Open Window/Tab DoS: infinite no of blank tabs continue to open for any extension set to open by firefox

RESOLVED DUPLICATE of bug 167320

Status

Firefox
Security
--
critical
9 years ago
9 years ago

People

(Reporter: Subere, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dos])

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.46 Safari/525.19
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729)

The security vulnerability occurs for any known content type that is identified under Options -> Applications Tab to open using Firefox, i.e. either having the action set to "Use Firefox", or to "Use Other" and browsing to the file firefox.exe.

If any such file is opened or clicked upon (e.g. mailto: link, .java file, etc.) the browser proceeds in a never-exiting loop to open an infinite number of blank tabs (tabs not displaying anything), while constantly consuming more memory, until it crashes.

A malicious attacker, knowing that any known content type is set to open using Firefox, can remotely cause a Denial of Service on the browser. This is achieved by getting the user to click, or open a file or location of the particular content type. Such an action will trigger, in an infinite loop, the constant opening of blank tabs.



Reproducible: Always

Steps to Reproduce:
1. Open Firefox, go to "Tools" -> "Options" and select the "Applications" tab
2. In the "Content Type", select "mailto" and as action, select "Use Other"
3. Browse to the installation directory and select "firefox.exe", click ok
4. Select "OK" in the options panel
5. Browse to any page that has a mailto html link and click on it
6. The Open Tab DoS begins, opening an infinite amount of blank tabs

Actual Results:  
Firefox enters an infinite loop, continuously opening blank tabs or new blank windows, while consuming more memory. 

Expected Results:  
A single tab or window should open with the contents of the content type rendered by Firefox. 

In the case that the user has the option "New pages should be opened:" set to "a new tab" this attack can be stopped by clicking the stop button. 

If, though, the setting "New pages should be opened:" is set to "a new window", an infinite number of blank windows starts appearing! This could even result in an operating system Denial of Service, if the user does not select to kill the process in time.

Also, closing an individual window does not appear to affect the continuous opening of blank windows.

Finally this vulnerability has been replicated (following steps 1-6 above) on Windows XP and Windows 2008 Standard Server, using both Firefox 3.0.5 and Firefox 3.0.6 on both platforms.
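
The condition behind the report is a content type whose helper application is the browser's own executable. As an added example (not part of the report and not Firefox code), the check below flags such self-referential handlers in a configuration export; the mapping layout, function names and sample paths are constructed assumptions.

```python
import ntpath  # Windows path rules on any OS, so the check runs offline anywhere

# Constructed sample data (assumption): content type -> helper command line.
BROWSER_EXE = r"C:\Program Files\Mozilla Firefox\firefox.exe"
SAMPLE_HANDLERS = {
    "mailto": r'"c:\program files\mozilla firefox\FIREFOX.EXE" "%1"',
    "text/x-java": "C:/Program Files/Mozilla Firefox/../Mozilla Firefox/firefox.exe",
    "application/pdf": r"C:\Program Files\Reader\reader.exe",
    "application/zip": "",  # no helper configured
}


def helper_executable(command):
    """Return the normalized executable path from a helper command line, or None."""
    command = command.strip()
    if not command:
        return None
    if command.startswith('"'):
        # Quoted path followed by optional arguments such as "%1".
        end = command.find('"', 1)
        path = command[1:end] if end != -1 else command[1:]
    else:
        # Unquoted path that may contain spaces: cut after the first ".exe".
        cut = command.lower().find(".exe")
        path = command[:cut + 4] if cut != -1 else command
    # Collapse "..", unify slashes and case so equivalent spellings compare equal.
    return ntpath.normcase(ntpath.normpath(path))


def self_referential_handlers(handlers, browser_exe):
    """List content types whose helper is the browser's own executable."""
    browser = ntpath.normcase(ntpath.normpath(browser_exe))
    return sorted(ctype for ctype, command in handlers.items()
                  if helper_executable(command) == browser)


if __name__ == "__main__":
    for ctype in self_referential_handlers(SAMPLE_HANDLERS, BROWSER_EXE):
        print(f"{ctype}: helper is the browser itself; dispatch would re-enter the browser")
```
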

Comment 1

9 years ago
How would you trigger this in a normal Firefox setup?  Are there any content types that Firefox cannot display internally, and yet Firefox has registered for?
Group: core-security
Whiteboard: [sg:dos]

Updated

9 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 167320
(Reporter)

Comment 3

9 years ago
I discovered this bug when attempting to de-register .java content types from opening in visual studio. The second option from the drop down menu of actions was to use firefox. Even though I've replicated it with many other content types, I have not investigated any other registered ones.
Status: RESOLVED → UNCONFIRMED
Resolution: DUPLICATE → ---
I assume the unduping was a mid-air collision. If it was on purpose please explain how this differs from bug 167320
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 167320