Browser lock-up prevention
Apr. 27, 2006, 07:32 AM
Post: #1
I am having a problem with an exploit which locks up not only IE, but also Firefox. I was trying to write a filter to remove nested objects without end tags, but I cannot get it to work. The sample exploit is at: http://lcamtuf.coredump.cx/iedie2-2.html
This is what I wrote so far:
Code:
[Patterns]
Name = "Remove nested Objects without end tags"
Active = TRUE
Limit = 256
Match = "$SET(3=</object>)(<object>*(^$TST(\3))*<object>)+{4,*}"
What did I do wrong?
Apr. 28, 2006, 02:59 AM
Post: #2
Siamesecat;

Are your limits set too low?


Oddysey

I'm no longer in the rat race - the rats won't have me!
Apr. 28, 2006, 04:59 AM
Post: #3
Re: Browser lock-up prevention
Siamesecat Wrote:
Code:
[Patterns]
Name = "Remove nested Objects without end tags"
Active = TRUE
Limit = 256
Match = "$SET(3=</object>)(<object>*(^$TST(\3))*<object>)+{4,*}"
What did I do wrong?
You didn't allow for anything between some <object> tags,
the $SET() $TST() method doesn't do what you want,
and ^ is tricky.

Your expression is essentially (<object>*<object>)+{4,*} which would match
<object>1<object><object>2<object><object>3<object><object>4<object>
but not
<object>1<object>a<object>2<object>b<object>3<object>c<object>4<object>
You didn't account for a,b, and c.

$SET() $TST(), test
Code:
[Patterns]
Name = "Test $SET $TST method"
Active = FALSE
Limit = 256
Match = "$SET(3=a)??$TST(\3)$SET(1=Top matched)"
        "|"
        "(?)\3?$TST(\3)$SET(1=Bottom matched)"
Replace = "\1"
against
Code:
aba

As for ^, test
Code:
[Patterns]
Name = "Tricky ^"
Active = FALSE
Limit = 256
Match = "<object>\1(^</object>)\2<object>"
Replace = "\\1 is \1\r\n"
          "\\2 is \2"
against
Code:
<OBJECT></OBJECT><OBJECT>

I assume you want to remove code with many opening tags but no closing.
Like
Code:
<OBJECT></OBJECT><X>Bork</X>
<STYLE></STYLE>
<OBJECT>
Bork
<STYLE></STYLE>
<OBJECT>
Bork
<STYLE></STYLE>
<OBJECT>
Bork
<STYLE></STYLE>
<OBJECT>
Bork
<STYLE></STYLE>
<OBJECT>
Bork
<STYLE></STYLE>
<OBJECT>
Bork

Try something like
Code:
[Patterns]
Name = "Remove nested Objects without end tags"
Active = FALSE
Limit = 256
Match = "<object>(*<object>)+{4,*}&&(^*</object>)*"

HTH
Apr. 28, 2006, 07:41 AM
Post: #4
Oddysey,
Quote: Are your limits set too low?
I tried increasing the byte limit, but there is no match at all. Because the filter is not using any bounds, once it found at least 4 object tags without any end tags, it should have matched if I had set it up correctly.
Apr. 28, 2006, 08:14 AM
Post: #5
JJoe,
I see what you mean about that code being tricky. I got a variation of your suggestion to work on that exploit page. I'm happy; thanks very much.
Code:
Match = "<object>(*<object>)+{4,*}&(^*</object>)"
Apr. 28, 2006, 04:13 PM
Post: #6
I think ^ trips up many people.

Code:
<OBJECT></OBJECT><OBJECT>
Code:
Match = "<object>\1(^</object>)\2<object>"
Proxomitron matches and consumes <object>
Proxomitron then finds </object> *but* there is a wildcard.
Proxomitron fills \1 with < and looks again for </object>.
/object> isn't </object> so \2 is set to /object>
and the expression matches...

More fun
Code:
[Patterns]
Name = "Tricky ^ part 2"
Active = FALSE
Limit = 256
Match = "<object>\1(^</object>)<object>"
Replace = "\\1 is \1\r\n"

Code:
[Patterns]
Name = "Tricky ^ part 3"
Active = FALSE
Limit = 256
Match = "<object>(^</object>)\2<object>"
Replace = "\\2 is \2"

Code:
[Patterns]
Name = "Tricky ^ part 4"
Active = FALSE
Limit = 256
Match = "<object>\1(^<object>)"
Replace = "\\1 is \1\r\n"

Same test code
Code:
<OBJECT></OBJECT><OBJECT>

Regarding $SET() $TST()
You could use letter variables
Code:
[Patterns]
Name = "Test $SET $TST method II"
Active = FALSE
Limit = 256
Match = "$SET(c=a)??$TST(c)"
But $SET() and $TST() will probably slow things down.
Test against
Code:
aba

Have fun
Apr. 29, 2006, 07:37 AM
Post: #7
JJoe,
Your suggested filter pointed me in the right direction. This page has 4 links to exploit pages, and I managed to get the filter fixed to prevent all 4 from locking up Firefox (though 3 of them still take longer than usual to load).
http://seclists.org/lists/fulldisclosure.../0613.html
My final result:
Code:
[Patterns]
Name = "Remove nested Objects without end tags"
Active = TRUE
Limit = 1200
Match = "<object (*<object )+{3,*}&(^*</object>)"
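As an added illustration (not code from this thread, and not Proxomitron's own matching engine), here is the check that JJoe's suggested filter in post #3 and Siamesecat's final filter in post #7 express, written in Python: find runs of opening <object> tags with no </object> anywhere between them, flag the page once a run reaches a threshold (4 by default, i.e. "at least 4 object tags without any end tags" as the thread puts it, one <object> plus the filter's "+{3,*}" repetitions), and strip the opening tags of such runs while keeping the text between them. The function names, the threshold default and the two sample pages are my own assumptions; unlike the post #7 filter, which keys on "<object " with a trailing space, this version recognises any <object> tag regardless of attributes or case.

```python
import re

# Matches an opening <object ...> or closing </object> tag, case-insensitively,
# so <OBJECT> and <object data="x"> are both recognised.
OBJECT_TAG = re.compile(r"<\s*(?P<close>/?)\s*object\b[^>]*>", re.IGNORECASE)


def unclosed_object_runs(html):
    """Return runs of opening <object> tags that have no </object> between them.

    Each run is a list of (start, end) offsets of its opening tags. Any
    </object> ends the current run, mirroring the filter's "(^*</object>)"
    condition: a span that contains a closing tag never matches.
    """
    runs, current = [], []
    for m in OBJECT_TAG.finditer(html):
        if m.group("close"):
            if current:
                runs.append(current)
            current = []
        else:
            current.append(m.span())
    if current:
        runs.append(current)
    return runs


def max_unclosed_objects(html):
    """Length of the longest run of opening <object> tags without a </object>."""
    return max((len(run) for run in unclosed_object_runs(html)), default=0)


def is_object_nesting_bomb(html, threshold=4):
    """True when some run reaches `threshold` opening tags (assumed default 4,
    i.e. one <object> plus the filter's "+{3,*}" repetitions)."""
    return max_unclosed_objects(html) >= threshold


def neutralize_object_nesting(html, threshold=4):
    """Drop every opening <object> tag that belongs to a run of at least
    `threshold` unclosed tags; text between the tags is kept, and shorter
    runs (normal pages with a stray unclosed tag) are left alone."""
    doomed = [span for run in unclosed_object_runs(html)
              if len(run) >= threshold for span in run]
    pieces, pos = [], 0
    for start, end in doomed:
        pieces.append(html[pos:start])
        pos = end
    pieces.append(html[pos:])
    return "".join(pieces)


# Constructed sample pages (not the exploit pages referenced in the thread).
BENIGN_PAGE = ('<html><body><object data="movie.swf"></object>'
               '<p>text</p><OBJECT></OBJECT></body></html>')
NESTED_PAGE = ('<html><body><OBJECT></OBJECT><X>Bork</X>'
               + '<STYLE></STYLE>\n<OBJECT>\nBork\n' * 6
               + '</body></html>')

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_PAGE), ("nested", NESTED_PAGE)):
        print(name, max_unclosed_objects(page), is_object_nesting_bomb(page))
    print(neutralize_object_nesting(NESTED_PAGE))
```

The run-based count is deliberately simpler than a proper depth counter: like the Proxomitron filter, it treats any </object> as breaking the run, so a page that closes each object before opening the next is never touched, while a page that stacks opening tags with nothing closing them is flagged as soon as the fourth one appears.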