Closed Bug 1444752 Opened 6 years ago Closed 6 years ago

DoS vulnerability with looped window.open() calls

Categories

(Firefox :: Untriaged, defect, P2)

Product:
Firefox
Component:
Untriaged
Version:
47 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 685828

People

(Reporter: ddwrtuuuu, Unassigned)

Details

Attachments

(1 file)

Firepwn-PoC-For-Mozilla-Security-Team.zip
797 bytes, application/java-archive
Details 
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160606114208

Steps to reproduce:

1. Download the attached zip file. (Firepwn-PoC-...Team.zip)
2. Unzip it.
3. Open exp.html (exp.js is the exploit code)
4. Wait 5-10 seconds.
5. Exploit runs. 


Actual results:

This bug will crash and/or freeze Firefox. (tested on Firefox 47, probably works on newer versions)
In Ubuntu, the Firefox window (for me) will darken and become unresponsive until force-quit. 


Expected results:

The software should do something along these lines. 
Firefox, should have a counter, that resets every, 15-30 seconds or so. When window.open() is called, it is incremented. If it gets to large, window.open() calls are not even blocked by the pop-up blocker, they are simply should get blocked at the time they're called; to reduce the DoS's impact.
Alias: firepwn
Severity: normal → minor
Keywords: wsec-dos
OS: Unspecified → All
Priority: -- → P2
Hardware: Unspecified → All
Summary: There is a DoS vulnerability in window.open(); → DoS vulnerability with looped window.open() calls
Isn't this a dupe of bug 685828 which in turn is a dupe of bug 675574 ?
Flags: needinfo?(ddwrtuuuu)
Looping window.open with user interaction is a known issue tracked in bug 675574, but looping window.open without user interaction was tracked in bug 685828 until we duped it during eviltraps triage.

I'm a bit confused about the state of "looping window.open crashes Firefox bugs", but this issue is certainly known, so duping forward to bug 685828.

Note that with e10s this problem isn't as bad as it used to be. 47 is an ancient version, Nightly is hitting 61 this week. With e10s enabled, the only problem seems to be the messaging overhead and/or the fact that we need to update chrome UI in real time, which makes the slow content process have an effect on the parent, but not unbearable on my machine. Maybe we should just start ignoring the notifications in browser.js after some threshold. That's not really what this bug is concerned with, though.

We should consider unduping bug 685828.
Alias: firepwn
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: needinfo?(ddwrtuuuu)
Keywords: wsec-dos
But it also works on newer versions.
Attachment #8957949 - Attachment mime type: application/zip → application/java-archive
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: