CRITICAL EXPLOIT: Malformed IMG tag can cause operating system STOP error.

VERIFIED DUPLICATE of bug 289864

Status

Firefox
General
--
critical
13 years ago
13 years ago

People

(Reporter: CoJaBo, Unassigned)

Attachments

(1 attachment)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.6) Gecko/20050225 Firefox/1.0.1

The tag "<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />" can
cause the video device driver to hang, causing a STOP (Blue Screen of Death) error.
This has been tested on Win XP home using Firefox 1.0.1;
and on Win XP home using Firefox 1.03, Firefox 1.04, and Internet Explorer
(latest version).
The exploit is way too easy to use, as it only requires an unsuspecting victim
to visit the page.
This can be accomplished by either posting the link somewhere or,
like what happened to me, cracking the homepage of a website (for example my
website) and replacing it with a page that redirects to the exploit.

Reproducible: Always

Steps to Reproduce:
*WARNING* following the steps results in an operating system crash, be sure to
SAVE ALL DATA before continuing! The complete URL to the file was not included
to prevent any accidents, follow the steps below to get to the page.
This is the page that the redirect that was put on my website led me to.
1. Go to "http://www.scene.org:8080/redhound/"
2. Click "crash.html"

Actual Results:  
The system froze for several seconds, then displayed a STOP error.

Expected Results:  
There should be a reasonable size limit on the size of images to prevent this
from happening.
Firefox should have displayed the image at a reasonable maximum size.

This should also be reported to makers of other browsers, as it works on IE, and
probably works on other browsers.
This has also been reported to Symantec.
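
The size limit asked for under Expected Results can also be checked on the serving side, for example when reviewing pages after a homepage has been replaced. The following is an added example, not part of the original report or of Mozilla's fix; the limits MAX_SIDE and MAX_AREA and all function names are assumptions chosen for illustration.

```python
from html.parser import HTMLParser

# Assumed limits for this example (not values from the bug report or Firefox).
MAX_SIDE = 16384          # largest declared width or height, in pixels
MAX_AREA = 64 * 1024**2   # largest declared width * height, in pixels


def parse_dimension(value):
    """Return the leading integer of an HTML dimension attribute, or None."""
    digits = ""
    for ch in (value or "").strip():
        if ch not in "0123456789":
            break
        digits += ch
    return int(digits) if digits else None


class OversizedImageFinder(HTMLParser):
    """Collects <img> tags whose declared size exceeds the limits."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":  # html.parser lowercases tag and attribute names
            return
        a = dict(attrs)
        w, h = parse_dimension(a.get("width")), parse_dimension(a.get("height"))
        too_long = any(d is not None and d > MAX_SIDE for d in (w, h))
        too_big = w is not None and h is not None and w * h > MAX_AREA
        if too_long or too_big:
            self.findings.append((self.getpos()[0], a.get("src"), w, h))


def find_oversized_images(html):
    """Return (line, src, width, height) for every oversized <img> tag."""
    finder = OversizedImageFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: the tag quoted in the report plus an ordinary image.
SAMPLE = ('<IMG SRC="AYB-school.jpg" width="9999999" height="9999999" />\n'
          '<img src="logo.png" width="120" height="60">\n')

if __name__ == "__main__":
    for line, src, w, h in find_oversized_images(SAMPLE):
        print(f"line {line}: {src} declares {w}x{h}")
```

The check covers only the width and height attributes; sizes set through CSS or script are outside what it inspects.
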
(Reporter)

Comment 1

13 years ago
Created attachment 186619 [details]
Copy of exploit page and the image file.

*WARNING* this results in an operating system crash, be sure to SAVE ALL DATA
before continuing! The file crash.html has been renamed to crash.txt, rename it
back to crash.html to test it.
The image file is, as far as I know, harmless. It is the IMG tag that causes
the crash.
This trick is making the rounds. It's fixed in the Deer Park Alpha 1 release.

*** This bug has been marked as a duplicate of 289864 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE

Updated

13 years ago
Status: RESOLVED → VERIFIED