Closed
Bug 1464623
Opened 6 years ago
Closed 6 years ago
Plaintext based DoS via Khmer characters
Categories: Core :: Graphics: Text (defect, P3)
Tracking: RESOLVED INVALID
People
(Reporter: masatokinugawa, Unassigned)
References
(Blocks 1 open bug)
Details
(Keywords: csectype-dos, hang, testcase, Whiteboard: [sg:dos][gfx-noted])
Attachments (1 file, 1 obsolete file): text/html (deleted)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0
Build ID: 20180526100113
Steps to reproduce:
1. Navigate to https://l0.cm/chromefx_khmer_dos.html or open the attached .html file
This page writes 256 U+17B7's from the following code:
<script>document.write("\u17B7".repeat(256))</script>
2. The page will freeze.
This bug affects all applications which treat user-generated text (e.g. chat applications, email applications, etc.). An attacker can disable a victim's application permanently just by sending crafted Khmer characters. I think that such a plaintext-based DoS is worse than a normal DoS. Thus, I reported it as a security bug.
Apparently Chrome has the same issue. I reported here: https://bugs.chromium.org/p/chromium/issues/detail?id=847034
I confirmed the following characters also cause DoS:
U+17B7 - U+17C5
U+17C8
U+17CB
U+17CD - U+17D1
U+17D3
U+17DD
Actual results:
The page is not rendered properly.
Expected results:
The page should be rendered properly.
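A defensive check that follows from the report, added here as an example and not part of the bug report, Firefox or harfbuzz: a service that stores or relays user-generated text can flag or cap unusually long runs of the Khmer marks listed above before they reach a vulnerable text shaper. The code point set is the one the reporter confirmed; the run limit of 8 is an assumed threshold chosen for illustration, not a value from the page.

```javascript
// Added example (not from the bug report, Firefox or harfbuzz): flag and cap
// long runs of the Khmer marks the report lists before user text is stored.
// Code point set: from the report. Run limit: an assumed illustrative value.

const KHMER_MARK_RANGES = [
  [0x17b7, 0x17c5], [0x17c8, 0x17c8], [0x17cb, 0x17cb],
  [0x17cd, 0x17d1], [0x17d3, 0x17d3], [0x17dd, 0x17dd],
];

function isListedKhmerMark(cp) {
  return KHMER_MARK_RANGES.some(([lo, hi]) => cp >= lo && cp <= hi);
}

// Return every run of listed marks longer than `limit` as { index, length },
// both measured in code points (Array.from splits by code point, not UTF-16).
function findKhmerMarkRuns(text, limit = 8) {
  const cps = Array.from(text);
  const runs = [];
  let start = -1;
  for (let i = 0; i <= cps.length; i++) {
    const inRun = i < cps.length && isListedKhmerMark(cps[i].codePointAt(0));
    if (inRun && start < 0) start = i;
    if (!inRun && start >= 0) {
      if (i - start > limit) runs.push({ index: start, length: i - start });
      start = -1;
    }
  }
  return runs;
}

// Copy `text`, keeping at most `limit` consecutive listed marks. Real Khmer
// words attach only a few marks to each base letter, so they pass unchanged.
function capKhmerMarkRuns(text, limit = 8) {
  const out = [];
  let run = 0;
  for (const ch of text) {
    if (isListedKhmerMark(ch.codePointAt(0))) {
      if (++run > limit) continue;
    } else {
      run = 0;
    }
    out.push(ch);
  }
  return out.join("");
}

// Constructed sample mirroring the report's testcase (256 × U+17B7).
const CRAFTED = "\u17B7".repeat(256);
```

Flagging (rather than silently capping) is the safer default for a moderation pipeline, since a legitimate message is unlikely to contain more than a few consecutive marks and a reviewer can confirm the finding.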
Updated • 6 years ago
Group: firefox-core-security → gfx-core-security
Component: Untriaged → Graphics: Text
Product: Firefox → Core
Comment 1 • 6 years ago (Reporter)
The attached .html file was wrong. I uploaded the correct file.
Attachment #8980919 -
Attachment is obsolete: true
Comment 2 • 6 years ago
On what OS/Version? Your user agent says Win10 and I couldn't really reproduce, at least not "worse than normal DOS". The page hangs, but the UI stays responsive and the CPU usage was minimal (with e10s of course). Maybe depends on the Windows locale, or installed fonts?
On Mac there was no problem at all: string rendered fine.
Flags: needinfo?(masatokinugawa)
Comment 3 • 6 years ago (Reporter)
> On what OS/Version?
I forgot to write this. I tested on:
fully patched Win10
Android 8.1.0
I also couldn't reproduce it on Mac.
> The page hangs, but the UI stays responsive and the CPU usage was minimal
You've already reproduced the problem. In this DoS, Firefox does not crash. It's a hang only.
> at least not "worse than normal DOS"
The point is that this bug can be abused by using only "text". JS/HTML/CSS is not needed.
We can abuse this bug just by putting the text here (Bugzilla), like this:
[U+17B7][U+17B7]...(256 times)
If someone does so, you can no longer open this page with Firefox on Windows/Android.
Flags: needinfo?(masatokinugawa)
Updated • 6 years ago
Comment 4 • 6 years ago
Jonathan,
This is happening because in the Khmer shaper we enabled unlimited matras in the grammar... I'm investigating.
Comment 5 • 6 years ago
Actually, the safeguard was already in the Indic shaper. We inadvertently removed it when we forked the Khmer shaper.
Comment 6 • 6 years ago
Fixed:
https://github.com/harfbuzz/harfbuzz/commit/7b8dfac560abe89d48cfc2f6efb4a61820bd28bf
I'm currently in Iran. Will make release next week.
Comment 7 • 6 years ago
The fix would have been pulled in by one of the recent harfbuzz updates we landed.
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Priority: -- → P3
Resolution: --- → INVALID
Whiteboard: [sg:dos] → [sg:dos][gfx-noted]