2010/5/28 MustDie <[email protected]>:
> On Fri, 28 May 2010 16:02:50 +0300
> "MustLive" <[email protected]> wrote:
>
>> Hello Full-Disclosure!
>>
>> I want to warn you about security vulnerabilities in different browsers.
>>
>> -----------------------------
>> Advisory: DoS vulnerabilities in Firefox, Internet Explorer, Chrome and
>> Opera
>> -----------------------------
>> URL: http://websecurity.com.ua/4238/
>> -----------------------------
>> Affected products: Mozilla Firefox, Internet Explorer 6, Internet Explorer
>> 8, Google Chrome, Opera.
>> -----------------------------
>> Timeline:
>>
>> 26.05.2010 - found vulnerabilities.
>> 26.05.2010 - informed developers: Mozilla, Microsoft, Google and Opera.
>> 27.05.2010 - disclosed at my site.
>> -----------------------------
>> Details:
>>
>> After publication of previous vulnerabilities in different browsers, I
>> continued my research and found many new vulnerabilities in browsers,
>> which I called by the general name DoS via protocol handlers, to which
>> the previous DoS attack via the mailto handler also belonged.
>>
>> Now I'm informing about DoS in different browsers via the protocols news and
>> nntp. These Denial of Service vulnerabilities belong to the types
>> (http://websecurity.com.ua/2550/) blocking DoS and resource consumption
>> DoS. These attacks can be conducted both with JS and without it (via
>> creating a page with a large quantity of iframes).
>>
>> DoS:
>>
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit2.html
>>
>> This exploit for the news protocol works in Mozilla Firefox 3.0.19 (and besides
>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>> (6.0.2900.2180), Internet Explorer 8 (8.0.7600.16385), Google Chrome
>> 1.0.154.48 and Opera 9.52.
>>
>> In all mentioned browsers, blocking and overloading of the system occurs from
>> the starting of Opera, which appeared as the news client on my computer, and IE8
>> crashes (on a computer without Opera). And in Opera the attack goes on
>> without blocking, only resource consumption (more slowly than in other
>> browsers).
>>
>> http://websecurity.com.ua/uploads/2010/Firefox,%20IE%20&%20Opera%20DoS%20Exploit.html
>>
>> This exploit for the nntp protocol works in Mozilla Firefox 3.0.19 (and besides
>> previous versions, it must work in 3.5.x and 3.6.x), Internet Explorer 6
>> (6.0.2900.2180) and Opera 9.52.
>>
>> In all mentioned browsers, blocking and overloading of the system occurs from
>> the starting of Opera, which appeared as the nntp client on my computer. In IE8 the
>> attack didn't work - possibly because on that computer there was no
>> nntp client, Opera in particular. And in Opera the attack goes on without
>> blocking, only resource consumption (more slowly than in other browsers).
>>
>> Best wishes & regards,
>> MustLive
>> Administrator of Websecurity web site
>> http://websecurity.com.ua
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
> Hi,
> So, basically, this new vulnerability lies in spawning an infinite/huge
> amount of News Reader processes, right?
> Tested (both provided POC links) on Firefox 3.5.8, ended up with unlimited
> pop-ups from Firefox whining about having no news reader set up - no load
> generated, at all.
> I hope Firefox and Opera are taking action as this is a major security
> threat to any IT System.
>
> By the way, I found a similar vulnerability in bash 4.5.1, but this must
> impact other shells as well!
> Here you go:
>
> ======= NEW UNIVERSAL SHELL EXPLOIT =======
> Discovered by MustDie <[email protected]> http://www.mustdie.com
> See http://www.mustdie.com for more info!
>
> Proof of concept script:
> -------[ BEGINNING OF FILE: 1337hax.sh ]---------
> #!/bin/bash
> #Hardcore vuln in bash, should impact other shells as well !
> #By MustDie <[email protected]>
> #Don't forget to check out http://www.mustdie.com
> #Inspired by MustDie's "researches"
> while :; do
>     echo "SCALE=1000000000; 4*a(1)" | bc -l&
>     echo "0wn3d by 1337 r3s34|2ch3|2"
> done
> #Check out http://www.mustdie.com
> -------[ END OF FILE: 1337hax.sh ]---------
>
> This should bring any system down to its knees!
> This is definitely a critical vulnerability in Bash.
> One cannot assume that telling bash to compute the first 1000000000 decimals
> of Pi in an infinite forking loop would result in such a thing - that's
> weird, unexpected behavior.
> A CVE ID was requested for this issue.
>
> -- MustDie
> Senior Lead Expert Security Researcher

Hi 1337 r3s34|2ch3|2,

Yeah, you're right! Bash should analyse the bash script, given parameters to programs and alike, and then change the amount to a reasonable value of 100000000 decimals.

Btw - have you yet alerted the world of fork bombs, at all?! We're waiting in awe.

Regards
