Closed Bug 349392 (lastmeasure) Opened 16 years ago Closed 1 year ago

[meta] LastMeasure has been updated

Categories: Firefox :: Security, defect; x86, Windows XP; defect, Not set, critical
Tracking: RESOLVED WORKSFORME
People: Reporter: pile0nades, Unassigned
Details: Keywords: meta, Whiteboard: [sg:dos]
Attachments: 2 files

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060817 BonEcho/2.0b1
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060817 BonEcho/2.0b1

Someone posted the about url on a 4chan /b/ thread, and I opened it in a new tab. Don't ask me why, I just did. Last time I had seen LM it had no effect, because it tried to spawn flash popups but that doesn't work anymore. I then posted this:

"OP here. Do not go to that link. I nearly got haxed. It opened outlook express, the internet connection wizard, and chatzilla and I can only assume tried to log me on to gnaa's irc channel. had to kill my pc."

I am using Bon Echo nightly builds. If this happened to me, it probably affects 1.5.0.6 and below too. I have no idea how it works. I've uninstalled ChatZilla for the moment though.




Reproducible: Always

Steps to Reproduce:
1. Visit url

Actual Results:  
Outlook Express, Internet Connection Wizard, and Chatzilla opened. No idea what else it does/tries to do.

Expected Results:  
That shouldn't happen.
Also, I have Flash player 9.
I downloaded this with Free Download Manager, because I'm not going back there in Firefox.
using wget -p, I see 

' + str + '
LastCoffee.class
favicon.ico
gnaa.png
index.html
index.php@steal=1&key=ffffffffbb17aa3e8884d899
index.php@steal=1&key=ffffffffbb17aa3e8e1b61fd
index.php@steal=1&key=ffffffffbb17aa475506370f
index.php@steal=1&key=ffffffffbb17aa4c3eb79f87
jews.wmv
lm.pdf
robots.txt

index.php's are the same except for the key used. index.html doesn't look all that different from what we've seen before using protocols, iframes etc. 

There "may be" exploits used in java, wmv, pdf. What plugins and their versions do you have installed? You can find them by typing about:config into the url bar. Be _sure_ to include the version numbers.
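
The triage described in the comment above (look at a mirrored copy for protocol-handler URLs and plugin-rendered files) can be done statically, without opening the page in a browser. This is an added example, not code from the bug report or from Mozilla; the names `HandlerTriage`, `triage` and `SAMPLE`, the scheme allow-list and the extension-to-plugin mapping are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import posixpath

# Schemes the browser loads itself; any other scheme is passed to an external handler.
INTERNAL_SCHEMES = {"", "http", "https", "ftp", "data", "about", "javascript"}
# Plugin-rendered file types like those in the wget listing (plugin names are assumptions).
PLUGIN_EXTS = {".class": "Java", ".wmv": "Windows Media", ".pdf": "PDF reader", ".swf": "Flash"}
URL_ATTRS = {"src", "href", "data", "code", "archive"}


class HandlerTriage(HTMLParser):
    def __init__(self):
        super().__init__()
        self.external = []  # (tag, scheme, url) handed to an OS protocol handler
        self.plugins = []   # (tag, plugin, url) rendered by a browser plugin

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in URL_ATTRS or not value:
                continue
            url = value.strip()
            parts = urlsplit(url)
            scheme = parts.scheme.lower()
            if scheme not in INTERNAL_SCHEMES:
                self.external.append((tag, scheme, url))
            ext = posixpath.splitext(parts.path)[1].lower()
            if ext in PLUGIN_EXTS:
                self.plugins.append((tag, PLUGIN_EXTS[ext], url))


def triage(html_text):
    parser = HandlerTriage()
    parser.feed(html_text)
    parser.close()
    return {"external": parser.external, "plugins": parser.plugins}


# Constructed sample for illustration, not the page from the report.
SAMPLE = """<html><body>
<iframe src="mailto:someone@example.invalid"></iframe>
<iframe src="IRC://irc.example.invalid/channel"></iframe>
<applet code="Example.class"></applet>
<embed src="clip.wmv"><a href="doc.pdf">x</a>
<img src="logo.png"><a href="https://example.invalid/">ok</a>
</body></html>"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

The `external` list shows which installed applications a page would try to start, and the `plugins` list shows which plugin versions need checking.
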
(In reply to comment #4)

Crap, everything looks up to date. Windows media doesn't report a version, can you check its version and if you have up to date patches for it and windows? I guess I get to try my vmware sandbox on this one.
OK that text file is hard to wade through, sorry about that. Here's My Config done by MR Tech Local Install:

Generated: Sun Aug 20 2006 09:00:05 GMT-0400 (Eastern Daylight Time)
User Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1b1) Gecko/20060817 BonEcho/2.0b1
Build ID: 2006081703

Enabled Extensions: [19]
- All-in-One Sidebar 0.7 RC 4: http://firefox.exxile.net/aios/
- CacheViewer 0.3: http://park2.wakwak.com/~benki/
- ChatZilla 0.9.75: http://chatzilla.hacksrus.com/
- CoLT 2.1: http://www.borngeek.com/firefox/colt/
- Console² 0.3.5.4+: http://forums.mozillazine.org/viewtopic.php?t=318102
- DOM Inspector 1.8.1b1: http://www.mozilla.org/projects/inspector/
- FlashGot 0.5.95.060611: http://flashgot.net
- FoxyTunes 1.9: http://www.foxytunes.com/
- Gmail Manager 0.5: http://www.longfocus.com/firefox/gmanager/
- Greasemonkey 0.6.5.20060727: http://greasemonkey.mozdev.org/
- Menu Editor 1.2.1: http://menueditor.mozdev.org/
- MR Tech Local Install 5.2: http://www.mrtech.com/extensions/local_install/
- OpenBook 1.3.4: http://www.chuonthis.com/extensions/
- Stylish 0.3.9.20060806: http://userstyles.org/stylish/
- Tab Mix Plus 0.3.0.60819: http://tmp.garyr.net
- Talkback 2.0b1: http://talkback.mozilla.org/
- Update Channel Selector 1.0.1: http://users.blueprintit.co.uk/~dave/web/firefox/updatechannel/index.html
- userChrome.js 0.7: http://forums.mozillazine.org/viewtopic.php?t=397735
- XPather 1.0.1: http://xpath.alephzarro.com/

Installed Themes: [5]
- Charamel 1.2.0.1: http://www.charamel.ca
- Firefox (default): http://www.mozilla.org/
- glowyblue 2.4: http://glowplug.bitasylum.net/
- Pinball for Fx 2.0a/3.0a (Ayakawa Rev.) 1.9.21: http://marilab.hp.infoseek.co.jp/firefox/index.html
- QuBranch 1.0.20060809: http://www.schrade.com/firefox/themes/

Installed Plugins: (21)
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPJava13.dll
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPJPI150_08.dll
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPJava12.dll
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPJava32.dll
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPJava11.dll
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPJava14.dll
- Java(TM) 2 Platform Standard Edition 5.0 Update 8: NPOJI610.dll
- Microsoft® DRM: npdrmv2.dll
- Microsoft® DRM: npwmsdrm.dll
- Mozilla Default Plug-in: npnul32.dll
- QuickTime Plug-in 7.1: npqtplugin3.dll
- QuickTime Plug-in 7.1: npqtplugin4.dll
- QuickTime Plug-in 7.1: npqtplugin5.dll
- QuickTime Plug-in 7.1: npqtplugin.dll
- QuickTime Plug-in 7.1: npqtplugin2.dll
- RealPlayer Version Plugin: nprpjplug.dll
- RealPlayer(tm) G2 LiveConnect-Enabled Plug-In (32-bit) : nppl3260.dll
- Shockwave Flash: NPSWF32.dll
- Shockwave Flash: NPSWF32.dll
- Shockwave for Director: np32dsw.dll
- Windows Media Player Plug-in Dynamic Link Library: npdsplay.dll

I'm gonna do a Windows Update now.
It still didn't report the version of Windows media player. Can you open it, look in Help->About? It should report Version: 10.00.00.4036 or something like that.
WMP version is 10.00.00.4036.

Just did Windows Update, went to the url again, OE and ChatZilla still open. What's worse, Esc or Alt F4 wouldn't work to close anything, so I had to do a hard shut down again.
Opening Outlook Express and Chatzilla sounds like bug 334426.  I don't know about Internet Connection Wizard but it's probably also a protocol handler for something.

Dup of bug 334426?
LastMeasure isn't exactly secret so there seems little point in hiding a bug about it.
Group: security
Since this one contains the source I'm confirming this and duping 356638 here.
Status: UNCONFIRMED → NEW
Depends on: 167475, 334426
Ever confirmed: true
Duplicate of this bug: 356638
Duplicate of this bug: 390463
Duplicate of this bug: 395737
Whiteboard: [sg:dos]
Just found a variant of this which trampled Firefox 3.6, all attempts to shut down the browser normally were pretty unsuccessful. Had to force kill the process in order to end the madness.
Depends on: 550196
Alias: lastmeasure
Keywords: meta
Summary: LastMeasure has been updated → [meta] LastMeasure has been updated

Hello Daniel, is this meta bug still available for the latest Firefox builds? If not, can we close it with some resolution?

Flags: needinfo?(dveditz)

This testcase and the one in bug 550196 no longer work (except an annoying repeated prompt to launch IRC -- although that could actually launch IRC if a user set it to launch every time). Easily closed and stopped.

We have the "eviltraps" bug as our meta bug for this kind of issue. Doesn't need to be specific to "Last Measure" which I haven't seen in a long time.

Status: NEW → RESOLVED
Closed: 1 year ago
Flags: needinfo?(dveditz)
Resolution: --- → WORKSFORME