[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
l0rdch0de1m0rt at ...2420...
Fri Sep 6 13:02:06 EDT 2013
Hello. Y M. Thank you very much for the input. Sorry for not including
It isn't a tool causing this, just a mis-handling by Webkit of this
string. I am not fully understanding why (probably related more to how the
Webkit handles the characters/bytes rather than what they actually
I'm not sure if and how the bytes need to be in a certain order. For
̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
^^ will that cause an issue?
Or does it have to be the full thing:
سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:
> Can you provide more information on the DOS? What tool is generating
> this? And against what? Any reference or pcap?
> The text is in Arabic, though its contains some malformed Arabic
> characters. The top level characters are used to control pronunciation of
> words. Again, some of them are malformed. And some of them are wrongly
> used; if I am reading it write (see below).
> I am not sure if it is a coincidence, but the word
> Means highness; but the top level character in the middle is mistakenly
> used in the context of the word. The other word:
> Means Emirati; translated as an Emirate citizen. Although the word
> spelled wrong based on the official written Arabic language - I have seen
> people writing it this way.
> Some other letters are valid but their construction as a word does not
> mean anything such و، ح، خ
> The rest are symbols not used/related to Arabic.
> Hope this helps. May be if there is more information I can help better.
> From: L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>
> Sent: 9/6/2013 7:34 PM
> To: snort-sigs at lists.sourceforge.net
> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
> امارتيخ ̷̴̐خ
> Hello. Whoops, I accidentily sent the last email early (still getting
> used to the new GMAIL interface and hit the wrong key-board combination for
> my new key-board layout). Anyway, here is the string:
> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
> Does anyone know why this happens and what other combination or
> sub-strings can be used to exploit this? I ask so that we can make a SNORT
> rule for it. From my reading this is DoS and no RCE or BO that is known of.
> Lord C.
> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...3422.....
> > wrote:
> Hello. I saw something recently that showed that this Arabic string can
> DoS Webkit programs:
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs