Open Bug 685168 Opened 14 years ago Updated 2 years ago

XML expansion attack through Javascript leads to crash

Categories

(Core :: XML, defect)

x86_64
Linux
defect

Tracking

()

People

(Reporter: gfahrner, Unassigned)

Details

(Keywords: crash, csectype-dos, testcase)

Attachments

(3 files, 3 obsolete files)

Attached file HTML_XML.txt (obsolete) —
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0
Build ID: 20110825133144

Steps to reproduce:
Load an XML file containing an expansion attack with an XMLHttpRequest call. Same effect with a nested-entities infinite loop.

Actual results:
Linux: Firefox crashes, system is unusable (need to restart X).
Windows XP / Seven: Firefox crashes, system is slow but usable.
All tested versions are affected: 3.6.14 / 6.0 / 6.0.1.
Firefox becomes unusable immediately. Delay before the crash is between 10 and 60 seconds.

Expected results:
Protection against XML expansion attacks, as when the XML file is loaded directly.
Attached file test.html (obsolete) —
Attached file test.html
now with proper domain.
Attachment #558832 - Attachment is obsolete: true
Attached file Right XML file
Attachment #558887 - Attachment mime type: application/octet-stream → text/xml
Funny thing: the first XML file provided (with the first entity defined as empty) is not detected as a recursion when accessed directly (without JavaScript) and also leads to a (less violent) DoS.
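The report's steps (an entity-expansion document fetched with XMLHttpRequest) and the comment above about the empty first entity both come down to the same thing: the parser's cost is bounded neither by the raw document size nor, in the empty-entity case, by the expanded text size. As an added example, not code from the bug report or from Firefox, the block below builds the kind of "billion laughs" document the report describes and shows a pre-parse guard an application can run over the fetched text before handing it to any XML parser. It counts both expanded bytes and the number of entity references a parser would have to resolve, computed from the DTD declarations alone, and rejects recursive entity definitions. All function names and the three limits are this example's own assumptions; it handles only internal general entities with literal values (no parameter entities, no SYSTEM/PUBLIC entities, no `]` inside entity values).

```javascript
// Added example, not code from the bug report or from Firefox: it builds the
// kind of "billion laughs" document the report describes and shows a pre-parse
// guard that bounds entity expansion before any XML parser (DOMParser, expat)
// sees the text. Runs in Node or a browser; uses no DOM APIs.
// All function names and the three limits below are this example's own choices.

const MAX_EXPANDED_BYTES = 10 * 1024 * 1024; // assumed cap on expanded text
const MAX_REFERENCES = 1000000;              // assumed cap on reference expansions
const MAX_AMPLIFICATION = 100;               // assumed cap on expanded/raw ratio

// Internal general entity declarations with a literal value, e.g. <!ENTITY a "x">.
// Parameter entities (%), SYSTEM/PUBLIC entities and ']' inside values are out of scope.
const ENTITY_DECL = /<!ENTITY\s+([A-Za-z_][\w.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>/g;
const ENTITY_REF = /&([A-Za-z_][\w.-]*);/g;
const PREDEFINED = new Set(["lt", "gt", "amp", "quot", "apos"]);

class RecursiveEntityError extends Error {
  constructor(name) { super(`entity &${name}; refers to itself`); this.entity = name; }
}

// Constructed test input: `depth` entities, each referencing the previous one
// `fanout` times. Expanded size is |base| * fanout^depth; with base "" the text
// stays tiny but a parser still performs about fanout^depth reference expansions.
function buildBillionLaughs(depth, fanout, base = "lol") {
  const decls = [`<!ENTITY lol0 "${base}">`];
  for (let i = 1; i <= depth; i++) {
    decls.push(`<!ENTITY lol${i} "${`&lol${i - 1};`.repeat(fanout)}">`);
  }
  return ['<?xml version="1.0"?>', "<!DOCTYPE lolz [", ...decls, "]>",
          `<lolz>&lol${depth};</lolz>`].join("\n");
}

// Pull the internal DTD subset out of the document; return declared entities and the rest.
function splitInternalSubset(doc) {
  const m = /<!DOCTYPE[^>\[]*\[([\s\S]*?)\]\s*>/.exec(doc);
  const entities = new Map();
  if (!m) return { entities, body: doc };
  for (const d of m[1].matchAll(ENTITY_DECL)) {
    entities.set(d[1], d[2] !== undefined ? d[2] : d[3]);
  }
  return { entities, body: doc.slice(0, m.index) + doc.slice(m.index + m[0].length) };
}

// Cost of fully expanding `text`: bytes produced and entity references resolved.
// Costs come from the declarations alone, so this is O(declarations), not
// O(expansion); `inProgress` catches the recursive case (a -> b -> a).
function expansionCost(text, entities, memo, inProgress) {
  let bytes = 0, refs = 0, last = 0;
  for (const ref of text.matchAll(ENTITY_REF)) {
    bytes += ref.index - last;
    last = ref.index + ref[0].length;
    const name = ref[1];
    if (entities.has(name)) {
      const sub = entityCost(name, entities, memo, inProgress);
      bytes += sub.bytes;
      refs += 1 + sub.refs;
    } else if (PREDEFINED.has(name)) {
      bytes += 1;
      refs += 1;
    } else {
      bytes += ref[0].length; // undeclared reference: a real parser rejects it; counted as text here
    }
  }
  return { bytes: bytes + (text.length - last), refs };
}

function entityCost(name, entities, memo, inProgress) {
  if (memo.has(name)) return memo.get(name);
  if (inProgress.has(name)) throw new RecursiveEntityError(name);
  inProgress.add(name);
  const cost = expansionCost(entities.get(name), entities, memo, inProgress);
  inProgress.delete(name);
  memo.set(name, cost);
  return cost;
}

// Decide whether `doc` is safe to hand to a parser. Returns { ok, reason, bytes, refs, ratio }.
function guardXml(doc) {
  const { entities, body } = splitInternalSubset(doc);
  const memo = new Map();
  let cost;
  try {
    for (const name of entities.keys()) entityCost(name, entities, memo, new Set());
    cost = expansionCost(body, entities, memo, new Set());
  } catch (e) {
    if (e instanceof RecursiveEntityError) return { ok: false, reason: "recursive", entity: e.entity };
    throw e;
  }
  const ratio = cost.bytes / doc.length;
  const result = { bytes: cost.bytes, refs: cost.refs, ratio };
  if (cost.bytes > MAX_EXPANDED_BYTES) return { ok: false, reason: "too-large", ...result };
  if (cost.refs > MAX_REFERENCES) return { ok: false, reason: "too-many-refs", ...result };
  if (ratio > MAX_AMPLIFICATION) return { ok: false, reason: "amplification", ...result };
  return { ok: true, reason: "ok", ...result };
}

// Usage: classic document, the empty-first-entity variant from the bug, and mutual recursion.
console.log(guardXml(buildBillionLaughs(9, 10)).reason);      // too-large
console.log(guardXml(buildBillionLaughs(9, 10, "")).reason);  // too-many-refs
console.log(guardXml('<!DOCTYPE r [<!ENTITY a "&b;"><!ENTITY b "&a;">]><r>&a;</r>').reason); // recursive
```

In a page that fetches XML with XMLHttpRequest, this only helps if the response is requested as text (`responseText`) and run through the guard before being given to `DOMParser`; `responseXML` has already parsed the document by the time script can look at it, which is the path the report exercises. The reference count is the check that matters for the empty-entity variant: that document expands to a few dozen bytes, so a byte-only limit passes it while the parser still does on the order of 10^9 expansions.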
Attached file POC (obsolete) —
New (good) test file.
Attachment #558819 - Attachment is obsolete: true
Attachment #558909 - Attachment mime type: text/plain → text/html
Comment on attachment 558909 [details] POC
Does not work on Bugzilla...
Attachment #558909 - Attachment is obsolete: true
Definitely confirmed. Since it's sucking up so much memory I had to kill it before it crashed so I don't know if it's going to be stack exhaustion, OOM, or maybe something bad in expat. The stack I saw when I killed it was in DOM node insertion, but the ultimate crash might be later/elsewhere. Peter: please check whether this is a DoS or worse.
Assignee: nobody → peterv
Status: UNCONFIRMED → NEW
Component: Security → XML
Ever confirmed: true
Product: Firefox → Core
QA Contact: firefox → xml
It's a memory exhaustion DoS. Firefox will fail trying to allocate memory through a mozalloc() call, which leads to INT3 / ERROR_NOT_ENOUGH_MEMORY and "Access Violation when reading 0x00000000". Does not seem to be exploitable for remote exec (imho).
Component: XML → Security
Product: Core → Firefox
Group: core-security
Component: Security → XML
Keywords: crash, testcase
Product: Firefox → Core
Whiteboard: [sg:dos]
Severity: normal → critical
Severity: critical → S2

I don't think a DOS is a huge deal that needs to be S2. It did make the parent process stop responding when I tried to exit, at least in a debug build, so that's something.

Assignee: peterv → nobody
Severity: S2 → S3
Keywords: csectype-dos
Whiteboard: [sg:dos]