hang with lots of nested <marquee>s

NEW
Unassigned

Status

critical
10 years ago
7 years ago

People

(Reporter: mustlive, Unassigned)

Tracking

({hang})

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos], URL)

Attachments

(1 attachment)

(Reporter)

Description

10 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.7) Gecko/20050414
Build Identifier: This is UA of my favorite Mozilla 1.7.x :-)

When I wrote to Mozilla in October 2007 by email (as I do every day when informing web developers and site admins about vulnerabilities) about a hole in Mozilla (old) and Firefox (old and new 2.0), my letter was ignored and the hole was not fixed. So for this hole, which I found recently, I decided, in addition to sending an email, to also write to Bugzilla. Here is the text of my letter.

Hello Mozilla!

I want to warn you about a Denial of Service vulnerability in Mozilla Firefox.
 
DoS:
 
http://websecurity.com.ua/uploads/2008/Firefox%203%20DoS%20Exploit.html
 
With this exploit the browser takes 100% of CPU and freezes (while overloading the computer).

The vulnerable versions are Mozilla Firefox 3.0.1 and previous versions. I tested it in Mozilla Firefox 3.0.1 and in one old version of Firefox, so it's possible that all versions of Firefox are vulnerable (as well as other browsers on Mozilla's Gecko engine).

I mentioned this vulnerability at my site (http://websecurity.com.ua/2421/). This vulnerability is similar to the DoS hole in Google Chrome (http://websecurity.com.ua/2409/) which I wrote about last week.
 
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

Reproducible: Always

Steps to Reproduce:
1. Run my exploit (http://websecurity.com.ua/uploads/2008/Firefox%203%20DoS%20Exploit.html).

Actual Results:
Browser takes 100% of CPU and freezes.

Expected Results:
Not taking 100% of CPU and not freezing.
If you've published details of this on your site, there's no need for it to be security-sensitive.
Component: Security → Layout
Product: Firefox → Core
QA Contact: firefox → layout
Summary: DoS vulnerability in Mozilla Firefox → hang with lots of nested <marquee>s
I filed bug 454465 for the fact that the testcase is crashing in current trunk build again.

I think this bug as filed is basically a duplicate of bug 239840.

Comment 4

10 years ago
"One-time DoS" bugs in web browsers, such as hangs, are not considered security holes.
Group: core-security
Keywords: hang
(Reporter)

Comment 5

10 years ago
Hello Mozilla!

Recently, on 19.09.2008, I made my new project Day of bugs in browsers (http://websecurity.com.ua/2453/), where I published many vulnerabilities in different browsers, to remind browser developers to attend to the security of their applications.

Here is the list of holes:

DoS vulnerabilities in Firefox, Internet Explorer and Opera (http://websecurity.com.ua/2454/)
DoS vulnerabilities in Firefox, Internet Explorer, Opera and Chrome (http://websecurity.com.ua/2455/)
DoS vulnerabilities in Firefox, Opera and Chrome (http://websecurity.com.ua/2456/)

I'll write the details (in English) of these holes to Mozilla by email soon. I hope Mozilla will receive, respond to and fix these holes (as Mozilla received and responded this time, not like a year ago, as I wrote before). So for now I'm not planning to post these new holes to Bugzilla, but if there is no response, I'll think about posting them to your bugtracker.
(Reporter)

Comment 6

10 years ago
Jesse Ruderman,

1st, it's not just a hang, because the number of nested marquees can be made very large, which will completely freeze Firefox on any computer (with any hardware, even powerful computers).

2nd, when I wrote to Mozilla (in September 2008), Dan Veditz answered me and confirmed that this is a security vulnerability.

You just need to fix it (which you haven't done yet).
(Reporter)

Comment 7

10 years ago
Mozilla!

About this vulnerability I must note that you not only didn't fix it, but also made this DoS hole more dangerous.

As I wrote at my site (in January) about the DoS vulnerability in SeaMonkey (http://websecurity.com.ua/2820/), this issue with nested marquees works in SeaMonkey. And it crashes completely. And as Thierry Zoller wrote (in February) (http://securityvulns.ru/Vdocument307.html), Firefox 3.0.6 also crashes completely.

I checked my exploit for Firefox (which causes a CPU overload DoS in Firefox 3.0.1) and confirmed that it crashes Firefox 3.0.6. And recently I also checked my exploit in Firefox 3.0.9 and found that the browser freezes completely. So the hole still exists.

You need to fix this vulnerability, as well as the others which I wrote to you about (by email). And also the Properties not-inheritance vulnerability in Mozilla Firefox (https://bugzilla.mozilla.org/show_bug.cgi?id=493858), which I posted to Bugzilla recently.

Updated

10 years ago
Whiteboard: [sg:dos]
Depends on: 454465
Status: UNCONFIRMED → NEW
No longer depends on: 454465
Ever confirmed: true

Comment 8

8 years ago
(In reply to comment #1)
> Created attachment 337715 [details]
> reporter's testcase
> 
> The current contents of
> http://websecurity.com.ua/uploads/2008/Firefox%203%20DoS%20Exploit.html

Crashes my Firefox 4.0b7 on 32 bit Windows 7.

Comment 10

8 years ago
Comment 9 is a too-much-recursion crash (not exploitable).

Comment 11

8 years ago
For what it's worth, this makes my plugin container crash while trying to access 00022272, which doesn't really seem right.