Mozilla Firefox 1.0.7 DoS Exploit

An anonymous reader writes "Whitedust Security are reporting on a new exploit for Firefox which apparently affects all versions of the browser from 1.0.7 down. From the article: "If this exploit has made it out into, or indeed been retrieved from the wild is unknown at this time. However it is clear that this exploit will indeed need patching as soon as possible.""

totally off guard

[Tufriast]

I checked out the Mozilla site -- not a peep about it. I made a post there. I figure this one totally right hooked them. It's a pretty massive crash. Just makes the whole browser lock up. At least I know they'll fix it fast though...I think in 24 hours we'll see a turn around. Anyone try this with version 1.5?

Thunderbird also vunerable

[Big Nothing]

Mozilla Thunderbird 1.0.6 is also vunerable.

Re:totally off guard

[tbspit]

Version 1.5 is not affected.

Re:Brilliant header!

[Hey Pope Felcher . .]

. . . RTFA,

milw0rm.com have released proof of concept code for a denial of service exploit which apparently affects all versions of the Mozilla Foundations popular Firefox browser from version 1.0.7 downward.

Remember, on Slashdot always read the article, it is generally only a coincidence if the summary has any bearing on the actual linked text.

Re:is this NOT an OLD version

[pbranes]

1.5 is beta, dude. 1.0.7 is the latest final release of firefox. 1.0.7 is like 1 month old.

Tested the exploit

[jurt1235]

And after I clicked on it, nothing happened, the browser just said: mozilla

Apparently firfox 1.0.7 on linux is not affected. So not all versions of firefox are affected.
Advisory: Install linux, then restart your browser and have fun.

Re:Nomenclature...

[arkanes]

A Denial of Service attack denies you access to a service. It doesn't have to crash your box, or take it off the network. Anything that will hang or crash or flood a service (applications are services) is a DOS. They've been called that since before kiddies found out about pingflooding.

Re:totally off guard

[Anonymous Coward]

while I am sure firefox team will have this fixed soon, it will not help the majority of people, The majority of users to my sites that use firefox are still 1.05 or below. heck I even see 1.0 in my stats, if users aren't updating then mozilla security is failing. yes you can all argue it is users responsibility, but lets face the majority of users are dumb. updating needs to be made easier or firefox is doomed to be just another ie.

Exploit

[Anonymous Coward]

The exploit is:

<html><body><strong>Mozilla<sourcetext></body></ht ml>

and it also makes Mozilla suite 1.7.12 hang.

The sourcetext tag is used when a parser error occurs; the Mozilla DOMParser will accept any string and always returns a valid XML DOM object, but in the case that the string was malformed, it returns something like this:

<parsererror xmlns="http://www.w3.org/1999/xhtml">XML Parsing Error: mismatched tag. Expected: </strong>. Location: file:///1253.html Line Number 3, Column 37:<sourcetext> (text here) </sourcetext></parsererror>

which you may have seen formatted before in a nice red-on-yellow page.

Re:Brilliant header!

[ShadowFlyP]

TFA actually says that it affects 1.0.7 and everything downward. Running 1.0.7 here myself and the test exploit worked: locked Firefox right up.

PoC Code *is* in the wild

[OverlordQ]

Despite the article summary if you click through and read it you'd find that there is code out there.

Danger Will Robinson test your firefox [thedarkcitadel.com] Danger Will Robinson

Re:Brilliant header!

[FidelCatsro]

By fixing the article summary I imagine .
The patch seems to have been in the full article since conception , but apparently it hadn't passed down the line .
these exploits are dangerous as many Slashdoters refuse to update their knowledge by reading the full article and not just the summary

But...

[supersocialist]

...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

Who cares?

[brunes69]

So clicking on a link can lock up the browser. So what?

How is this any different from this, which effectively locks up *all* current browsers?

<script>
while(true){
alert('Haha!');
}
<script>

This is hardly important. I don't see any way this can crash my machine or infect me with a trojan.

PS if you want a fix for the above vote for bug 61098] at bugzilla [mozilla.org].

