Closed Bug 298034 Opened 19 years ago Closed 19 years ago

CRITICAL EXPLOIT: Malformed IMG tag can cause operating system STOP error.

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

Tracking
VERIFIED DUPLICATE of bug 289864

People

(Reporter: CoJaBo-Bugzilla, Unassigned)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

The tag "<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />" can
cause the video device driver to hang, causing a STOP(Blue Screen of Death) error.
This has been tested on Win XP home using Firefox 1.0.1;
and on Win XP home using Firefox 1.0.3, Firefox 1.0.4, and Internet Explorer
(latest version).
The exploit is way too easy to use, as it only requires an unsuspecting victim
to visit the page.
This can be accomplished either by posting the link somewhere or,
like what happened to me, cracking the homepage of a website (for example my
website) and replacing it with a page that redirects to the exploit.

Reproducible: Always

Steps to Reproduce:
*WARNING* following the steps results in an operating system crash, be sure to
SAVE ALL DATA before continuing! The complete URL to the file was not included
to prevent any accidents, follow the steps below to get to the page.
This is the page that the redirect that was put on my website led me to.
1. Go to "http://www.scene.org:8080/redhound/"
2. Click "crash.html"

Actual Results:  
The system froze for several seconds, then displayed a STOP error.

Expected Results:  
There should be a reasonable size limit on the size of images to prevent this
from happening.
Firefox should have displayed the image at a reasonable maximum size.

This should also be reported to makers of other browsers, as it works on IE, and
probably works on other browsers.
This has also been reported to Symantec.
*WARNING* this results in an operating system crash, be sure to SAVE ALL DATA
before continuing! The file crash.html has been renamed to crash.txt, rename it
back to crash.html to test it.
The image file is, as far as I know, harmless. It is the IMG tag that causes
the crash.
This trick is making the rounds. It's fixed in the Deer Park Alpha 1 release.

*** This bug has been marked as a duplicate of 289864 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
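The report's "Expected Results" asks for a sane ceiling on declared image dimensions. The example below is added here and is not code from the report, from Firefox, or from the fix in bug 289864 (which this page does not describe): it scans HTML for `<img>` tags whose `width`/`height` attributes would demand an unreasonable surface, computes the byte count such a tag would request (using BigInt, since 9999999 x 9999999 x 4 overflows a 32-bit integer), and clamps the dimensions to a per-axis and total-pixel budget. The `LIMITS` values and all function names are assumptions chosen for illustration; the sample HTML is constructed from the tag quoted in the report.

```javascript
// Added example, not from the bug report or from Firefox: detect and clamp
// oversized <img> dimensions before they reach a rendering/graphics stack.
// All limits below are assumptions for illustration.
const LIMITS = {
  maxDimension: 16384,          // assumed per-axis cap
  maxPixels: 16384 * 16384,     // assumed area cap: 1 GiB at 4 bytes/pixel
  bytesPerPixel: 4,
};

// Parse an HTML dimension attribute the way browsers do: leading digits are
// used, trailing junk ("200px") is ignored, non-numeric means "unset".
function parseDimension(value) {
  if (value === undefined || value === null) return null;
  const m = /^\s*(\d+)/.exec(String(value));
  return m ? Number(m[1]) : null;
}

// Surface size in bytes; BigInt so a huge width*height*bpp cannot silently
// wrap the way a 32-bit multiplication in a driver or allocator would.
function surfaceBytes(width, height, bytesPerPixel = LIMITS.bytesPerPixel) {
  return BigInt(width) * BigInt(height) * BigInt(bytesPerPixel);
}

// Clamp declared dimensions to the policy; returns { width, height, clamped }.
// Per-axis cap first, then scale both axes down (keeping aspect ratio) if the
// area still exceeds the pixel budget.
function clampDimensions(width, height, limits = LIMITS) {
  let w = Math.min(width, limits.maxDimension);
  let h = Math.min(height, limits.maxDimension);
  let clamped = w !== width || h !== height;
  if (w * h > limits.maxPixels) {
    const scale = Math.sqrt(limits.maxPixels / (w * h));
    w = Math.max(1, Math.floor(w * scale));
    h = Math.max(1, Math.floor(h * scale));
    clamped = true;
  }
  return { width: w, height: h, clamped };
}

// Scan raw HTML for <img ...> tags and report those whose declared size
// exceeds the limits, with the byte count the tag would have asked for and
// the dimensions it would be clamped to.
function findOversizedImages(html, limits = LIMITS) {
  const tagRe = /<img\b[^>]*>/gi;
  const attrRe = /\b(width|height)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  const findings = [];
  for (const tag of html.match(tagRe) || []) {
    const dims = {};
    for (const m of tag.matchAll(attrRe)) {
      dims[m[1].toLowerCase()] = parseDimension(m[2] ?? m[3] ?? m[4]);
    }
    const w = dims.width, h = dims.height;
    if (w == null || h == null) continue; // no declared size: nothing to check
    if (w > limits.maxDimension || h > limits.maxDimension || w * h > limits.maxPixels) {
      findings.push({
        tag, width: w, height: h,
        bytes: surfaceBytes(w, h, limits.bytesPerPixel).toString(),
        clampedTo: clampDimensions(w, h, limits),
      });
    }
  }
  return findings;
}

// Constructed sample page: a normal image plus the tag quoted in the report.
const SAMPLE_HTML = `
<html><body>
<img src="logo.png" width="200" height="100" />
<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />
</body></html>`;

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of findOversizedImages(SAMPLE_HTML)) {
    console.log(`${f.width}x${f.height} would need ${f.bytes} bytes; ` +
                `clamp to ${f.clampedTo.width}x${f.clampedTo.height}`);
  }
}
```

The same scan can run in a proxy or content filter; the point of the BigInt step is that the 400 TB the quoted tag asks for only shows up as a sane number if the multiplication is done without wrapping.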