<<< Date Index >>>     <<< Thread Index >>>

Web browsers - a mini-farce



Good morning,

I wanted to file a vague report a couple of potentially exploitable
vulnerabilities and DoS conditions in popular browsers, announce a useful
web browser testing tool, and stir some controversy - all in one short
post. Let me know how I doing.

1) Background - the tool

  In my spare time, I put up a trivial program to generate tiny, razor-sharp
  shards of malformed HTML. The program uses a refresh tag to repeatedly
  feed new data to the client, so testing can be pretty much unattended,
  except for the moments the browser crashes or stalls.

  The tool generates only basic HTML - no stylesheets, no scripts, mostly
  no browser-specific features - and is, by all accounts, rather dumb.
  Should you want to use it rather than spending 5 minutes to develop
  your own, much better alternative, the source for the program is
  available at:

    http://lcamtuf.coredump.cx/soft/mangleme.tgz

  A "lite" live demo (ohne refresh, and with more fascist limits) is also
  available here:

    http://lcamtuf.coredump.cx/mangleme/mangle.cgi

  The program functions as a CGI script, and is best installed on
  LAN or local box.

2) Methodology and targets

  I ran the program against recent versions of several popular browsers,
  that is Microsoft Internet Explorer, Mozilla / Netscape / Firefox,
  Opera, Lynx, Links (the last two are included primarily because they're
  often deployed in non-interactive mode to render plain text views of
  HTML e-mail messages).

3) Results summary

  All browsers but Microsoft Internet Explorer kept crashing on a regular
  basis due to NULL pointer references, memory corruption, buffer
  overflows, sometimes memory exhaustion; taking several minutes on
  average to encounter a tag they couldn't parse.

4) Sample flaws

  A gallery of quick examples I examined to locate the offending tag
  (total time to find and extract them - circa 1 hour):

  http://lcamtuf.coredump.cx/mangleme/gallery/

  * mozilla_die1.html

    Appears to be a memory corruption / overflow problem; TEXTAREA,
    INPUT, FRAMESET and IMG tags followed by NUL, then a number of
    extra characters, cause the browser to die while accessing
    NULL pointer, loop forever, or die while accessing invalid
    pointer. My guess would be that they calculate tag length using
    strlen-alike function, but then copy till separator or > - but
    this is just a guess.

    The behavior is tag and OS-specific, and is likely exploitable with
    some luck in those of the cases that do not lead to NULL ptr. I didn't
    investigate - Mozilla sources are 220 MB, mostly C++, takes forever to
    compile.

  * mozilla_die2.html

    Bogus pointer access triggered by a unusual combination of visual
    elements.

  * opera_die1.html

    Excessive COL SPAN in TBODY causes Opera to go down in flames,
    attempting to make a reference to uninitialized memory. Probably
    can be exploited in right conditions.

  * links_die1.html

    Table of an excessive size causes links to DoS the machine
    by consuming all memory until calloc fails, then write over what
    it managed to allocate.

  * lynx_die1.html

    Lynx loops forever trying to render broken HTML.

  Rest assured, this is merely a top of an iceberg; there are more
  crashes and other problems than one can asses and evaluate while
  retaining sanity.

5) Vendor notification, exposure, etc.

  I gave some vendors a brief advance notice on some of the first issues
  discovered. I cannot, at this time, provide a full list of individual
  flaws and their ultimate impact. The above set of examples is most
  certainly incomplete.

  Consider this post a notice of a problem, and an invitation to identify
  specific issues; it is by no means comprehensive or definite. Feel
  free to check browsers - Safari comes to mind.

6) Pointless rants

  It appears that the overall quality of code, and more importantly, the
  amount of QA, on various browsers touted as "secure", is not up to par
  with MSIE; the type of a test I performed requires no human interaction
  and involves nearly no effort. Only MSIE appears to be able to
  consistently handle [*] malformed input well, suggesting this is the
  only program that underwent rudimentary security QA testing with a
  similar fuzz utility.

  This is of course not to say MSIE is more secure; it does have a number
  of problems, mostly related to its security architecture and various
  features absent in other browsers. But the quality of core code appears
  to be far better than of its "secure" competitors.

  [*] Over the course of about 2 hours; I cannot rule out it would
  exhibit problems in a longer run.

On a side note: as one could expect, feeding an URL to the aforementioned
CGI script to most online HTML validators, converters, translators and
other tools of this nature results in various amusing if spectacular
problems and crashes.

Side note #2: if your computer finds a problem using this tool and you
sell the finding to iDefense... well, that's cheating ;)

Thanks,
-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-10-18 12:35 --

   http://lcamtuf.coredump.cx/photo/current/