Re:Brilliant header!

[LnxAddct]

Regardless, this exploit doesn't effect 1.5, it's in beta but technically the explot is already fixed... just needs to be back ported:)
Regards,
Steve

Re:Not too big a deal

[sqlrob]

Look at the source. It's an unclosed tag, so it's likely an infinite loop.

Secunia says "Not Critical"

[Mini-Geek]

assuming the Secunia Advisory [secunia.com] is referring to the same vulnerability linked to in the /. article, its Critical level is the lowest, Not Critical

Re:Nomenclature...

[m50d]

A browser that can be crashed is a very bad thing, but suggesting this is some sort of "Denial Of Service" attack, is just semantics. It doesn't crash the box, and it doesn't flood/break the network. Every other service on your machine runs as normal. That's not a Denial Of Service by the usual definition of the term.

Yes it is. If you did exactly the same thing to, say, apache or proftpd or mysql - don't crash the box, don't break the network, every other service runs normal - it would be a DoS. Calling this attack a DoS provides some very important information - it doesn't allow execution of arbitrary code, just locks up the browser. The only thing that's possibly unusual here is applying the term to a client rather than a server program, but a DoS is absolutely the correct term.

Re:Tested the exploit

[Stevyn]

I'm running firefox 1.0.7 on gentoo and it froze up. top showed 99% cpu usage just before I killed it. I also tried it on my ubuntu box with firefox 1.0.7 and it froze too. So it seems it's affecting firefox running on linux machines

Re:Not too big a deal

[Mattwolf7]

I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

Re:Who cares?

[m50d]

How is this any different from this, which effectively locks up *all* current browsers?

It doesn't lock up links (which has a lovely "kill script" button on any javascript dialog) and I'm told opera will let you simply close the tab.

Re:But...

[Pneuma ROCKS]

...it shows an "update" icon, which updates when clicked. How much easier could it be without hijacking your system to do it for you?

Although I agree that it's pretty trivial to update Firefox, some users don't notice the icon, or don't recognize what it does. If they RTFM or just hovered over it they would, but many don't. Another con is the fact that you have to download the full Firefox installer and run it all over again. That is not very friendly.

Thankfully, the Mozilla folks have recognized this and have improved the update system significantly on the upcoming Firefox 1.5. The update system downloads a patch, not the full installer, and installs it on the background. Then it just notifies the user that the new version will be installed when he restarts the browser. That way even the average Joe can stay updated.

Re:Brilliant header!

[Anonymous Coward]

Parent , GP , GGP are not trolls . The summary was changed without note .

Re:Not too big a deal

[Kimos]

No crashes for me either using 1.0.7 on MS Win at work. I'll check Ubuntu at home. The pages are mostly a bunch of garbage inserted into HTML tags. I assume it just strips it out as nonsense.

Someone was saying that you could crash by calling a 1,000,000x1,000,000 table. There must be some safeguards in browsers to protect against that kind of thing aside from failed memory allocation from the OS, otherwise it would be simple to bring a system to its knees (not that it's really that hard already).

Re:How come...

[Politburo]

This always gets modded up and is INCORRECT. IE has the same privileges as the user that ran it. The main problem is that ActiveX allows any code to be run on the machine at the user's privileges instead of a sandbox.

Re:Brilliant header!

[DrSkwid]

Crashing can often be an indicator of a buffer overflow, it's just that the return address you crashed it with doesn't keep it running. Once an appropriate set of overflow values is deduced that leads to an exploit.

One of the approaches to finding buffer overflows in Closed Source software is to do pump loads of data into the inputs until the app crashes, then work backwards by constructing a payload to see if one can get it to jump somewhere known.

Re:Not too big a deal

[Anthracks]

None of them fazes 1.5 beta builds either as far as I can tell, at least on Windows 2000 here at work. No trouble at all loading any of those pages.

Re:Exploit

[kavin]

sounds like my bug (supposedly fixed in mozilla 1.8a4).

i found and reported the browser specific elements "parsererror" and "sourcetext" in september 2004: see mozbug 210658.

bugzilla.mozilla.org/show_bug.cgi?id=210658

you can see the browser specific elements in a source diff:

bonsai.mozilla.org/cvsview2.cgi?diff_mode=context& whitespace_mode=show&file=nsHTMLTags.cpp&branch=&r oot=/cvsroot&subdir=mozilla/parser/htmlparser/src& command=DIFF_FRAMESET&rev1=1.46&rev2=1.47

sadly, i don't believe this fix has been backported to firefox 1.0x.

- p

--
ps. my previous /. report on same:
http://it.slashdot.org/comments.pl?sid=68828&cid=6 295508 [slashdot.org]

Re:Brilliant header!

[NickFitz]

<pedantry>
Well, strictly speaking, unless 1.5 has been explicitly modified with the intention of fixing this exploit, it's just that it doesn't work on 1.5. It's entirely possible that a change in 1.5 has prevented the exploit from working but, as it wasn't done as a fix, a further change in 1.5.n (or 1.n where n > 5) will allow the exploit to work again. In other words, there may be no fix to back port.
</pedantry>

Re:Not too big a deal

[confuted]

None of them affected Firefox version 1.0.7 on Windows XP with SP2 here at work - they didn't even do so much as slow it down. Do those pages actually crash anybody's browser?

Re:Not too big a deal

[Blkdeath]

I followed your "Kill Your Browser" link clicked on everything. And this is the same window that was supposed to be killed... I dunno but those must be Windows specific, I am running Gentoo with FF 1.0.7

If you follow the README [steve.org.uk] URL, you'll notice that the bugs referenced were confirmed agianst 1.0.4 and older, but are all fixed in 1.0.7.

Try to keep the suppositions about Windows bugs to yourself unless you have even some inkling of understanding of the situation. It makes us all look bad.

Re:totally off guard

[mrgavins]

Maybe because it's already fixed? Maybe because it's hardly a security issue? This is bugzilla bug 210658 [mozilla.org], it was filed in 2003, and fixed for 1.5 15 months later.

RTFA

[einhverfr]

Ok, you might be a troll, or flamebait, but it is worth a response...

This discussion is not any different than it would be if it was about IE. There are always those saying "no big deal" about IE security flaws, and plenty of people screaming blood on this conversation. Maybe the balance is slightly altered because so many of us have been burned by IE though....

Having said that.... This is no big deal. Even TFA says "This is not an advisory, just a comment" indicating that the authors don't think it is a big deal either.

Re:The operative word is "attack".

[SuperJason]

If I set up a bear trap to get you, and you step into it, it is an attack. Same thing with laying landmines to stop advancing troops. I guess it's debateable, but I think it's an attack if it's a trap that you are unaware of, and that someone set up to "attack" you.

Re:Nomenclature...

[gowen]

i) Web browsing isn't a server process, it's a client process.
ii) You can kill the browser and go to another web page. Hell, you can just start another instance of the web browser. Which must take all of three nanoseconds.

If you prevent login, or send a SYN flood that prevents http connections, you can't just restart the appropriate service. If you really can't see why causing a client to crash is different from preventing a server from functioning, I suggest you look in some elementary computer science textbooks.

I don't have time any more time to explain the basics to fools.

Whitedust and DoS

[thetoastman]

This hardly counts as a DoS [wikipedia.org] attack in its traditional meaning. However it is an annoying bug. I am glad to read that it has been addressed in the latest beta.

What follows is probably an ad hominem [wikipedia.org] attack. Moderate accordingly.

I decided to spend a little time on the Whitedust [whitedust.net] site. The site is advertised as "The Leading Independent Security News Portal".

The site is run by a group of former crackers. Of course one has to wonder about their cracking, security, and business skills when:

• They advertise their many connections within the underground hacker scene
• They leave the administrative link to their PHP web site in the footer of every page
• Their business writing would fail my mom's 7th grade remedial English class

In short this web site has no redeeming value.