Open Bug 1317573 Opened 8 years ago Updated 2 years ago

Browser (parent) hang due to spawning setTimeouts/re-navigating

Categories

(Core :: DOM: Core & HTML, defect, P3)

49 Branch
defect

People

(Reporter: mishra.dhiraj95, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, hang, testcase, Whiteboard: [sg:dos])

Attachments

(1 file)

Attached file POC-MOZILLA.ZIP
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20161019084923

Steps to reproduce:

* Visit: http://hackies.in/spoof.html
* Hit Go
* Address bar says facebook.com; content is not facebook.com.
* While closing the tab, the browser crashes.

Actual results:

VULNERABILITY DETAILS
Address Spoofing:
    Address bar says facebook.com;
    Content is not facebook.com.

URL: http://hackies.in/spoof.html

Expected results:

For crashes, please see the additional information in the attached POC below.
Summary: Mozilla Address Spoofing with unresponsive page Firefox crashes. → Mozilla Address Spoofing Firefox crashes.
The timer setTimeout() is actually set to 4 seconds. Locally, the spoofed content gets displayed for the time mentioned in the code (the time value can be extended) to make the spoof page stable.
However, by closing the spoofed tab the browser crashed.
In my attempts to repro, the page always goes blank after a short delay, both on Linux and Windows. I'm sure that it's possible to tweak the parameters to DoS the browser and delay the blank paint, but that's fragile and is unlikely to work well across machines.

Thank you
This isn't really spoofing -- you've hung the browser on the way to navigating, and there's always a brief period where the new URL is shown on top of the old content.

The hang is a denial of service that would be worth looking at.
Blocks: eviltraps
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Mozilla Address Spoofing Firefox crashes. → Browser (parent) hang due to spawning setTimeouts/re-navigating
Whiteboard: [sg:dos]
Hi Daniel,

Any update on this bug!
Flags: needinfo?(dveditz)
Group: firefox-core-security
Flags: needinfo?(dveditz)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:53.0) Gecko/20100101 Firefox/53.0

I have tested this issue on Windows 10 x64 with the latest Firefox release (50.1.0) and the latest Nightly (53.0a1-20170108030212) with e10s enabled/disabled and managed to reproduce it following the steps described in the description.
When hitting the "Go" link, the pop-up window with the content is displayed and the browser hangs.

I was able to get a cleopatra profile:
https://new.cleopatra.io/public/aa812b7b5312e15fb4e94dc56d8e0e3c35eab074/calltree/?thread=0

Moving this to Core:DOM, perhaps there's someone with extensive knowledge on this area that might be able to help here.
Component: Untriaged → DOM
Product: Firefox → Core
Olli, should we be disallowing the setInterval() callbacks here after `window.location.replace()` navigation begins?
Flags: needinfo?(bugs)
If inner window is still the old one, why would we do that?

But don't we in this case anyhow keep the original page, which just keeps adding more and more timeouts, or am I missing something here?
Flags: needinfo?(bugs)
Priority: -- → P3
I see a popup with the facebook.com in the url bar, and no content in the page instead of the facebook.com content.

But I don't get a browser hang.
It does take up quite a bit of CPU power. Tested in Firefox 58.0.1 on OSX.
Component: DOM → DOM: Core & HTML
Severity: normal → S3