Closed Bug 1464623 Opened 6 years ago Closed 6 years ago

Plaintext based DoS via Khmer characters

Categories

(Core :: Graphics: Text, defect, P3)

defect

Tracking

RESOLVED INVALID

People

(Reporter: masatokinugawa, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, hang, testcase, Whiteboard: [sg:dos][gfx-noted])

Attachments

(1 file, 1 obsolete file)

Attached file chromefx_khmer_dos.html (obsolete)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180526100113

Steps to reproduce:

1. Navigate to https://l0.cm/chromefx_khmer_dos.html or open the attached .html file
This page writes 256 U+17B7's from the following code:

<script>document.write("\u17B7".repeat(256))</script>

2. The page will freeze.


This bug affects all applications which treat user-generated text (e.g. chat applications, email applications, etc.). An attacker can disable a victim's application permanently just by sending crafted Khmer characters. I think that such a plaintext-based DoS is worse than a normal DoS. Thus, I reported it as a security bug.

Apparently Chrome has the same issue. I reported it here: https://bugs.chromium.org/p/chromium/issues/detail?id=847034

I confirmed the following characters also cause DoS:
U+17B7 - U+17C5
U+17C8
U+17CB
U+17CD - U+17D1
U+17D3
U+17DD


Actual results:

The page is not rendered properly.


Expected results:

The page should be rendered properly.
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: Text
Product: Firefox → Core
The attached .html file was wrong. I uploaded the correct file.
Attachment #8980919 - Attachment is obsolete: true
On what OS/Version? Your user agent says Win10 and I couldn't really reproduce, at least not "worse than normal DOS". The page hangs, but the UI stays responsive and the CPU usage was minimal (with e10s of course). Maybe depends on the Windows locale, or installed fonts?

On Mac there was no problem at all: the string rendered fine.
Flags: needinfo?(masatokinugawa)
> On what OS/Version?
I forgot to write this. I tested on:
fully patched Win10
Android 8.1.0

I also couldn't reproduce it on Mac.

> The page hangs, but the UI stays responsive and the CPU usage was minimal
You've already reproduced the problem. In this DoS, Firefox does not crash. It's a hang only.

> at least not "worse than normal DOS"
The point is that this bug can be abused by using only "text". JS/HTML/CSS is not needed.
We can abuse this bug just by putting the text here (Bugzilla), like this:

[U+17B7][U+17B7]...(256 times)

If someone does so, you can no longer open this page with Firefox on Windows/Android.
Flags: needinfo?(masatokinugawa)
Group: gfx-core-security
Whiteboard: [sg:dos]
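The reporter's point is that any application rendering untrusted plaintext is exposed, so a defender can screen text before it reaches the shaper. The following is an added example (not code from the bug thread or from harfbuzz): it flags and clamps over-long runs of the Khmer marks the reporter listed. The cap of 8 consecutive marks is a constructed policy value, not a number from the report or the fix.

```python
import re

# Khmer dependent vowels and signs listed in the bug report as triggering the
# hang: U+17B7-U+17C5, U+17C8, U+17CB, U+17CD-U+17D1, U+17D3, U+17DD.
KHMER_MARK_RUN = re.compile(
    "[\u17b7-\u17c5\u17c8\u17cb\u17cd-\u17d1\u17d3\u17dd]+"
)

# Assumed policy limit (constructed for this example): real Khmer words stack
# only a few marks on a base consonant, so a run longer than this is treated as
# hostile input rather than language.
MAX_MARK_RUN = 8


def find_mark_runs(text, limit=MAX_MARK_RUN):
    """Return (offset, length) for every run of Khmer marks longer than `limit`.

    Useful for logging/alerting on inbound messages before they are stored.
    """
    return [
        (m.start(), m.end() - m.start())
        for m in KHMER_MARK_RUN.finditer(text)
        if m.end() - m.start() > limit
    ]


def clamp_mark_runs(text, limit=MAX_MARK_RUN):
    """Truncate each over-long run to `limit` marks.

    Runs of `limit` or fewer marks (ordinary Khmer text) pass through unchanged,
    so the renderer never sees hundreds of stacked marks on one base.
    """
    return KHMER_MARK_RUN.sub(lambda m: m.group(0)[:limit], text)


if __name__ == "__main__":
    # Constructed input mirroring the report's document.write("\u17B7".repeat(256)).
    payload = "hello " + "\u17b7" * 256 + " world"
    print(find_mark_runs(payload))        # [(6, 256)]
    print(len(clamp_mark_runs(payload)))  # 20
    # Ordinary Khmer ("Khmer" written in Khmer script) is left untouched.
    print(clamp_mark_runs("\u1781\u17d2\u1798\u17c2\u179a"))
```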
Jonathan,

This is happening because in the Khmer shaper we enabled unlimited matras in the grammar...  I'm investigating.
Actually, the safeguard was already in the Indic shaper.  We inadvertently removed it when we forked the Khmer shaper.
Fixed:
https://github.com/harfbuzz/harfbuzz/commit/7b8dfac560abe89d48cfc2f6efb4a61820bd28bf

I'm currently in Iran.  Will make a release next week.
The fix would have been pulled in by one of the recent harfbuzz updates we landed.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Priority: -- → P3
Resolution: --- → INVALID
Whiteboard: [sg:dos] → [sg:dos][gfx-noted]