[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Fri Sep 6 13:02:06 EDT 2013

Hello. Y M.  Thank you very much for the input.  Sorry for not including
this link:


It isn't a tool causing this, just a mis-handling by Webkit of this
string.  I am not fully understanding why (probably related more to how the
Webkit handles the characters/bytes rather than what they actually

I'm not sure if and how the bytes need to be in a certain order.  For

̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

^^ will that cause an issue?



Or does it have to be the full thing:

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ


Lord C.

On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:

>  Can you provide more information on the DOS? What tool is generating
> this? And against what? Any reference or pcap?
> The text is in Arabic, though its contains some malformed Arabic
> characters. The top level characters are used to control pronunciation of
> words. Again, some of them are malformed. And some of them are wrongly
> used; if I am reading it write (see below).
> I am not sure if it is a coincidence, but the word
> سمَّوُ
>  Means highness; but the top level character in the middle is mistakenly
> used in the context of the word. The other word:
> امارتي
>  Means Emirati; translated as an Emirate citizen. Although the word
> spelled wrong based on the official written Arabic language - I have seen
> people writing it this way.
> Some other letters are valid but their construction as a word does not
> mean anything such و، ح، خ
> The rest are symbols not used/related to Arabic.
> Hope this helps. May be if there is more information I can help better.
> Thanks.
>   ------------------------------
> From: L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>
> Sent: ‎9/‎6/‎2013 7:34 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
> امارتيخ ̷̴̐خ
>    Hello.  Whoops, I accidentily sent the last email early (still getting
> used to the new GMAIL interface and hit the wrong key-board combination for
> my new key-board layout).  Anyway, here is the string:
>  سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>  Does anyone know why this happens and what other combination or
> sub-strings can be used to exploit this? I ask so that we can make a SNORT
> rule for it.  From my reading this is DoS and no RCE or BO that is known of.
>  Thanks.
>  Lord C.
> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3422.....
> > wrote:
> Hello.  I saw something recently that showed that this Arabic string can
> DoS Webkit programs:
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130906/40b241f1/attachment.html>

More information about the Snort-sigs mailing list