<<< Date Index >>>     <<< Thread Index >>>

Re: Microsoft Windows image rendering DoS vuln



I just tested it out on Windows XP sp2, firefox 1.0.3 and IE6

No crash...

-Randy

On Thu, 21 Apr 2005, patrick wrote:

Ok everyone, someone sent me a copy of the site which was the link that
was originally sent with the vulnerability. Looking closer, it seems
that it may not be that the extremely large height and width properties
of the image in a site is what is causing the crash. However, I have not
had time to test it out, I will in a little bit, I need to finish a few
things.

Here is the full page source (it's in the attachment). This is what I
was talking about though. Notice this in the page source:

<code>
<!--
// Cache-busting LUBID bug.
var ran = Math.round(Math.random() * 899999) + 100000;
var lubid_string = "<img
src=\"http://hb.lycos.com/header?VID=6105&LHIG=1&ord="; + ran + "\"
height=\"1\" width=\"1\">";
document.write(lubid_string);
//-->
</script>
</code>

The site also has this:

<code>

<img src="http://home.comcast.net/~squaresoft0/internet.jpg"; height="9999999" 
width=
"9999999"><br /><img src="http://home.comcast.net/~squaresoft0/internet.jpg"; 
height="
9999999" width="9999999">

</code>

Now, I will try setting up a site with just that code, and then a site
with both, and see what happens.

I only briefly looked at the page source, so there may be more. Tell me
what you guys find.

Jesse Morgan wrote:

Yes, it was SP2. My values were at 50000000 or something similar. I also
created a 50000x50000 gif and tried that, still no luck.
Unfortunately I didn't get my hands on the code.
Also a friend's system rebooted after a bsod (he has an ATI video card
and I have on-board video on a laptop)

patrick wrote:

Hmm, don't think so, though, you said it crashed your computer... was it
XP SP2? It sounds like it later in your email but I'm not sure... it's
quite interesting. Possibly his site had a different code than the one
you and I set up? He didn't go into much detail about the code except
that the "height" and "width" properties should be an enourmous amount.
Did you by any chance get the page source or no?

Jesse Morgan wrote:


His site was up when I got the email and it did crash my computer.
Livejorunal locked his account a few hours later.
I too tried creating the exploit myself a few days later (windows xp
sp2) and it failed to work. Maybe Microsoft somehow got a patch
installed without us knowing?

patrick wrote:


Andrew wrote:


              Alpha-Pi-Omicron Pi-Alpha-Nu-Tau-Omicron-C?
 Kappa-Alpha-Kappa-Omicron-Delta-Alpha-Iota-Mu-Omicron-Nu-Omicron-C?
__    ___  __ _____         _       _
___                       _ _
/ /   /___\/ // _  /   /\  /(_) __ _| |__     / __\___  _   _ _ __
___(_) |
/ /   //  // / \// /   / /_/ / |/ _` | '_ \   / /  / _ \| | | | '_ \ /
__| | |
/ /___/ \_// /___/ //\ / __  /| | (_| | | | | / /__| (_) | |_| | | | |
(__| | |
\____/\___/\____/____/ \/ /_/ |_|\__, |_| |_| \____/\___/ \__,_|_|
|_|\___|_|_|

|___/
Overview

There exists a vulnerabilility in the way Microsoft Windows handles
the rendering
of images. By resizing an image with html properties to an extremely
large size an
attacker may perform a very quick and effective denial of service
attack upon a
victim.


I. Description and PoC

Only clients running Internet Explorer, Firefox, or Avant in Windows
2k or XP have
been confirmed to be vulnerable. Opera does it's own image rendering
and is not
ulnerable to this method of attack. The status of Longhorn is not
known. Other
operating systems, including Mac OS X and Linux are not vulnerable.

You may point your browser to this URL to see a live demonstration of
this attack:

http://www.livejournal.com/users/deeplolz

This may cause an instant reboot or bluescreen detailing a problem
with your video
drivers. Other possibilities include an extended period of poor
performance until
next reboot, a short to medium period of nonfunctionality or a crash
of the
browser.


II. Impact

Because this attack can be performed anywhere an img src is allowed,
there are
many forums including blogs, messageboards, and others which are
vulnerable. It
is hopeful that Microsoft will release a patch for this attack as

soon as

possible.


III. Solution

Until a patch is released you are advised to use the Opera web
browser. It might
also be possible to write a script for the Firefox "GreaseMonkey"
extension which
performs a workaround for this attack. Such as setting height and
width of images
to 5000 pixels if they are currently set to render at over 5000.


Very special shouts: Girlvinyl, Hepkitten, Confkids, and Frienditto
(Come back!!!
We need you badly, FD!)

Shouts:
LJD, LJ-Zeera, Encyclopedia Dramatica, Lulz News Network, Project
Mayhem, Amalea,
Wednesday Night Karate Explosion, The Gundanium Alloys Manufacturers
Association,
Richmond Flash Mob Society, RVA_BS, RVA_FYAD, Brad Fitzpatrick, Mena
Trott, SALJ,
The International Department of Internet Security, #telconinjas,
undernet #drugs,
The Kadaitcha Dancers, psychotic vegans, Warren Ellis, and pro-ana
preteen girls.

Hmm, a few things.

1) That site is down. Has been down ever since I got this email.
2) I created a site with this HTML code:

/././././././././././././

<html>
<body>
<p>If you are using IE, YOU SUCK! Just kidding.<br>
If you're in Window$ though, this should crash your puter<br>
or give you a BSOD. HAVE FUN BUDDY! MUA HA HA!</p>

<img src="http://thepcelement.com/hardware/neowinscreenie.jpg";
height="9999999999999999999999999999999999999999999999999991"
width="999999999999999999999999999999999999999999999999999999999999999991">

</body>
</html>

/./././././././././././

Yet no crash, this was on my Dad's PC running Window$ XP, no SP2,
Firefox and Internet Exploder, the image was all white, no slowdown or
anything.

Can you tell me what I'm doing wrong and give me the source to that
page
you had up as a live demonstration? I'm interested to see more about
this vulnerability.

Thanks for posting, have a nice day,