> creating a page with a large quantity of iframes).
>
> DoS:
>
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
>
> This exploit for the news protocol works in Mozilla Firefox 3.0.19 (and
> besides previous versions, it must work in 3.5.x and 3.6.x), Internet
> Explorer 6 (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google
> Chrome 1.0.154.48 and Opera 9.52.
>
> In all mentioned browsers, blocking and overloading of the system occurs
> from the starting of Opera, which appeared as the news client on my
> computer, and IE8 crashes (on a computer without Opera). And in Opera the
> attack goes without blocking, only resource consumption (more slowly than
> in other browsers).
>
> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
>
> This exploit for the nntp protocol works in Mozilla Firefox 3.0.19 (and
> besides previous versions, it must work in 3.5.x and 3.6.x), Internet
> Explorer 6 (6.0.2900.2180) and Opera 9.52.
>
> In all mentioned browsers, blocking and overloading of the system occurs
> from the starting of Opera, which appeared as the nntp client on my
> computer. In IE8 the attack didn't work - possibly because on that
> computer there was no nntp client, Opera in particular. And in Opera the
> attack goes without blocking, only resource consumption (more slowly than
> in other browsers).
>
> Best wishes & regards,
> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

Hi,

So, basically, this new vulnerability lies in spawning an infinite/huge
amount of News Reader processes, right?

Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited
pop-ups from Firefox whining about having no news reader set up - no load
generated, at all.

I hope Firefox and Opera are taking action as this is a major security
threat to any IT System.

By the way, I found a similar vulnerability in bash 4.5.1, but this must
impact other shells as well!

Here you go:

======= NEW UNIVERSAL SHELL EXPLOIT =======

Discovered by MustDie <[email protected]>
http://www.mustdie.com

See http://www.mustdie.com for more info!

Proof of concept script:

-------[ BEGINNING OF FILE: 1337hax.sh ]---------
#!/bin/bash
# Hardcore vuln in bash, should impact other shells as well!
# By MustDie <[email protected]>
# Don't forget to check out http://www.mustdie.com
# Inspired by MustDie's "researches"

# Fork one backgrounded bc per iteration, forever: each child computes
# pi (4*atan(1)) to a billion digits, and the loop never waits for any of them.
# (bc variable names are lowercase, so the precision variable is "scale".)
while :; do
    echo "scale=1000000000; 4*a(1)" | bc -l &
    echo "0wn3d by 1337 r3s34|2ch3|2"
done
# Check out http://www.mustdie.com
-------[ END OF FILE: 1337hax.sh ]---------

This should bring any system down to its knees!

This is definitely a critical vulnerability in Bash. One cannot assume that
telling bash to compute the first 1000000000 decimals of Pi in an infinite
forking loop would result in such a thing - that's weird, unexpected
behavior.

A CVE ID was requested for this issue.

--
MustDie
Senior Lead Expert Security Researcher @ http://www.mustdie.com
Check out http://www.mustdie.com!
More info on http://www.mustdie.com!
