[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Y M snort at ...3751...
Fri Sep 6 12:53:24 EDT 2013


Can you provide more information on the DOS? What tool is generating this? And against what? Any reference or pcap?

The text is in Arabic, though its contains some malformed Arabic characters. The top level characters are used to control pronunciation of words. Again, some of them are malformed. And some of them are wrongly used; if I am reading it write (see below).

I am not sure if it is a coincidence, but the word
سمَّوُ
Means highness; but the top level character in the middle is mistakenly used in the context of the word. The other word:
امارتي
Means Emirati; translated as an Emirate citizen. Although the word spelled wrong based on the official written Arabic language - I have seen people writing it this way.

Some other letters are valid but their construction as a word does not mean anything such و، ح، خ

The rest are symbols not used/related to Arabic.

Hope this helps. May be if there is more information I can help better.

Thanks.

________________________________
From: L0rd Ch0de1m0rt<mailto:l0rdch0de1m0rt at ...2420...>
Sent: ‎9/‎6/‎2013 7:34 PM
To: snort-sigs at lists.sourceforge.net<mailto:snort-sigs at ...3414...t>
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Hello.  Whoops, I accidentily sent the last email early (still getting used
to the new GMAIL interface and hit the wrong key-board combination for my
new key-board layout).  Anyway, here is the string:

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ


Does anyone know why this happens and what other combination or sub-strings
can be used to exploit this? I ask so that we can make a SNORT rule for
it.  From my reading this is DoS and no RCE or BO that is known of.

Thanks.

Lord C.


On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...>wrote:

> Hello.  I saw something recently that showed that this Arabic string can
> DoS Webkit programs:
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130906/89cd8f69/attachment.html>
-------------- next part --------------
------------------------------------------------------------------------------
Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
Discover the easy way to master current and previous Microsoft technologies
and advance your career. Get an incredible 1,500+ hours of step-by-step
tutorial videos with LearnDevNow. Subscribe today and save!
http://pubads.g.doubleclick.net/gampad/clk?id=58041391&iu=/4140/ostg.clktrk
-------------- next part --------------
_______________________________________________
Snort-sigs mailing list
Snort-sigs at lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/snort-sigs
http://www.snort.org


Please visit http://blog.snort.org for the latest news about Snort!


More information about the Snort-sigs mailing list