browser-bug.txt

2000-03-26T00:00:00
ID PACKETSTORM:16962
Type packetstorm
Reporter SET-FW
Modified 2000-03-26T00:00:00

Description

                                        
                                            `  
SET <set-fw@bigfoot.com>  
March 2000 http://www.set-ezine.org  
  
  
---[ CONTENTS ]---  
  
- 01 - Introduction  
- 02 - Oddities  
- 03 - Conclusions  
  
  
Introduction  
=-=-=-=-=-=-  
  
  
Browsers under Linux will hang when trying to access certain devices, this  
bug may be considered similar to the \con\con bug except that the   
technological superiority of Linux will prevent a system crash.  
Examples have been tested under different versions of Lynx and Netscape,  
sometimes the behaviour of the browser differ.  
The bug was originally reported by Fuska in a message posted in the  
SET forum.  
Original message URL:  
http://www.coolboard.com/msgshow.cfm/msgboard=377408526880083&msg=571161262892011&page=1&idDispSub=63896961854800  
  
  
Some of the devices that will make a browser hang are  
/dev/tty*  
/dev/cua*  
/dev/std*  
/dev/egp  
/dev/ggp  
/dev/inet/*  
/dev/initctl  
  
You could embed this bug in a test page in the form:  
<a href="file:/dev/tty1"> Surprise </A>  
  
As you might imagine there are some secondary effects like losing the  
control of your keyboard for some seconds, etc and of course (needless  
to say) you can't open a file you haven't permissions for.  
  
If you don't want to wait for someone to follow a link you can make  
the process quicker by using this mini-page or some variation.  
  
<html>  
<body onload=window.open('file:/dev/stderr')>  
</body>  
</html>  
  
Hangs Netscape (with javascript enabled)   
  
  
We have put a small test page on-line:  
http://www.set-ezine.org/browser-test.html  
  
  
Oddities  
=-=-=-=-  
  
Trying to open /dev/mouse will have the effect of freezing the mouse,  
you won't be returned control until the page load is halted.  
With /dev/ftape you will have some minutes of fun seeing your fd drive  
going crazy but perhaps you should buy a new one after the show is over  
(this hasn't been thoroughly tested), note that this can be induced  
remotely with a simple link or auto-magically.  
  
There are plenty of devices that will act 'funny' when called this way,  
after playing for some time you should check how many modules you have  
loaded, it's possible that a remote site could make a html page to   
load some kernel modules in your machine, trying to guess if you are  
hosting any popular trojan module or with a more dangerous idea.  
An example could be using /dev/audio or /dev/ptmx as the target file.  
Watching syslog output you'll see that some modules "refuse" to die  
and keep scanning for devices.  
  
  
  
Conclusions  
=-=-=-=-=-=  
  
This text is not intended to cause 'alarm', although sometimes the effects  
of accesing devices can be annoying most of the time they can be limited  
by a mid-experienced user anyway the ability of crashing a browser or  
loading modules remotely without your consent isn't clearly what you   
would want.  
Finally we want to remind that Fuska was the person who give us the  
first notice about this bug.  
  
  
Feel free to copy and distribute.  
  
SET (c) 2000 . http://www.set-ezine.org  
  
  
`