Rendering large binary file as HTML makes Mozilla Firefox stop responding or crash

From: Peter Kruse (kruse_at_KRUSESECURITY.DK)
Date: 10/25/04

  • Next message: Philip Walley: "Getting pop up"
    Date:         Mon, 25 Oct 2004 11:00:25 +0200
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    CSIS Security Advisory: [CSIS2004-5)

    Rendering large binary file as HTML makes Mozilla Firefox stop responding or
    crash

    Date Published: 10.25.2004 (GMT)

    Summary
    ========
    Mozilla Firefox, Web-browser built for 2004, advanced e-mail and newsgroup
    client, IRC chat client, and HTML editing made simple. The Mozilla Firefox
    shippes with several bugs, making it possible to crash the browser, eat up
    virtual memory, simply by hosting a binary renamed as html, on a remote
    website.

    Vulnerability Class
    ===================
    The browser should remain responsive while displaying large files. Instead
    it crashes and hangs and feeds on virtual memory which could cause the
    operating system to become unstable.

    Details
    =======
    Internet Explorer, and other browsers, verifies the content of filetypes
    before opening in the browser. Based on the content of the file, it decides
    what application should be used to open/view the content of the file. This
    is, by design, not the case with Mozilla based browsers. A malicious website
    can host a large chunck of data, spoofed as a html file that Mozilla will
    display within the browser window. Thereby effectively causing a crash on
    systems visiting the website.

    You can choose any file from your harddisk larger than 5MB, rename it as a
    html file, upload it to a remote website, or simply open it directly from
    your local harddrive. The result is the same: Mozilla will stop responding,
    showing a lot of binary garbage (clearly understandable), before the user is
    forced to either end the application or reboot the system.

    In several test scenarios the system force feed all virtual memory causing
    the system to become unstable. However, this all depends on the size of the
    file viewed by the browser. To avoid the user from being suspicious while
    the file loads and garbage is showed in the browser window you can format
    the website in such a way that garbage won't show. This way the browser will
    show a blank page until it crashes and the system becomes unstable. When
    viewed, the browser will load the binary without the users knowledge. The
    fact that this bug can be trigged by sending the same file with 1024 ASCII
    characters pre-pended makes exploitation trivial.

    Impact
    ======
    Low-Medium: This is a remote DoS in Mozilla Firefox. There are several other
    ways to crash the browser.

    This behavior was confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1;
    rv:1.7.3) Gecko/20040913 Firefox/0.10, but my guess is that all versions of
    Mozilla introduce the problem.

    Solution
    =========
    Awaiting fix

    Affected Products
    ================
    Mozilla/5.0 Gecko/20040913 Firefox/0.10 and prior

    ----
    Med venlig hilsen // Kind regards
    Peter Kruse,
    Security- and virusanalyst,
    CSIS, Combined Services & Integrated Solutions
    http://www.csis.dk
    PGP fingerprint
    79FD 0648 158E 6B9E 236F  CFDA 7C58 64D6 BE83 FA60
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 8.1
    iQA/AwUBQXy8J3xYZNa+g/pgEQLy1gCeIOBSUFvWcMDxRdctMJKZyepxBuUAn0cs
    2AJ7hwekVBENB2m1+t5CoQ26
    =Mi5B
    -----END PGP SIGNATURE-----
    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    

  • Next message: Philip Walley: "Getting pop up"

    Relevant Pages