Chrome Browser vulnerable to Billion Laugh DoS Attack
Reported by
sandeep....@gmail.com,
Apr 12 2016
|
||||||||||
Issue descriptionUserAgent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/49.0.2623.112 Safari/537.36 Steps to reproduce the problem: 1. Open attached test.xml in chrome on Winodws OS 2. Monitor memory(Private Working Set) & CPU usage in task manager Not: Test.xml can be hosted on a website as well and then accessed in chrome using the address bar What is the expected behavior? Input XML should be validated and chrome should behave normally when such input is provided to it What went wrong? Continuous increase in memory(Private Working Set) being consumed by Chrome along with high CPU usage Eventually this would eat up all the system memory resulting in DoS Did this work before? N/A Chrome version: 49.0.2623.112 Channel: stable OS Version: 6.1 (Windows 7, Windows Server 2008 R2) Flash Version: Shockwave Flash 21.0 r0 More about vulnerability: http://blog.ioactive.com/2014/11/die-laughing-from-billion-laughs.html https://en.wikipedia.org/wiki/Billion_laughs This could be avoided using DtdProcessing.Prohibit; More Details could be read here: https://msdn.microsoft.com/en-us/magazine/ee335713.aspx
,
Apr 12 2016
Mozilla Firefox handles this well with below message: XML Parsing Error: recursive entity reference
,
Apr 12 2016
Internet Explorer behaves stably without causing increase in memory usage. Addition Details on Chrome: After some time with the billion laugh xml open, chrome becomes unresponsive with propmt to kill the tab
,
Apr 12 2016
Thanks for your report. We track browser DoS as a functional bug, rather than a security issue per-se. Removing restrictions.
,
Apr 13 2016
==================================== Good Build: 47.0.2505.0 Base Position: 347815 Bad Build: 47.0.2506.0 Base Position: 348053 ===================================== Able to repro this issue on Windows 7, MAC (10.11.4) & Ubuntu Trusty (14.04) for the Google Chrome Stable Version - 49.0.2623.112 This is a regression issue broken in M47, below mentioned is the bisect info: CHANGELOG URL: https://chromium.googlesource.com/chromium/src/+log/3903f745bb79ac3045688557be9d51b142b29a25..0c2036dbfa8177857e0df81de7a4bb34023300b5 https://chromium.googlesource.com/chromium/blink/+log/62591a8..a939e61 https://chromium.googlesource.com/chromium/blink/+/a939e6184a192e91b0088052269554c8866dacad Suspecting Commit: a939e6184a192e91b0088052269554c8866dacad Review URL: https://codereview.chromium.org/1316673007 @scottmg: Could you please look into the issue, and if it has nothing to do with your changes and if possible please do assign it to the concerned owner. Thank you.
,
Apr 13 2016
I'm not sure if there's anything do to here. I gather this is just `while(1) x+='a';` (?) which I'm sure there are many ways to do in xml/xslt.
,
Apr 14 2016
Thank you for filing this well-written bug report. We actually get billion laughs reported from time to time; our fuzzer ClusterFuzz discovers it occasionally too. So from that point of view it would be nice to fix. On the other hand, billion laughs is annoying at most. It basically exhausts memory (slowly) and there are lots of ways to do that in the web platform. Details: This is not recursive in the sense that any of these entities refer to themselves. The're just entities that expand to exponentially large content. libxml detects recursive entities, which you can see with this URL: data:text/xml,<?xml version="1.0"?><!DOCTYPE echo [<!ENTITY hi "hello &hi;">]><greeting>&hi;</greeting> We can't use DtdProcessing.Prohibit to mitigate this, because Chrome uses libxml for parsing XML and DtdProcessing.Prohibit is a .NET XML parser thing. I think libxml has some heuristics for preventing billion laughs, if you search the codebase for XML_PARSER_LOT_ENTITY and XML_PARSER_NON_LINEAR. I have not studied in detail why they are not effective here.
,
Apr 18 2016
Thanks for acknowledging the DoS issue. Would you be allotting a CVE-ID for this defect? Considering that similar DOS attacks already have CVE-Ids: https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-1821 The CVSS for this issue based on my understanding is defined below: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L/E:P/RC:R
,
Apr 18 2016
I doubt that--this doesn't really deny service. I will label this as a security bug; someone on the security team can comment definitively.
,
Apr 19 2016
Attached is the Video the flow along with showing crash and continuous memory rise in chrome.exe.
,
Jun 6 2016
Issue 616444 has been merged into this issue.
,
Jul 12 2016
616444 is not visible to me
,
Jul 15 2016
It's the same bug--use entities to make an XML file that takes exponential resources to process. |
||||||||||
►
Sign in to add a comment |
||||||||||
Comment 1 by sandeep....@gmail.com
, Apr 12 2016853 bytes
853 bytes View Download