Results 1 to 2 of 2

Thread: Web Browser Code Flaws, (Interesting read)

  1. #1
    AO Ancient: Team Leader
    Join Date
    Oct 2002

    Web Browser Code Flaws, (Interesting read)

    From BugTraq this morning:-

    Good morning,

    I wanted to file a vague report a couple of potentially exploitable vulnerabilities and DoS conditions in popular browsers, announce a useful web browser testing tool, and stir some controversy - all in one short post. Let me know how I doing.

    1) Background - the tool

    In my spare time, I put up a trivial program to generate tiny, razor-sharp
    shards of malformed HTML. The program uses a refresh tag to repeatedly
    feed new data to the client, so testing can be pretty much unattended,
    except for the moments the browser crashes or stalls.

    The tool generates only basic HTML - no stylesheets, no scripts, mostly
    no browser-specific features - and is, by all accounts, rather dumb.
    Should you want to use it rather than spending 5 minutes to develop
    your own, much better alternative, the source for the program is
    available at:


    A "lite" live demo (ohne refresh, and with more fascist limits) is also
    available here:


    The program functions as a CGI script, and is best installed on
    LAN or local box.

    2) Methodology and targets

    I ran the program against recent versions of several popular browsers,
    that is Microsoft Internet Explorer, Mozilla / Netscape / Firefox,
    Opera, Lynx, Links (the last two are included primarily because they're
    often deployed in non-interactive mode to render plain text views of
    HTML e-mail messages).

    3) Results summary

    All browsers but Microsoft Internet Explorer kept crashing on a regular
    basis due to NULL pointer references, memory corruption, buffer
    overflows, sometimes memory exhaustion; taking several minutes on
    average to encounter a tag they couldn't parse.

    4) Sample flaws

    A gallery of quick examples I examined to locate the offending tag
    (total time to find and extract them - circa 1 hour):


    * mozilla_die1.html

    Appears to be a memory corruption / overflow problem; TEXTAREA,
    INPUT, FRAMESET and IMG tags followed by NUL, then a number of
    extra characters, cause the browser to die while accessing
    NULL pointer, loop forever, or die while accessing invalid
    pointer. My guess would be that they calculate tag length using
    strlen-alike function, but then copy till separator or > - but
    this is just a guess.

    The behavior is tag and OS-specific, and is likely exploitable with
    some luck in those of the cases that do not lead to NULL ptr. I didn't
    investigate - Mozilla sources are 220 MB, mostly C++, takes forever to

    * mozilla_die2.html

    Bogus pointer access triggered by a unusual combination of visual

    * opera_die1.html

    Excessive COL SPAN in TBODY causes Opera to go down in flames,
    attempting to make a reference to uninitialized memory. Probably
    can be exploited in right conditions.

    * links_die1.html

    Table of an excessive size causes links to DoS the machine
    by consuming all memory until calloc fails, then write over what
    it managed to allocate.

    * lynx_die1.html

    Lynx loops forever trying to render broken HTML.

    Rest assured, this is merely a top of an iceberg; there are more
    crashes and other problems than one can asses and evaluate while
    retaining sanity.

    5) Vendor notification, exposure, etc.

    I gave some vendors a brief advance notice on some of the first issues
    discovered. I cannot, at this time, provide a full list of individual
    flaws and their ultimate impact. The above set of examples is most
    certainly incomplete.

    Consider this post a notice of a problem, and an invitation to identify
    specific issues; it is by no means comprehensive or definite. Feel
    free to check browsers - Safari comes to mind.

    6) Pointless rants

    It appears that the overall quality of code, and more importantly, the
    amount of QA, on various browsers touted as "secure", is not up to par
    with MSIE; the type of a test I performed requires no human interaction
    and involves nearly no effort. Only MSIE appears to be able to
    consistently handle[*] malformed input well, suggesting this is the
    only program that underwent rudimentary security QA testing with a
    similar fuzz utility.

    This is of course not to say MSIE is more secure; it does have a number
    of problems, mostly related to its security architecture and various
    features absent in other browsers. But the quality of core code appears
    to be far better than of its "secure" competitors.
    [*] Over the course of about 2 hours; I cannot rule out it would
    exhibit problems in a longer run.

    On a side note: as one could expect, feeding an URL to the aforementioned CGI script to most online HTML validators, converters, translators and other tools of this nature results in various amusing if spectacular problems and crashes.

    Side note #2: if your computer finds a problem using this tool and you sell the finding to iDefense... well, that's cheating
    IE does have a redeeming feature......
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  2. #2
    Senior Member
    Join Date
    Nov 2001
    Interesting. It works on FF PR1.0:
    $ /usr/local/firefox/firefox
    /usr/local/firefox/run-mozilla.sh: line 451:  1547 Segmentation fault      "$prog" ${1+"$@"}
    I wonder how many of those pundits that were claiming moving to FF was the best thing since sliced bread are going to reconsider?

    Actually, on second thought, probably none, because in at least firefox's case, they'll get it fixed in a couple of days (maybe sooner) and it will be a non-issue, they'll just tell everyone to upgrade.
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts