CSIS Security Advisory [CSIS2004-5):

Rendering binary file as HTML makes Mozilla Firefox stop responding or crash

Date Published: 10.25.2004

Summary
Mozilla Firefox, Web-browser built for 2004, advanced e-mail and newsgroup
client, IRC chat client, and HTML editing made simple. The Mozilla Firefox
shippes with several bugs, making it possible to crash the browser, eat up
virtual memory, simply by hosting a binary renamed as html, on a remote
website.

Vulnerability Class
The browser should remain responsive while displaying large files. Instead
it crashes and hangs and feeds on virtual memory which could cause the
operating system to become unstable.

Details
Internet Explorer, and other browsers, verifies the content of filetypes
before opening in the browser. Based on the content of the file, it decides
what application should be used to open/view the content of the file. This
is, by design, not the case with Mozilla based browsers. A malicious website
can host a large chunck of data, spoofed as a html file that Mozilla will
display within the browser window. Thereby effectively causing a crash on
systems visiting the website.

You can choose any file from your harddisk larger than 5MB, rename it as a
html file, upload it to a remote website, or simply open it directly from
your local harddrive. The result is the same: Mozilla will stop responding,
showing a lot of binary garbage (clearly understandable), before the user is
forced to either end the application or reboot the system.

In several test scenarios the system force feed all virtual memory causing
the system to become unstable. However, this all depends on the size of the
file viewed by the browser. To avoid the user from being suspicious while
the file loads and garbage is showed in the browser window you can format
the website in such a way, that binary code won't show. This way the browser
will show a blank page until it crashes and the system becomes unstable.
When viewed, the browser will load the binary without the users knowledge.
The fact that this bug can be trigged by sending the same file with 1024
ASCII characters pre-pended makes exploitation trivial.

Impact
Low-Medium: This is a remote DoS in Mozilla Firefox. There are several other
ways to crash the browser.

This behavior was confirmed with Mozilla/5.0 (Windows; U; Windows NT 5.1;
rv:1.7.3) Gecko/20040913 Firefox/0.10, but my guess is that all versions of
Mozilla introduce the problem.

Solution
Awaiting fix

Affected Products
Mozilla/5.0 Gecko/20040913 Firefox/0.10 and prior

----
Med venlig hilsen // Kind regards

Peter Kruse,
Security- and virusanalyst,
CSIS, Combined Services & Integrated Solutions
https://www.csis.dk

PGP fingerprint
79FD 0648 158E 6B9E 236F  CFDA 7C58 64D6 BE83 FA60