Month of Browser Bugs
Over the last few months, I have taken an interest in web browser security flaws. This interest has resulted in my collaboration on a few fuzzing tools (Hamachi, CSS-Die, DOM-Hanoi), a blog post, and a SecurityFocus article. The vendors have been notified and the time has come to start publishing the results. I will publish one new vulnerability each day during the month of July as part of the Month of Browser Bugs project. This information is being published to create awareness about the types of bugs that plague modern browsers and to demonstrate the techniques I used to discover them. Enjoy!
24 Comments:
Why not release one bug on the second Tuesday of each month? Then the bugs would last at least two and a half years. ;)
Looking forward to an interesting month.
We could probably release one a day for the next two and a half years without running out of bugs :-)
Are they restricted to just the two main browsers (IE and FF) or do they run the whole spectrum of browsers (Konqueror, Opera, etc.)?
-JP
We are starting off with Internet Explorer bugs, but we have a handful of Firefox, Safari, Konqueror, and Opera bugs as well.
It would be better if you publish a metasploit plugin with each exploitable vulnerability :-)
Safari bugs? Even one of my production websites crashes Safari.
Head on over to http://mapwow.com and click on "Show Herbs" and then select an herb. Boom!
Not on this Safari (2.0.4, build 419.3, on OS X 10.4.7). But that said, Safari has a number of bugs or inconsistencies...
... not that that should surprise anyone, Browsers having grown into terribly complex beasts.
d.
hdm, did you file those bugs to Firefox (bugzilla)?
Which bugs are they?
I wonder if one could build an auto-blog function into browser fuzzing tools.
That would be evil. He he.
Interesting blog.. :)
hdm, do the bugs that you published allow executing arbitrary code?
HD, I'm curious what you mean when you say vendors have been notified. Do you mean you told them that you'd be doing this, or gave them copies of the sploits?
I'm curious which vendors out of your list are so irresponsible that dropping 0day on them will encourage them to behave better.
In most cases, vulnerability details were provided to the vendor prior to being included in the blog. If the bug doesn't lead to code execution, I consider it fair game regardless of whether the vendor has been notified. I don't expect this blog to encourage vendors to be more responsible, but I do hope it will educate users about the types of problems affecting modern browsers.
I know you're leet, but are you leet enough that you never make mistakes about code execution?
Haha :-) I would LOVE to be mistaken about code execution with these bugs. One of the great things about full disclosure is the input you receive from the community. Just because I gave up on a bug doesn't mean someone else won't find a way to turn it into an exploit. For every bug that has been posted to the MoBB blog so far, at least two others have been disclosed in the comments or in private email.
HD, since most of the IE bugs shown so far are activeX related, it would be interesting to know if a bug has been discovered that allows activeX controls to run in IE without prompting the user.
It really depends on your browser and configuration. All of the ActiveX examples I have posted have not required interaction on the part of the user to exploit [... on my browser, which is default settings of IE 6 on XP SP2].
Had an interesting thing happen yesterday. I opened a VOIP voice mail wave file, and closed it immediately after opening it. It crashed my entire system and I had to perform a hard boot to recover. I have tried to duplicate it 50 times since without any success. As you are looking for bugs, that seems to be a fairly bad one.
How can I learn to write Metasploit exploits?
do you know that I found a link to this page on us-cert.gov. You are being watched by the man!!
Drew, the reason your "production" website crashes Safari is likely your sloppy coding. There are a lot of errors on the page due to non-compliant page code; check it against W3C standards using http://validator.w3.org and you'll see.
Failed validation, 134 errors
for the main page. Ouch. No offense, but I suggest you try some HTML Tidy.
Then, after you fix the code, I bet you won't crash any more browsers, well, unless you use some intentional sploit code. =p
Peace.... ;-)
Question, hdm...
Are these exploits being found by code examination via interactive disassembly of the various browsers, locating "problem child" areas :^), or are we talking about client-side Java/Javascript/ActiveX/php holes that allow someone to eventually get administrative/root-level access?
National Enquirering minds would like to know! :^)
Most of these bugs were found using fuzzer tools. Look for one bug, figure out how to find the same bug across all components that do the same thing...
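The "find one bug, then drive every component that does the same thing with the same input" approach described in the reply above, as an added example written for this page (it is not Hamachi, CSS-Die, DOM-Hanoi or any other tool the post mentions). The element list, property list and hostile values are constructed for the demo and are assumptions, not a record of what triggered any particular MoBB bug. The generator builds one standalone HTML page per mutation and records the case id in the page title before mutating, so when the browser dies the last recorded title identifies the case to replay.

```javascript
// Added example: a pattern-driven DOM fuzz-case generator. Illustrative code,
// not any of the fuzzers named in the post. All lists below are constructed.

// "Components that do the same thing": every element here gets the same
// property assignments with the same hostile values (assumed lists).
const ELEMENTS = ["div", "span", "table", "img", "input", "object"];
const PROPERTIES = ["innerHTML", "title", "style.width", "style.fontSize"];

// Boundary values of the kind that trip parsers and length handling:
// integer-limit numbers, oversized CSS lengths, long strings, nested markup.
function hostileValues() {
  return [
    "0",
    "-1",
    "2147483648",          // one past INT32_MAX
    "4294967295",          // UINT32_MAX
    "9999999999px",        // oversized CSS length
    "A".repeat(0x10000),   // 64 KiB string
    "%n%n%n%n",            // format-string style
    "<b>".repeat(512),     // deeply nested, unclosed markup
    "",
    null,
  ];
}

// Cartesian product of elements x properties x values, numbered so a crash
// can be reported and reproduced by case id.
function buildCases() {
  const cases = [];
  let id = 0;
  for (const element of ELEMENTS) {
    for (const property of PROPERTIES) {
      for (const value of hostileValues()) {
        cases.push({ id: id++, element, property, value });
      }
    }
  }
  return cases;
}

// Render a value as a JavaScript literal safe to embed in the generated page.
function literal(value) {
  return value === null ? "null" : JSON.stringify(value);
}

// Build a standalone page that performs exactly one mutation. The title is
// set before the mutation so a crash leaves a record of which case ran.
function renderCase(c) {
  const [head, tail] = c.property.split(".");
  const assign = tail
    ? `el.${head}.${tail} = ${literal(c.value)};`
    : `el.${head} = ${literal(c.value)};`;
  return [
    `<html><head><title>case ${c.id}</title></head><body>`,
    "<script>",
    `document.title = "fuzz case ${c.id}: ${c.element}.${c.property}";`,
    `var el = document.createElement(${JSON.stringify(c.element)});`,
    "document.body.appendChild(el);",
    `try { ${assign} } catch (e) { document.title += " (exception)"; }`,
    "</script></body></html>",
  ].join("\n");
}

// All pages for the run; a driver would write each to disk and open them one
// at a time in the browser under test.
function renderAll() {
  return buildCases().map(renderCase);
}
```

Writing one mutation per page is deliberate: a crash in a page that performs hundreds of mutations tells you only that something in the batch is bad, while a single-mutation page plus the recorded case id gives a minimal reproducer to hand to the vendor.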
Yeah, it will be very interesting to me to learn more about Safari bugs. And Opera too.