AOH :: HP Unsorted F :: B1A-1408.HTM

File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera



File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera
File Download and DoS vulnerabilities in Firefox, Internet Explorer, Chrome and Opera



Hello Bugtraq!

I want to warn you about File Download and Denial of Service vulnerabilities
in Mozilla Firefox, Internet Explorer, Google Chrome and Opera. Earlier I
already wrote about DoS vulnerabilities in different browsers via different
protocol handlers. And now I'll tell about research concerned with attacks
via protocols http and ftp which I made already in 2008 and published at
30.06.2010.

-----------------------------
Advisory: File Download and DoS vulnerabilities in Firefox, Internet
Explorer, Chrome and Opera
-----------------------------
URL: http://websecurity.com.ua/4334/ 
-----------------------------
Affected products: Mozilla Firefox, Internet Explorer 6, Google Chrome,
Opera. Other browsers can be vulnerable as well.
-----------------------------
Details:

On 18th of September 2008 I found File Download and Denial of Service
vulnerabilities in Firefox, Internet Explorer, Chrome and Opera. This
research I begun after I found in September multiple Automatic File
Download vulnerabilities in Google Chrome, which I wrote in details in the
article Automatic File Download vulnerabilities in browsers
(http://websecurity.com.ua/2438/). 

Goal of this research was to create a method of conducting File Download
attacks in different browsers (and DoS attacks via SaveAs functionality).
Which I called SaveAs attack.

And even this attack (file saving) is not going automatically (as it took
place in first versions of Chrome - in more new versions of its browser
Google fixed this vulnerability, after my warnings, and browser asks before
downloading files), but due to persistent showing of the window for file
saving, the user can accidentally press at "Save" and save file. Unlike
Automatic File Download in Chrome, this attack is working in different
browsers (including in new versions of Chrome).

So this method can be used for forced file saving at users' computer. And
also this method can be used for conducting of DoS attacks (via creating of
multiple windows for saving of files). File Download attack can lead to Code
Execution, if user will later open file (malicious), which was saved by him.

These File Download and DoS attacks are conducted via protocols http and
ftp. I set in exploits the files at servers of Google (for http) and
Microsoft (for ftp) - these companies have more server capacities for this
task.

Denial of Service vulnerabilities belong to type
(http://websecurity.com.ua/2550/) blocking DoS and resources consumption 
DoS. These two attacks can be conducted as with using JS, as without it (via
creating of a page with large quantity of iframes and in Chrome it's also
possible to use frames).

File Download and DoS:

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit6.html 
(http protocol)

http://websecurity.com.ua/uploads/2010/Firefox,%20IE,%20Chrome%20&%20Opera%20DoS%20Exploit7.html 
(ftp protocol)

Both exploits work in Mozilla Firefox 3.0.19 (and besides previous versions,
it must work in 3.5.x and 3.6.x), Internet Explorer 6 (6.0.2900.2180),
Google Chrome 1.0.154.48 and Opera 9.52.

In browsers Firefox, IE6 and Opera occur blocking and overloading of the
system (and Firefox 3.0.1 was crashing). In Chrome occurs
blocking of the browser. But both exploits don't work in IE8.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua 



The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.