Browser lock-up prevention
Apr. 27, 2006, 07:32 AM
Post: #1
I am having a problem with an exploit which locks up not only IE, but also Firefox. I was trying to write a filter to remove nested objects without end tags, but I cannot get it to work. The sample exploit is at: http://lcamtuf.coredump.cx/iedie2-2.html
This is what I wrote so far:
Code:
[Patterns]
Apr. 28, 2006, 02:59 AM
Post: #2
Siamesecat;
Are your limits set too low?
Oddysey
I'm no longer in the rat race - the rats won't have me!
Apr. 28, 2006, 04:59 AM
Post: #3
Re: Browser lock-up prevention
Siamesecat Wrote:
You didn't allow for anything between some <object> tags, the $SET() $TST() method doesn't do what you want, and ^ is tricky.
Your expression is essentially
(<object>*<object>)+{4,*}
which would match
<object>1<object><object>2<object><object>3<object><object>4<object>
but not
<object>1<object>a<object>2<object>b<object>3<object>c<object>4<object>
You didn't account for a, b, and c.
$SET() $TST(), test
Code:
[Patterns]
Code:
aba
As for ^, test
Code:
[Patterns]
Code:
<OBJECT></OBJECT><OBJECT>
I assume you want to remove code with many opening tags but no closing. Like
Code:
<OBJECT></OBJECT><X>Bork</X>
Try something like
Code:
[Patterns]
HTH
Apr. 28, 2006, 07:41 AM
Post: #4
Oddysey,
Quote:
Are your limits set too low?
I tried increasing the byte limit, but there is no match at all. Because the filter is not using any bounds, once it found at least 4 object tags without any end tags, it should have matched if I had set it up correctly.
Apr. 28, 2006, 08:14 AM
Post: #5
JJoe,
I see what you mean about that code being tricky. I got a variation of your suggestion to work on that exploit page. I'm happy; thanks very much.
Code:
Match = "<object>(*<object>)+{4,*}&(^*</object>)"
Apr. 28, 2006, 04:13 PM
Post: #6
I think ^ trips up many people.
Code:
<OBJECT></OBJECT><OBJECT>
Code:
Match = "<object>\1(^</object>)\2<object>"
Proxomitron then finds </object> *but* there is a wildcard. Proxomitron fills \1 with < and looks again for </object>. /object> isn't </object> so \2 is set to /object> and the expression matches...
More fun
Code:
[Patterns]
Code:
[Patterns]
Code:
[Patterns]
Same test code
Code:
<OBJECT></OBJECT><OBJECT>
Regarding $SET() $TST()
You could use letter variables
Code:
[Patterns]
Test against
Code:
aba
Have fun
Apr. 29, 2006, 07:37 AM
Post: #7
JJoe,
Your suggested filter pointed me in the right direction. This page has 4 links to exploit pages, and I managed to get the filter fixed to prevent all 4 from locking up Firefox (though 3 of them still take longer than usual to load).
http://seclists.org/lists/fulldisclosure.../0613.html
My final result:
Code:
[Patterns]
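
The negation behaviour described in post #6, together with a nesting check in the spirit of the filter in post #5, as an added Python example that is not part of the original thread and is not Proxomitron code. Python's re syntax stands in for the Proxomitron matching language; the function names, the default threshold of 4 and the sample strings are assumptions constructed for illustration.

```python
import re

# Python analogue of Match = "<object>\1(^</object>)\2<object>" from post #6:
# a wildcard, a single negative test, then another wildcard.
NAIVE = re.compile(r"<object>(.*?)(?!</object>)(.*?)<object>", re.I | re.S)

# Tempered wildcard: the negative test is repeated before every character
# consumed, so no </object> can hide between the two opening tags.
TEMPERED = re.compile(r"<object>((?:(?!</object>).)*?)<object>", re.I | re.S)

# Any opening or closing object tag, attributes allowed.
TAG = re.compile(r"<(/?)object\b[^>]*>", re.I)


def max_unclosed_depth(html):
    """Return the largest number of <object> tags open at the same time."""
    depth = deepest = 0
    for m in TAG.finditer(html):
        if m.group(1):                  # closing tag: one level ends
            depth = max(depth - 1, 0)
        else:                           # opening tag: one level deeper
            depth += 1
            deepest = max(deepest, depth)
    return deepest


def looks_like_nested_object_flood(html, threshold=4):
    """Flag markup whose unclosed <object> nesting reaches the threshold."""
    return max_unclosed_depth(html) >= threshold


# Constructed sample inputs (not copied from the linked exploit pages).
TEST_CODE = "<OBJECT></OBJECT><OBJECT>"     # test string used in the thread
BENIGN = "<object data='a.swf'></object><p>x</p><object></object>"
UNCLOSED = "<object>1<object>a<object>2<object>b<object>"

if __name__ == "__main__":
    # The naive pattern matches: group 1 takes "<", so the negative test
    # is evaluated against "/OBJECT>", which is not a closing tag.
    print("naive groups:", NAIVE.search(TEST_CODE).groups())
    print("tempered match:", TEMPERED.search(TEST_CODE))
    for name, doc in (("benign", BENIGN), ("unclosed", UNCLOSED)):
        print(name, max_unclosed_depth(doc), looks_like_nested_object_flood(doc))
```

Counting depth while scanning tags avoids the wildcard-plus-negation trap entirely and runs in one pass over the markup, which matters when the input is built to be slow to process.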