Open Bug 1362752 Opened 7 years ago Updated 2 years ago

DoS – GNU/Linux – Moderate / High

Categories

(Core :: DOM: Core & HTML, defect, P3)

53 Branch
defect

Tracking

UNCONFIRMED

People

(Reporter: josecarlos.garciaortega, Unassigned)

Details

(Keywords: csectype-dos, hang, testcase, Whiteboard: [sg:dos])

Attachments

(3 files)

Attached file FirefoxDoSLinux.odt
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:53.0) Gecko/20100101 Firefox/53.0
Build ID: 20170421105455

Steps to reproduce:

Moderate:
We can run a large number of workers to avoid warning messages from Firefox; then in every worker I ran:
    function eatmyram() {
        var res = new Uint8Array(0x7ffff000);
        for (var i = 0; i < 0x7ffff000; i += 1) {
            res[i] = 0;
        }
        return res;
    }

    var x = [];

    for (var i = 0; i < 100; i++)
        x.push(eatmyram());
This code declares a large amount of data without limit, so all the RAM is consumed, and then the system starts consuming swap, so the system becomes slow.
On the other hand, we're using workers, so our CPU goes crazy too because we're using every available core at 100%.
PoC: http://www.freesoftmath.org/gopicnic.html (Click Go Picnic)

High:
Without using workers we're going to see a warning after running the script, but the following scenario is lethal:
- Suppose that you've got a tab open and then you open the maliciously crafted webpage in another tab.
- Imagine you close the tab before the process has ended.
- Then your computer freezes completely, and you won't be able to do anything; you have to power off your computer.
PoC: http://www.freesoftmath.org/gopicnic2.html (Click Go Picnic, wait a second, and then close the tab)


Actual results:

When I ran my exploit, my system freezes completely (temporarily, or until you power off your computer), my CPU goes from 0 to 100% on every core (I'm using a 5th i7), my RAM fills up completely (12 GB of RAM), and my swap too.


Expected results:

No freezes, and no crashing.
Tested on Mozilla for iOS, and when I executed my payload, my browser became unresponsive.
Tested http://www.freesoftmath.org/gopicnic.html on Mozilla Firefox 53 64-bit for Windows, and the computer goes completely down (I have to restart my computer).
Group: firefox-core-security → core-security
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Group: core-security → javascript-core-security
We do launch the slow script dialog (which is in DOM land, not JS iirc) if there's only one instance of the script (gopicnic2.html).

> Tested on Mozilla for iOS, and when I executed my payload, my browser became unresponsive.

Due to Apple's rules, JavaScript execution has to happen in their built-in browser (webview). I would expect you get the same results from the default iOS browser.
Blocks: eviltraps
Group: javascript-core-security → dom-core-security
Component: JavaScript Engine → DOM
Keywords: csectype-dos
Group: dom-core-security
Keywords: hang, testcase
Whiteboard: [sg:dos]
Priority: -- → P3
Attached file test.html
The test pages http://www.freesoftmath.org/gopicnic2.html and http://www.freesoftmath.org/gopicnic.html are dead. I tried to use the script in comment 0 to write a simple test, but FF 59 seems to be OK with that:
- I could see the slow script dialog both in a worker and without a worker.
- Closing the tab before the process has ended stops the memory consumption.
Are you still able to reproduce the issue?
Flags: needinfo?(josecarlos.garciaortega)
Hello,
I have uploaded my two scripts again:

- https://www.freesoftmath.org/gopicnic-dos-browser-master/gopicnic/gopicnic_simple.html (KO)
- https://www.freesoftmath.org/gopicnic-dos-browser-master/gopicnic/gopicnic.html (OK)
 
The second one seems to be patched (that is the one that works with workers),
but without workers it is still consuming a large amount of RAM.

I'm using Firefox 58.0.1 from Debian repositories.
Flags: needinfo?(josecarlos.garciaortega)
Thanks!

In Firefox 58.0.1 on Mac, I get a yellow info bar repeatedly:
"A webpage is slowing down your browser. What would you like to do?"

Haven't tested on Linux.
jkt to test on Linux
Flags: needinfo?(jkt)
Seems to be recoverable with the hang dialog, so no eviltrap.
No longer blocks: eviltraps
Component: DOM → DOM: Core & HTML
Flags: needinfo?(jonathan)
Severity: normal → S3
