[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

L0rd Ch0de1m0rt l0rdch0de1m0rt at ...2420...
Fri Sep 6 13:10:34 EDT 2013


سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

^^ also the string is read right-to-left so there may be issues like I had
with copy and paste and how the text rendering client deals with the
font/character encodings.

If you say it is mixed character encodings (different symbols from
different languages), you could be on to something here.

Thanks Y M again!

Lord C.


On Fri, Sep 6, 2013 at 1:02 PM, L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...> wrote:

> Hello. Y M.  Thank you very much for the input.  Sorry for not including
> this link:
>
>
> http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/
>
> It isn't a tool causing this, just a mis-handling by Webkit of this
> string.  I am not fully understanding why (probably related more to how the
> Webkit handles the characters/bytes rather than what they actually
> represent).
>
> I'm not sure if and how the bytes need to be in a certain order.  For
> example:
>
> ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
> ^^ will that cause an issue?
>
> or:
>
> سمَـَّوُوُح
>
> Or does it have to be the full thing:
>
>
> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
> Thanks.
>
> Lord C.
>
>
> On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:
>
>>  Can you provide more information on the DOS? What tool is generating
>> this? And against what? Any reference or pcap?
>>
>> The text is in Arabic, though it contains some malformed Arabic
>> characters. The top level characters are used to control pronunciation of
>> words. Again, some of them are malformed. And some of them are wrongly
>> used, if I am reading it right (see below).
>>
>> I am not sure if it is a coincidence, but the word
>> سمَّوُ
>>  Means highness; but the top level character in the middle is mistakenly
>> used in the context of the word. The other word:
>> امارتي
>>  Means Emirati; translated as an Emirate citizen. Although the word is
>> spelled wrong based on the official written Arabic language - I have seen
>> people writing it this way.
>>
>> Some other letters are valid but their construction as a word does not
>> mean anything, such as و، ح، خ
>>
>> The rest are symbols not used/related to Arabic.
>>
>> Hope this helps. Maybe if there is more information I can help better.
>>
>> Thanks.
>>
>>   ------------------------------
>> From: L0rd Ch0de1m0rt <l0rdch0de1m0rt at ...2420...>
>> Sent: ‎9/‎6/‎2013 7:34 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
>> امارتيخ ̷̴̐خ
>>
>>    Hello.  Whoops, I accidentally sent the last email early (still
>> getting used to the new GMAIL interface and hit the wrong keyboard
>> combination for my new keyboard layout).  Anyway, here is the string:
>>
>>  سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>>
>>
>>  Does anyone know why this happens and what other combination or
>> sub-strings can be used to exploit this? I ask so that we can make a SNORT
>> rule for it.  From my reading this is DoS and no RCE or BO that is known of.
>>
>>  Thanks.
>>
>>  Lord C.
>>
>>
>> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt <
>> l0rdch0de1m0rt at ...2420...> wrote:
>>
>> Hello.  I saw something recently that showed that this Arabic string can
>> DoS Webkit programs:
>>
>>
>>
>
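
Added example, not part of the thread or any poster's code: a Python sketch of the "mixed character encodings" observation, flagging runs of combining marks from the non-Arabic U+0300-036F block that touch Arabic letters and printing the UTF-8 bytes in Snort's `|xx xx|` content notation. The function names, the block ranges chosen and the sample strings are assumptions made here; it does not establish which substring triggers the Webkit crash.

```python
import unicodedata

ARABIC = range(0x0600, 0x0700)     # Arabic block (letters and Arabic harakat)
COMBINING = range(0x0300, 0x0370)  # Combining Diacritical Marks, not Arabic

def is_arabic(ch):
    return ord(ch) in ARABIC

def foreign_mark_runs(text):
    """Find runs of U+0300-036F marks that touch Arabic text.

    Returns a list of (start_index, [Unicode names of the marks])."""
    runs = []
    i = 0
    while i < len(text):
        if ord(text[i]) not in COMBINING:
            i += 1
            continue
        j = i
        while j < len(text) and ord(text[j]) in COMBINING:
            j += 1
        before = text[:i].rstrip()[-1:]  # nearest non-space char before the run
        after = text[j:j + 1]            # char right after the run, if any
        if any(c and is_arabic(c) for c in (before, after)):
            runs.append((i, [unicodedata.name(c) for c in text[i:j]]))
        i = j
    return runs

def snort_hex(text):
    """UTF-8 bytes of text in Snort's |xx xx| content notation."""
    return "|" + " ".join(f"{b:02X}" for b in text.encode("utf-8")) + "|"

# Constructed samples written as escapes, not copied from the thread.
MIXED = "\u062e \u0337\u0334\u0310\u062e"       # khah, space, 3 overlay marks, khah
PLAIN = "\u0633\u0645\u064e\u0651\u0648\u064f"  # Arabic letters, Arabic harakat only
LATIN = "e\u0301"                               # Latin letter plus combining acute

if __name__ == "__main__":
    for sample in (MIXED, PLAIN, LATIN):
        print(snort_hex(sample), foreign_mark_runs(sample))
```

Only the first sample is flagged; Arabic text carrying its own harakat and ordinary accented Latin text are not.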