Closed Bug 771622 Opened 12 years ago Closed 11 years ago

An Html page can crash mozilla firefox (document.write causing OOM abort / 100% CPU)

Categories: Firefox :: General, defect
Hardware: x86
OS: All
Type: defect
Priority: Not set
Severity: critical
Tracking: RESOLVED DUPLICATE of bug 612029
People: Reporter: buginfirefox, Unassigned
Keywords: csectype-dos, csectype-oom, sec-other
Attachments: 3 files

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.11 (KHTML, like Gecko) Chrome/20.0.1132.47 Safari/536.11

Steps to reproduce:

I'm writing to you to inform you about a bug in Firefox. It crashes loading a special HTML page.

It is similar to "Bug 312588 - Firefox crash accessing the page"


Actual results:

It works in Linux and Windows with the last version of Firefox or older, but Chrome and IE are not affected.

It instantly caused 100% CPU usage, the instant crash of the program and memory exhaustion after some time depending on the memory, causing a denial of service in the system.

Please, could you send me some info about the bug bounty program for this kind of bug? I'm thinking of not publishing it.

I sent the details of the crash and my email address (this one) through the form which appears when the crash happens.



Expected results:

The load of the web page.
Severity: normal → critical
Component: Untriaged → General
OS: Windows XP → All
Could you please go to about:crashes in your Firefox and give us the report ID of the crash?

If you could also let us know the following:
* What add-ons / extensions are installed?
* Full platform information (os, service pack, etc)
* What version of firefox you tested
Hi,

The problem is similar to an old bug (Firefox crash accessing the page): when Java code is added to HTML code, Firefox crashes and it will cause a DDOS on the client side.

No add-ons or extensions installed (it is a problem in the core with Java).

Tested in Linux (BackTrack) and Windows XP SP3.

Tested in Firefox version 13.0.1 and older.

I have a proof of concept; I will add it as an attachment to the bug only if it's necessary. It will be very funny for the script kiddies causing DDOS in a web chat or playing on-line games, etc., because it's easy to crash Firefox only by sending a link to a web page which crashes it.

But I like to use Firefox and I want to improve it, so I'm sending you the less dangerous code and info confidentially. I know about other more powerful codes but I'm testing them. I don't want to send my best proof of concept for security reasons, but I have one and I'm working on improving it.

You only have to put this code between the </body> and the </HTML> tag of a web page:

<script type="text/javascript">
var curInnerHTML = document.body.innerHTML;
curInnerHTML = curInnerHTML.replace(/\&amp;/g,'&');
document.body.innerHTML = curInnerHTML;
document.write(curInnerHTML);
</script>

<script type="text/javascript"> 
window.onload = clear(); 
function clear() { 
document.body.innerHTML = document.body.replace(/\&amp;/g,'&'); 
} 
</script>

I think that only the first JavaScript is necessary to crash Firefox, but the content of the page between the <body> and </body> tags is very important to cause fast memory consumption and DDOS the system, because it is constantly reloading the body content and loading the CPU and system memory; the second JavaScript will help to do it faster (some other Java and HTML codes will help too).

In Linux, testing the memory overcharging, I saw a possible buffer overflow, because when it's close to overloading the memory it turned unstable and the ramp of memory charge started to go up and down suddenly; it will occur in 10 minutes or more depending on the system memory and the content between the <body> and </body> tags, and some seconds later the system collapses.

To fix the problem, Firefox only must reload the body of a web page a maximum number of times, and not in an infinite loop.

I found it programming JavaScript code.
If you need more information, please contact me.

Regards.
David.
Using document.write to exhaust client resources is a known problem.

Do you see any crash stack that isn't just an intentional out-of-memory abort? If so, please attach the HTML file demonstrating the crash.
Keywords: sec-other
Summary: An Html page can crash mozilla firefox → An Html page can crash mozilla firefox (document.write causing OOM abort / 100% CPU)
Attached file Firefox Fast Crash.
With this file Firefox crashes fast.
Attached file Firefox slow crash.
With this file Firefox crashes slowly.
If you need more info, contact me.
Can you attach the stack trace for the crash?
Here's the stack I get in a trunk debug build on Linux64. It's a safe OOM abort. I also got the "Unresponsive Script" warning dialog before that, so everything works as expected as far as I can tell.
It can DDOS the client system: with heavy HTML code Firefox crashes, but with a light HTML file the system overload during a long time can cause a reboot by the user, because most users don't know how to kill the Firefox process and the user can't open any program due to the memory exhaustion in Windows XP.

With a Linux live distro it's easy to kill the Firefox process and stop the overload of the system, but if the users don't do it, the Linux live distro can collapse in a short time.

With a powerful computer, probably the system will never crash, only Firefox.
Yes, but we're already aware of that, so unless you have a testcase that causes a crash that isn't an out-of-memory abort this is just a dupe of bug 112858 or something.
Group: core-security
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csec-dos
Keywords: csec-oom
A script kiddie published a variant of this code, but less powerful, some days ago, after you opened this vulnerability to all the world:

http://packetstormsecurity.org/files/115648/Mozilla-Firefox-14.01-Denial-Of-Service.html

The vulnerability described in this post can be used against Firefox v15.0.1.

The bug bounty program doesn't work.
Firefox v16.0.2 is vulnerable too; please check and fix the bug.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE