Closed Bug 1226990 Opened 10 years ago Closed 10 years ago

Firefox hang using prompt/window exhaustion

Categories

(Firefox :: Untriaged, defect)

Product:
Firefox
Component:
Untriaged
Version:
42 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1227357

People

(Reporter: qab, Unassigned)

Details

(Keywords: csectype-dos, hang, testcase)

Attachments

(2 files)

ff-hang.html
535 bytes, text/html
Details
WinDbg stacktrace, removed redundancies
234.72 KB, text/x-log
Details
Attached file ff-hang.html
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0 Build ID: 20151029151421 Steps to reproduce: Using an interesting HTMLelement function 'click()' we are able to produce a reliable Firefox hang. 1. Open 'ff-hang.html' 2. Press button Actual results: Main firefox window goes away, firefox.exe is still running what seems like indefinitely. Only way to re-open firefox is to manually end the firefox.exe process. Expected results: No hang.
//(firefox.exe still runs and everytime we try to run firefox again the following error occurs) [JavaScript Error: ": Component returned failure code: 0x8046001e [nsIWindowWatcher.openWindow]" {file: "jar:file:///C:/Program%20Files%20(x86)/Mozilla%20Firefox/browser/omni.ja!/components/nsBrowserContentHandler.js" line: 193}]
If you view the source code, you will notice this is reliant on HTMLElement.click function and though this report has to do with hanging the browser, there are other smaller bugs that I feel I should point out. 1. If we execute .click() repeatedly (using any loop) on an anchor element that simply points to 'javascript:alert(1)' we can then through the .click() open up as many alert windows as we want (without the alert spam protector going off on any of them, that little checkbox to prevent further alerts) 2. We can spam the 'file download' dialog by setting a 'download' attribute to our spammed anchor tag that simply points to any data like 'data:q,q'. If we execute something like while(true){a.click()}, we can indefinitely spam the download dialogue. The possibilities here are endless, I will be doing more tests using other schemes, but its obvious to me the HTMLElement.click is the guilty culprit of all this. https://developer.mozilla.org/en-US/docs/Web/API/HTMLElement/click
Managed to find a way to actually crash firefox (after a few minutes of waiting) though even the crash reported did not appear. PoC: Using the same method described here except this time we will be adding the following to our spammed anchor tag:- elem.target='_BLANK'; elem.href=`javascript:while(true){location='javascript:alert(/@qab/)'}`; We will also disabled the .download attribute. Now we will spam the Click() event about 100 times we will crash firefox. Will be uploading stacktrace and second PoC soon.
Decided to report the crash version separately at: https://bugzilla.mozilla.org/show_bug.cgi?id=1227357 it includes the stacktrace
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Keywords: csectype-dos, hang, testcase
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: