BugTraq
[Suspected Spam]File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera Jul 03 2010 08:18PM
MustLive (mustlive websecurity com ua)
Hello Bugtraq!

I want to warn you about File Download and Denial of Service vulnerabilities
in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I
already wrote about DoS vulnerabilities in different browsers via different
protocol handlers. And now I'll tell about research concerned with attacks
via protocols http and ftp which I made already in 2008 and published at
30.06.2010.

-----------------------------
Advisory: File Download and DoS vulnerabilities in Firefox, Internet
Explorer, Chrome and Opera
-----------------------------
URL: http://websecurity.com.ua/4334/
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Google Chrome,
Opera. Other browsers can be vulnerable as well.
-----------------------------
Details:

On 18th of September 2008 I found File Download and Denial of Service
vulnerabilities in Firefox, Internet Explorer, Chrome and Opera. This
research I begun after I found in September multiple Automatic File
Download vulnerabilities in Google Chrome, which I wrote in details in the
article Automatic File Download vulnerabilities in browsers
(http://websecurity.com.ua/2438/).

Goal of this research was to create a method of conducting File Download
attacks in different browsers (and DoS attacks via SaveAs functionality).
Which I called SaveAs attack.

And even this attack (file saving) is not going automatically (as it took
place in first versions of Chrome - in more new versions of its browser
Google fixed this vulnerability, after my warnings, and browser asks before
downloading files), but due to persistent showing of the window for file
saving, the user can accidentally press at "Save" and save file. Unlike
Automatic File Download in Chrome, this attack is working in different
browsers (including in new versions of Chrome).

So this method can be used for forced file saving at users' computer. And
also this method can be used for conducting of DoS attacks (via creating of
multiple windows for saving of files). File Download attack can lead to Code
Execution, if user will later open file (malicious), which was saved by him.

These File Download and DoS attacks are conducted via protocols http and
ftp. I set in exploits the files at servers of Google (for http) and
Microsoft (for ftp) - these companies have more server capacities for this
task.

Denial of Service vulnerabilities belong to type
(http://websecurity.com.ua/2550/) blocking DoS and resources consumption
DoS. These two attacks can be conducted as with using JS, as without it (via
creating of a page with large quantity of iframes and in Chrome it's also
possible to use frames).

File Download and DoS:

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Ope
ra%20DoS%20Exploit6.html
(http protocol)

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Ope
ra%20DoS%20Exploit7.html
(ftp protocol)

Both exploits work in Mozilla Firefox 3.0.19 (and besides previous versions,
it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
Google Chrome 1.0.154.48 and Opera 9.52.

In browsers Firefox, IE6 and Opera occur blocking and overloading of the
system (and Firefox 3.0.1 was crashing). In Chrome occurs
blocking of the browser. But both exploits don't work in IE8.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus