[2008-07-23] Firefox 2, 3 URL handling memory consumption DoS


Mozilla Firefox 2 and 3 are prone to a remote denial of service attack because they fail to properly handle overly long URLs of the form www.[100000+ x 'a'].com. An example would be <a href="http://www.a.a.a.a.a....[100000+].com/">test</a>, or just pasting that URL into the address bar (yes, Firefox accepts such a thing). Of course, there are several ways a URL of this form could be constructed. Putting only dots instead of '.a' works just fine.

When following such a link, Firefox will start eating up some nice CPU and after that will start consuming large amounts of memory (RAM). Eventually it will run out of memory and crash (not always though; it will just hang at some point). If somehow the memory consumption doesn't occur after the CPU phase and Firefox seems to have recovered, then just trying to browse to some other page or interact with Firefox will start the memory consumption process (large amounts of RAM consumption can lead to system instability).

With a URL 700000+ long, the CPU consumption phase could itself be considered a DoS attack, but since it will end after a few minutes or hours :D depending on the CPU, I will consider that Firefox is conducting some legitimate processing of the URL. But the amounts of memory consumed are too big to be considered legitimate, so there is no doubt that there is some sort of bug (vulnerability) in the code or in the logic of that part of the code. All of this makes Firefox stop responding (hang), thus leading to a denial of service attack. A malicious website can host a page including such a URL, thereby causing a remote denial of service attack on systems visiting the website.

Tested on Firefox and 3.0.1 under Windows XP, Vista, Linux (Backtrack :P).
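A check that a proxy, mail gateway or content pipeline could run to flag links of the shape described above before they reach a browser. This is an added example, not part of the original advisory. The names `host_problem`, `LinkAudit` and `audit_html` are hypothetical, the 253/63 character limits come from RFC 1035 rather than from this page, and the sample markup is constructed and deliberately much shorter than the URLs the advisory describes:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_HOST_LEN = 253   # RFC 1035: full domain name in text form
MAX_LABEL_LEN = 63   # RFC 1035: one dot-separated label

def host_problem(url):
    """Return why the URL's host cannot be a valid DNS name, or None if it can."""
    try:
        host = urlsplit(url).hostname
    except ValueError:
        return "unparseable URL"
    if not host:
        return None                      # relative link or no network host
    host = host[:-1] if host.endswith(".") else host   # one root dot is legal
    if len(host) > MAX_HOST_LEN:
        return f"host name is {len(host)} characters (limit {MAX_HOST_LEN})"
    for label in host.split("."):
        if not label:
            return "empty label in host name"
        if len(label) > MAX_LABEL_LEN:
            return f"label is {len(label)} characters (limit {MAX_LABEL_LEN})"
    return None

class LinkAudit(HTMLParser):
    """Collect (tag, line, reason) for every href/src whose host fails the check."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                reason = host_problem(value)
                if reason:
                    # Record the reason, not the URL: the URL may be huge.
                    self.findings.append((tag, self.getpos()[0], reason))

def audit_html(html):
    parser = LinkAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: short stand-ins for the two URL shapes described above.
SAMPLE = (
    '<a href="http://www.example.com/">ok</a>\n'
    '<a href="http://www' + ".a" * 200 + '.com/">test</a>\n'
    '<a href="http://www' + "." * 40 + 'com/">test</a>\n'
)
```

Calling `audit_html(SAMPLE)` reports the second and third links and leaves the first alone; no resolvable host name can exceed these limits, so rejecting such links costs nothing for legitimate pages.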

POC/Exploit code

The following proof-of-concept HTML page has been provided: firefox.html
