Large wpad.dat files cause Firefox to exhaust available memory

NEW
Unassigned

Status

()

6 years ago
6 years ago

People

(Reporter: francois, Unassigned)

Tracking

({csectype-dos})

17 Branch
x86_64
Linux
csectype-dos
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

6 years ago
Like bug 813864, this was publicly disclosed at the Kiwicon security conference last weekend.

In this case however, users don't have to connect to an attacker's website. They simply have to open Firefox while connected to a network that serves a hostile wpad.dat somewhere down the chain (assuming proxy auto-config is ON).

Steps to reproduce:

1. Configure Firefox to use proxy auto-configuration ("Auto-detect proxy settings for this network" under Preferences | Advanced | Network | Connection | Settings) then close it.
2. Add "127.0.0.1   wpad" to /etc/hosts on the local machine.
3. Create a 4GB wpad.dat file in /var/www/.
4. In the local web server config, set the mimetype of that wpad.dat file to application/x-ns-proxy-autoconfig.
5. Open Firefox.

On 16.0.2, Firefox hangs and the UI is not responsive at all.

On 17, Firefox does open fine and the UI is responsive, but its memory usage grows until it is killed from the command line. Exiting the browser doesn't seem to terminate the process. Also, browsing other websites doesn't seem to work while the large wpad file is downloaded/processed.
Since this was announced at a conference keeping the bug hidden isn't protecting anyone.
Group: core-security
Keywords: csec-dos
You need to log in before you can comment on or make changes to this bug.