[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Fri Sep 6 13:02:06 EDT 2013


Hello. Y M.  Thank you very much for the input.  Sorry for not including
this link:

http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/

It isn't a tool causing this, just a mis-handling by Webkit of this
string.  I am not fully understanding why (probably related more to how the
Webkit handles the characters/bytes rather than what they actually
represent).

I'm not sure if and how the bytes need to be in a certain order.  For
example:

̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

^^ will that cause an issue?

or:

سمَـَّوُوُح

Or does it have to be the full thing:

سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Thanks.

Lord C.


On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:

>  Can you provide more information on the DOS? What tool is generating
> this? And against what? Any reference or pcap?
>
> The text is in Arabic, though it contains some malformed Arabic
> characters. The top level characters are used to control pronunciation of
> words. Again, some of them are malformed. And some of them are wrongly
> used; if I am reading it right (see below).
>
> I am not sure if it is a coincidence, but the word
> سمَّوُ
>  means highness; but the top level character in the middle is mistakenly
> used in the context of the word. The other word:
> امارتي
>  means Emirati; translated as an Emirate citizen. Although the word is
> spelled wrong based on the official written Arabic language - I have seen
> people writing it this way.
>
> Some other letters are valid but their construction as a word does not
> mean anything such as و، ح، خ
>
> The rest are symbols not used/related to Arabic.
>
> Hope this helps. Maybe if there is more information I can help better.
>
> Thanks.
>
>   ------------------------------
> From: L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>
> Sent: ‎9/‎6/‎2013 7:34 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
> امارتيخ ̷̴̐خ
>
>    Hello.  Whoops, I accidentally sent the last email early (still getting
> used to the new GMAIL interface and hit the wrong keyboard combination for
> my new keyboard layout).  Anyway, here is the string:
>
>  سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
>
>  Does anyone know why this happens and what other combination or
> sub-strings can be used to exploit this? I ask so that we can make a SNORT
> rule for it.  From my reading this is DoS and no RCE or BO that is known of.
>
>  Thanks.
>
>  Lord C.
>
>
> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3422.....
> > wrote:
>
> Hello.  I saw something recently that showed that this Arabic string can
> DoS Webkit programs:
>
>
>
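
Toward the Snort rule the thread asks about, an added example (not code from the thread or from Snort): it turns the full string and the two sub-strings quoted in the message into byte-exact Snort `content` patterns for UTF-8 and UTF-16LE and checks constructed payloads against them. The names `CANDIDATES`, `snort_content`, `content_to_bytes` and `scan` are assumptions of this sketch, and the thread does not establish which sub-string triggers the crash.

```python
import re

# Strings copied from the message above: the full string and the two
# sub-strings the author asks about. Which of them actually triggers the
# crash is not established in the thread.
CANDIDATES = {
    "full": "سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ",
    "tail": "̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ",
    "head": "سمَـَّوُوُح",
}
# A byte-exact match only covers the encodings listed here.
ENCODINGS = ("utf-8", "utf-16-le")


def snort_content(text, encoding="utf-8"):
    """Return a Snort content option matching the exact encoded bytes."""
    raw = text.encode(encoding)
    return 'content:"|' + " ".join(f"{b:02X}" for b in raw) + '|";'


def content_to_bytes(option):
    """Inverse of snort_content(), used to check a generated pattern."""
    hex_part = re.fullmatch(r'content:"\|([0-9A-F ]+)\|";', option).group(1)
    return bytes.fromhex(hex_part)


def scan(payload):
    """Return sorted (name, encoding) pairs whose bytes occur in payload."""
    hits = set()
    for name, text in CANDIDATES.items():
        for enc in ENCODINGS:
            if text.encode(enc) in payload:
                hits.add((name, enc))
    return sorted(hits)


if __name__ == "__main__":
    for name, text in CANDIDATES.items():
        utf8_len = len(text.encode("utf-8"))
        print(f"{name}: {len(text)} code points, {utf8_len} UTF-8 bytes")
        print("  ", snort_content(text))
    # Constructed sample payload (not captured traffic).
    page = b"<html><p>" + CANDIDATES["full"].encode("utf-8") + b"</p></html>"
    print(scan(page))
```
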