103 Comments

- DickBreath, on 10/12/2007, -0/+9
This is why I like Firefox's NoScript extension.
It basically whitelists sites that are allowed to run any JavaScript. I don't mind if, say, Google runs JavaScript. But I don't want every random site being able to do so unless I approve. With NoScript it is easy to approve. The NoScript icon (with a popup menu) appears in the status bar at the bottom.

- carguy84, on 10/12/2007, -0/+3
keng, a DoS is "an incident in which a user or organization is deprived of the services of a resource they would normally expect to have."
You're thinking of DDoS, which is a distributed version of DoS, where many nodes attack a common node.

- leprasmurf, on 10/12/2007, -0/+3
"Heck, if Internet Explorer 7 came out and a few weeks later a bug like this... Microsoft would be killed."
There are some key differences between Microsoft and Open Source Software, differences that are hard to find out of all the flame wars and fan boys. There are going to be mistakes in all software, no matter who makes it. However, you now have hundreds or thousands of people around the world working on this problem, coming up with solutions and working on a patch. Microsoft would rely on closed sources and trusted workers to work on the solution/patch and would release it at their leisure. Also, as mentioned a couple of times previously, IE has quite a few vulnerabilities because they have not kept security (until recently, it seems) a priority, whereas Firefox has prided itself on its security focus. There are plenty of differences, and I don't want to go into them all and possibly have any misinformation, but there are always differences to be seen.

- caldaean, on 10/12/2007, -0/+2
Jeez. I don't want to fuel the flame war up even more, but 2 comments here were simply so full of ignorance and unawareness that I couldn't help it. It's one thing to not like the other side (in this case), but to simply be so wrong?
Instead of linking to a private blog with suspicious numbers whose sources cannot be verified, look at the security companies and compare the statements made in these comments:
Comment:
"Firefox not only has more vulnerabilities per month than Internet Explorer, but it is now surpassing Internet Explorer for the number of exploits available for public download in recent months."
http://blogs.zdnet.com/Ou/index.php?p=103
And people still continue to use Firefox. Why?
posted by wackyt (17) at 10:51 AM 12/07/05
Comment:
People continue to use IE because MS does release patches whenever exploits come out. And btw, if one has any sense of technology, IE is no less secure than any other browser. It's just that there are a whole lot of idiots out there. But, ironically, thanks to those same people, IE will always be the top browser.
posted by h2d2 (0) at 10:32 AM 12/07/05
Response:
http://www.eeye.com/html/research/upcoming/index.html
http://www.computerterrorism.com/research/ie/ct21-11-2005
http://secunia.com/product/11/
I especially recommend looking at the computerterrorism link, which points to a flaw discovered and ignored in May this year. Still unpatched. When not being a potential remote code execution risk, it does crash IE. So to correct some wrongs: MS does not fix bugs when they are notified; they fix them (most of the time) at a much later stage. Even though more flaws are found in Firefox at this time, they are
1. Not as severe, since the browser isn't embedded in the system.
2. Fixed fairly quick, because of the number of people working on it
3. Not hidden and forgotten until somebody actually takes advantage of the exploit.
To sum it up:
"Firefox not only has more vulnerabilities per month than Internet Explorer"
To me, this doesn't mean anything, considering that IE is 5 years older and STILL has a bunch of Remote code execution flaws.
"And btw, if one has any sense of technology, IE is no less secure than any other browser."
Think what you like, but I'd rather have a car with a separate engine than one that runs its fuel lines through the seat I'm sitting on. To me, IE will always be a bigger threat because of the fact that it is embedded deeply into the system. That's almost as stupid as recognizing executable binaries by their file extension.
"MS does release patches whenever exploits come out"
Wrong.

- lnxaddct, on 10/12/2007, -0/+2
This script isn't a buffer overflow, it just causes Firefox to load a huge title. It might slow down your machine if its specs are lower or if you're already using up all of your computer's resources, but other than that it's not a big deal. Easy fix too, just limit the titles to 1000 chars, although I'd prefer 256. Sure this should be fixed, but it has nothing to do with security. People who are defending IE need to recheck their information, you're only showing your ignorance.

- zizzybaloobah, on 10/12/2007, -0/+2
@WackyT (and anybody else that thinks # of vulnerabilities is a competent measure of security): Comparing # of vulnerabilities is great for headlines, but terrible for measuring just about anything else. Among other things, Firefox is only a year old -- how ancient is IE? Shouldn't all of IE's problems be ironed out by now? Nevertheless, check out Secunia's website and compare how critical each browser's vulnerabilities were, as well as how many are still unpatched. The question easily changes from 'Why are people still using Firefox' to 'Who in their right mind would continue using IE?'

- spectre_25gt, on 10/12/2007, -0/+2
You guys that said it didn't crash, did you try reloading your browser? If you read the article, it doesn't crash your browser on execution, it crashes it on the next load.

- fluffyturtle, on 10/12/2007, -0/+2
Everyone acts like children when an exploit is found. Arguments about which browser is more secure can be counted on as much as the sun rising every morning.
GET OVER IT.
At any rate this doesn't even make Firefox crash for me.

- Sniper, on 10/12/2007, -0/+2
You can just set Firefox to clear the history when you close Firefox ;)

- mesostinky, on 10/12/2007, -0/+2
"It's funny how even the open source community has big bugs in major releases. Firefox 1.5 got released just recently and this bug creeps up. Heck, if Internet Explorer 7 came out and a few weeks later a bug like this... Microsoft would be killed."
How is it funny? Since when did ANY project maintainer for ANY OSS project ever claim by making something OSS it magically becomes bug free and never has security issues?
Any coder or person with a clue will tell you that security is a process and that both closed and open source applications will continue to have bugs and security problems for eons to come.
If IE 7 came out with this bug it wouldn't be a problem. What people would rightly nail MS to the wall for is NOT fixing the bug after months and months.
A fix for this bug, if indeed it is a bug, will be out almost immediately. Best case with MS is waiting a month or two. The only time they break their lame policy is if enough bad press comes out forcing them to act.

- caldaean, on 10/12/2007, -0/+2
@jasqwerty:
Yup, checked them every now and then.
1. Never actually had the impression that FF had the rights or possibility to do as much system damage as IE. My opinion still stands. You could tweak FF so it didn't have access to the filesystem at all (theoretically), something that can't be done to IE. But maybe that is more of a severe problem with the entire way of constructing the filesystem, not so much the browser. Then again, I'm not running IE, or Windows for that matter.
2. Then again, I would say that depends on the type of fix needed. There are, and always will be bugs, fixes etc for a program. To me the difference is in the kind of fixes needed and how quickly they are taken care of.
3. My explanation? Is it hidden? If not, please do read my post again before arguing. My comment was due to the fact that MS was notified over 6 months ago about the window() flaw, but downgraded it and ignored it. Yes, that can happen to FF too, but there is a hell of a lot bigger chance for someone to actually fix it, cause it will be out in the open.

- Iriel, on 10/12/2007, -0/+2
Well of course software will have bugs in it. Nothing is foolproof, but that's the advantage of open source. Even if Mozilla didn't know about this at the time of posting, I'm sure an advocate has alerted them by now. For those of us that haven't crashed, 1.5 will probably update automatically once they fix it with a reset on the .dat file to clear out the garbage.
Meanwhile MS waits until the 29th of the month to start working on it ;)

- Shen, on 10/12/2007, -0/+2
Yes, but it'll be fixed in a few weeks, unlike many IE bugs.

- alex007, on 10/12/2007, -2/+3
It's funny how even the open source community has big bugs in major releases. Firefox 1.5 got released just recently and this bug creeps up. Heck, if Internet Explorer 7 came out and a few weeks later a bug like this... Microsoft would be killed.

- Cerberus047, on 10/12/2007, -0/+1
sigh great job posting this story now we have to sit through all the omg ie is soo great pussies

- jasqwerty, on 10/12/2007, -0/+1
@nothingx
Come on dude, you seem like you know what a stack is, and you're complaining he didn't release code that actually ***** over someone badly with minor modification?
And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER. I don't feel like firing up SoftIce and tracing exactly where the code breaks, and seeing if you can do any creative NOP slides, but I'm sure someone will soon enough.

- Smokezz, on 10/12/2007, -0/+1
The difference is, Firefox exploits get fixed in a timely manner, IE ones do not. How long did it take (if it's even fixed yet, I haven't checked lately) for that "Extremely critical - Out in the wild" exploit for IE to get fixed? It was at almost 3 weeks out in the wild last time I saw... that's pathetic.

- rspeed, on 10/12/2007, -0/+1
"It's funny how even the open source community has big bugs in major releases. Firefox 1.5 got released just recently and this bug creeps up. Heck, if Internet Explorer 7 came out and a few weeks later a bug like this... Microsoft would be killed."
What are you, joking? IE has had dozens of bugs like this! All browsers do. It comes with the territory.

- Dennis, on 10/12/2007, -0/+1
Didn't hurt me. Put a bunch of AAAAAAAAAAAAAAAAAAAAAA in my tab.

- danielcole, on 10/12/2007, -0/+1
I saved the HTML in the link to a local file and ran it. My history.dat file went from 211k to 10,358k instantly. However, the exploit did not completely crash Firefox 1.5 as stated (at least for me). Firefox 1.5 worked fine after clicking on the bad code, then I closed it, and when trying to reopen Firefox it *did* come back up, but was much much slower than normal to load the GUI - about 2-3 minutes.

- rnelsonee, on 10/12/2007, -0/+1
Doesn't crash Firefox, but does make it hard to open next time. For those trying it out, just delete history.dat.
Should be an easy fix for the FF team. Just limit page titles to 1000 chars or so.

- dkordik, on 10/12/2007, -0/+1
keng - denial of service terminology can refer to local applications as well.

- jasqwerty, on 10/12/2007, -0/+1
Firefox did crash for me, which implies some buffer got overwritten. And I don't mean it was just stuck at 100% CPU usage, but crashed.
If it doesn't for you, punch up the numbers in the script a bit. I first get a freeze, then after a while get an error & crash. I've tested it a few times, and it's hit & miss. Apparently whatever coding they use to store the string isn't extending correctly all the time.

- astrosmash, on 10/12/2007, -0/+1
@jasqwerty
"And I can't believe you didn't see where the stack is involved. The size of whatever FF is reading is obviously BIGGER than whatever BUFFER is being used to store it, thus causing an OVERFLOW of that BUFFER."
How do YOU see where the stack is involved?
There is no buffer overflow and no threat of arbitrary code execution; Firefox does not crash when the script is executed, nor at startup when it reads history.dat.
The script causes a very large (~10MB) string to be written to history.dat (That's just a text file, you can open it in Notepad and take a look). The algorithm Firefox uses to parse this file was presumably not intended to handle such large strings and therefore takes a long time to load the file (1 to 2 mins).
It allocates a buffer on the heap of arbitrary size and begins reading the string. When it determines that the buffer is not big enough to hold the entire string, it allocates a new, larger buffer, copies the old data to the new buffer, and continues reading. Repeat until you've allocated a buffer large enough to hold the entire 10MB string. Inefficient? Yes. Buffer overflow exploit? No.

- gbm85, on 10/12/2007, -0/+1
"if Internet Explorer 7 came out and a few weeks later a bug like this... Microsoft would be killed."
Except for the fact that serious exploits appear several times yearly for IE, and people still continue to use it...

- mediaburn, on 10/12/2007, -0/+1
I love the people that make sure everyone, but the people that can fix this, know about it.
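The regrow-and-copy loop astrosmash describes above, together with the title-length cap lnxaddct and rnelsonee suggest, as an added example that is not code from this thread or from Firefox: a toy title reader in C that counts how many bytes get moved when the buffer grows by a fixed step versus by doubling, and that stops storing at a cap. The function names, the 16-byte and 1024-byte initial sizes, the 1000-byte cap and the 'A'-filled sample title are assumptions of this example, not details taken from history.dat or its parser.

```c
/* Added example: models the "allocate bigger buffer, copy, continue" loop
 * described in the thread and the proposed fix of capping title length.
 * Not Firefox code; all sizes, names and sample input are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char  *title;        /* NUL-terminated stored title (caller frees); NULL on OOM */
    size_t len;          /* bytes stored */
    size_t bytes_copied; /* bytes moved by buffer regrowth: the hidden cost */
    int    truncated;    /* 1 if the cap stopped the read early */
} title_result;

/* Grow buf to new_cap by allocate-copy-free and count the bytes copied.
 * realloc() might grow in place; copying explicitly makes the cost visible. */
static char *regrow(char *buf, size_t used, size_t new_cap, size_t *copied)
{
    char *nb = malloc(new_cap);
    if (nb == NULL) { free(buf); return NULL; }
    if (buf != NULL) {
        memcpy(nb, buf, used);
        *copied += used;
        free(buf);
    }
    return nb;
}

/* Read one title: bytes up to '\n' or end of input.
 *   fixed_step > 0  : grow the buffer by fixed_step bytes each time (linear growth)
 *   fixed_step == 0 : double the capacity each time (geometric growth)
 *   max_len > 0     : store at most max_len bytes and flag truncation; 0 = no cap */
title_result read_title(const char *in, size_t fixed_step, size_t max_len)
{
    title_result r = { NULL, 0, 0, 0 };
    size_t cap = fixed_step ? fixed_step : 16;   /* initial sizes are assumptions */
    r.title = regrow(NULL, 0, cap, &r.bytes_copied);
    if (r.title == NULL) return r;

    for (const char *p = in; *p != '\0' && *p != '\n'; p++) {
        if (max_len && r.len >= max_len) { r.truncated = 1; break; }
        if (r.len + 1 >= cap) {              /* keep one byte for the terminator */
            size_t ncap = fixed_step ? cap + fixed_step : cap * 2;
            r.title = regrow(r.title, r.len, ncap, &r.bytes_copied);
            if (r.title == NULL) { r.len = 0; return r; }
            cap = ncap;
        }
        r.title[r.len++] = *p;
    }
    r.title[r.len] = '\0';                   /* len < cap holds throughout the loop */
    return r;
}

/* Constructed input: n copies of 'A' (the title people report seeing) plus a newline. */
static char *make_title(size_t n)
{
    char *s = malloc(n + 2);
    if (s == NULL) return NULL;
    memset(s, 'A', n);
    s[n] = '\n';
    s[n + 1] = '\0';
    return s;
}

/* Run one case and return only the counters (the stored title is freed). */
title_result run_case(size_t n, size_t fixed_step, size_t max_len)
{
    title_result r = { NULL, 0, 0, 0 };
    char *in = make_title(n);
    if (in == NULL) return r;
    r = read_title(in, fixed_step, max_len);
    free(in);
    free(r.title);
    r.title = NULL;
    return r;
}

int main(void)
{
    size_t n = 200000;
    title_result lin = run_case(n, 1024, 0);
    title_result geo = run_case(n, 0, 0);
    title_result cap = run_case(n, 0, 1000);
    printf("%zu-byte title, grow by 1024 : %zu bytes copied\n", n, lin.bytes_copied);
    printf("%zu-byte title, doubling     : %zu bytes copied\n", n, geo.bytes_copied);
    printf("%zu-byte title, cap 1000     : stored %zu, truncated=%d\n",
           n, cap.len, cap.truncated);
    return 0;
}
```

For a 200,000-byte title the fixed-step reader moves roughly a hundred times the title's size through memcpy while the doubling reader moves less than twice the title's size, which is the "inefficient, not an overflow" behaviour the comment describes. Neither strategy writes past its buffer; the cap at ingest is what bounds the work regardless of how the parser grows its storage, which is why a title-length limit is the fix the thread keeps proposing.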

- t3hs3x, on 10/12/2007, -0/+1
Yes, NoScript is the *****.

- GamingFox, on 10/12/2007, -0/+0
It didn't crash my Firefox 1.5. It didn't even slow down the startup time for Firefox either. Of course, I already set privacy to auto-remove my history every time it shuts down.
The whole point is the results VARY depending on hardware, OS, and what configs your FF is set on.

- token, on 10/12/2007, -0/+0
hevnsnt: Just a few things, and for everyone else worried about this.
1. JavaScript has NOTHING to do with this "vulnerability", and yes I use that term loosely; if it was possible to execute arbitrary code via this method it could be done in a plain HTML file without any scripting, just by building a payload and pasting it into the HTML with the title tags wrapped around it.
2. There is NO buffer overflow; nothing on the stack gets overwritten when visiting the site with large amounts of data in the title, nor does the stack of the Firefox instance get overwritten when you close and open the browser again. This is FALSE. hevnsnt, you should've never posted this without being sure. I am also sad to see it already made it to packetstormsecurity, which just shows how desperate people are to find new flaws.
When I first read this article I went to the Firefox site and checked to see if the vulnerability was on their site yet, but it wasn't, which kind of made me wonder if it wasn't some kind of hoax. Then I tested the vulnerability myself using two sets of code: one a normal HTML file I called firefux.html and a Perl CGI I called firefux.cgi. I uploaded these files to a co-located machine I have and I hit them both from Firefox 1.5 (Windows XP SP1) and from Firefox 1.5 (Gentoo 2005.1). Okay, and guess what the results were....
Well, in Windows I was surprised that even when hitting my code the browser rarely even lagged, CPU wasn't consumed all that much and it did not crash or freeze up at all!!! even when I restarted the browser.. Windows actually took it like a champ :-/
Now when I hit the same code on my laptop running Gentoo (Linux for you nubs), Firefox lagged badly and even froze when I enlarged my buffers to around 1000000 bytes; the Firefox process actually became a zombie :-/ so my Linux box didn't take it all that well, BUT!!! there was no OVERFLOW on the stack!!! This is false; there is no way to gain escalated privileges through this method on a remote machine. IT IS NOT POSSIBLE!!!!!! It isn't even a very good DoS, it's really sad and not even worth mention, but it was, so now it comes to this :-) I think it should be taken off of packetstormsecurity and other places. hevnsnt, you should also apologize to all the users of Digg, Firefox developers, and the entire IT security community for being so silly!!
Just one more time for you folks:
THIS IS FALSE INFORMATION POSTED BY hevnsnt!
FIREFOX IS NOT VULNERABLE USING THE METHOD PROVIDED BY HIM!!!!

- Cubsman44, on 10/12/2007, -0/+0
Doesn't work, and why would you want to crash Firefox?

- UnderLoK, on 10/12/2007, -0/+0
The results do not vary. It is a bug, period.

- McoreD, on 10/12/2007, -0/+0
Does this crash Internet Explorer too?

- dolphumous, on 10/12/2007, -0/+0
Didn't crash. Got a lot of AAAA's as the title. No CPU spike and I flipped back through my tabs before I closed the AAAA one...

- wingo, on 10/12/2007, -0/+0
re: h2d2 comment.
yeah right, IE and Microsoft release patches every now and then. Nope, they wait weeks even if the public knows.
Where is XP SP3 by the way? There are people around that make better patches for Windows than microcrap, i.e. autopatcher, ryanvm and nliteos.

- Miniman, on 10/12/2007, -0/+0
And how would someone go about fixing this?

- Zlatty, on 10/12/2007, -0/+0
thank jebus for the NoScript extension
it's the next best thing to Adblock

- barbobot, on 10/12/2007, -0/+0
input type crash
buh bye explorer.

- token, on 10/12/2007, -0/+0
UnderLoK, you're very WRONG. The results DO vary; as with any DoS, bug, or vulnerability, results will vary on different systems due to different hardware and software. It will always VARY because not every environment is EXACTLY the same.... and if this is a bug then every browser has this bug; you can send large amounts of data to any web browser and it will act in the same manner.
So call it a bug, call it a DoSing method, just don't call it a vulnerability, especially a vulnerability that could be exploited to gain remote access to another user's computer, cause that is just a joke..
Here is an idea: before you post comments on issues like this, please know what you're talking about. The poster of this article seems to have NO experience in IT security and no idea what executing arbitrary code on a remote machine means; maybe he thinks because his Firefox crashed that it means data on the stack was overwritten. He might also think it will have the same effect on ALL Firefox users, which is WRONG.

- shroom, on 10/12/2007, -0/+0
Didn't work at all for me.
Clicked the link in the exploit, pressed the back button, all is well.

- keng, on 10/12/2007, -0/+0
Wait. A DoS attack is a "denial of service" attack. A DDoS is a distributed "denial of service" using more than one computer to do the attacking. They only differ in the number of machines used. And I can't find anything that is talking about doing a DoS on an application. To do this you're affecting the machine, which may or may not affect a specific app. I don't think it's possible to DoS FF while leaving the machine in perfect working order. This hack is just trying to force the app to open up a file it can't understand, or understand very quickly, as some are pointing out.

- xamox, on 10/12/2007, -0/+0
This isn't an exploit. In no way does this grant access to your system. This is just ***** scripting crap. I'm guessing the poster hasn't been around the net for a while; this is very similar to JavaScript window bombs, etc.

- elfguy, on 10/12/2007, -0/+0
set the options to 'clear history on exit' and voila.

- flea2k, on 10/12/2007, -0/+0
This caused one computer to really have some problems opening Firefox when it was done. After using Filemon I could see it was hanging on history.dat. I renamed history.dat and everything is fine now.

- indiefan, on 10/12/2007, -0/+0
I'm calling ***** on the arbitrary code claim. All this does is make Firefox load times get out of control. Where is the buffer OVERFLOW?

- petknep, on 10/12/2007, -0/+0
"I ran this script and now my Firefox freezes at startup. I've tried Safe Mode too, but same results. I'm using IE for now..."
Manually delete history.dat and that will fix it up
/dev on "another browser" :)

- Sh|fty, on 10/12/2007, -0/+0
This is just foolish,
Why would someone put this on their site? If you're going to visit their site you want good content. They crash your Firefox, you never go back, guess who loses ;)

- odysseus, on 10/12/2007, -0/+0
Used NoScript a while back and it crashed the browser every few hours. Has it gotten any better?

- TomB, on 10/12/2007, -0/+0
nothing here too
Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8) Gecko/20051111 Firefox/1.5

- revoked, on 10/12/2007, -0/+0
This SORT of works.
When I closed browsers after being "exploited" AND THEN opened ffox again, it took a good 4 minutes for ffox to be responsive.
HOWEVER, if this can be used to inject code in the original DoS it could be big, but I don't see it sticking around for a long time.

- keng, on 10/12/2007, -0/+0
To Sh|fty:
Well, there are a lot of mean people out there just out to cause problems; that's why they put it on their site. And the people who come won't know it was their site anyway. This only shows up when you try to restart FF.