Denial of Service using Partial GET Request in Mozilla Firefox 3.06

2009.02.13
Credit: Xia Shing Zee
Risk: Medium
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

============================================================ !vuln Mozilla Firefox 3.06 Previous versions may also be affected. ============================================================ ============================================================ !risk Medium There are currently many users using Mozilla Firefox. However, there has been no confirmation of remote execution of arbitrary code yet. ============================================================ ============================================================ !info Tested on: Windows Vista Version Service Pack 1 Build 6001 Processor Intel(R) Core(TM)2 Duo CPU T8300 @ 2.40GHz, 2401 Mhz, 2 Core(s), 2 Logical Processor(s) User Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.0.6) Gecko/2009011913 Firefox/3.0.6 (.NET CLR 3.5.30729) ============================================================ ============================================================ !discussion The Partial GET Request (HTTP 206 Status Code) of a WAV file results in a Denial of Service of the application. Last HTTP packet from Firefox before the DoS is listed below in RAW format: GET /fpaudio/footprints_waves.wav HTTP/1.1 Accept: */* User-Agent: NSPlayer/11.0.6001.7001 WMFSDK/11.0 UA-CPU: x86 Accept-Encoding: gzip, deflate Range: bytes=34848- Unless-Modified-Since: Mon, 09 Jul 2007 12:44:57 GMT If-Range: "4f0018-440f2-434d403204440" Host: www.footprints-inthe-sand.com Connection: Keep-Alive The OK GET Request (HTTP 200 Status Code) of the WAV file is listed below in RAW format: GET /fpaudio/footprints_waves.wav HTTP/1.1 Accept: */* User-Agent: Windows-Media-Player/10.00.00.3802 UA-CPU: x86 Accept-Encoding: gzip, deflate Connection: Keep-Alive Host: www.footprints-inthe-sand.com ============================================================ ============================================================ !Proof of Concept http://www.footprints-inthe-sand.com/index.php?page= Poem/Poem.php ============================================================ ============================================================ !solution There is currently no solution. The vendor has not yet been notified. ============================================================ ============================================================ !greetz Greetz go out to the people who know me. ============================================================ ============================================================ !author Xia Shing Zee ============================================================

References:

http://seclists.org/bugtraq/2009/Feb/0108.html


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top