Sunday, July 29, 2007

DoSing Firefox with Error Consoles

Three days ago I found out that there was a way of popping up the Firefox JavaScript Error Console by doing:

<iframe src="javascript:"></iframe>

I was testing what I could do to exploit it (like trying to execute some code in the chrome:// context), but I wasn't able to..

This was one of my failed attacks to steal the chrome context:

throw new function() {
    // Override both string conversions so that whatever formats this
    // exception for display runs our code when it stringifies it.
    this.toString = this.valueOf = function() {
        alert(location);
        return "<script>alert(location);</script>";
    };
};


For the ones that don't know this, throw will "throw" an exception.. :P
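The trick above only does anything if the code that reports the exception converts the thrown object to a string, because that conversion is what calls the attacker's toString/valueOf. The following is an added example (not code from the original post, and it makes no claim about how the Firefox console actually formatted the object) that isolates that behaviour in plain JavaScript: a stand-in for the payload, a naive formatter that concatenates the exception into a message, and a careful one that reports the object's type without calling anything on it. The names makeHostileError, naiveFormat and safeFormat are invented for the illustration, and the log array stands in for the original's alert(location).

```javascript
// Added example, not from the original post: what the "throw" trick relies on.
// Any consumer that coerces a thrown value to a string ends up calling the
// value's own toString/valueOf, i.e. attacker-supplied code, at that moment.

// Stand-in for the author's payload: an object whose string conversion runs code.
// `log` replaces alert(location) so the example runs outside a browser.
function makeHostileError(log) {
  return new function () {
    this.toString = this.valueOf = function () {
      log.push("callback ran");
      return "<script>alert(location);</script>";
    };
  };
}

// Naive "console": builds the message with string concatenation, which
// triggers ToPrimitive on the object and therefore runs its valueOf/toString.
function naiveFormat(log) {
  try {
    throw makeHostileError(log);
  } catch (e) {
    return "Error: " + e;
  }
}

// Careful consumer: describes the value without invoking any method defined
// on it. Object.prototype.toString.call ignores the object's own toString.
function safeFormat(log) {
  try {
    throw makeHostileError(log);
  } catch (e) {
    return "Error: " + Object.prototype.toString.call(e);
  }
}
```

Running naiveFormat yields the injected string and records that the callback ran; safeFormat yields "Error: [object Object]" and the callback never executes. That is the whole difference between a formatter that can be abused by a thrown object and one that cannot.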

Anyway, then while playing with the multiple consoles I had, I realized that if, for example, you click "clear" on one console, all the consoles will clear their error messages.. so maybe the memory allocated at the time of showing errors won't be checked as well..

I made a PoC of a memory exhaustion exploit for Firefox (it's a DoS exploit, you have been warned), which I talked about with Giorgio Maone, and it appears that this is just a Denial of Service attack (which I think depends on the amount of RAM the victim has; for example, RSnake just suffered a temporary freezing of the browser, and after closing the error consoles everything went back to normal). ma1 told me to file it anyway on Bugzilla (which I did today), but I don't know for sure if a memory exhaustion bug will be considered a real bug at Mozilla.. anyway, NoScript users are already invulnerable to this attack (since yesterday, I think).