[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
snort at ...3751...
Fri Sep 6 13:30:58 EDT 2013
Working on a pcap capture right now. On an older mac, with Safari 5.0.6, nothing crashes on me, however I need to verify that I meet the vulnerability conditions. I will test on a newer mac.
From: Jeremy Hoel<mailto:jthoel at ...2420...>
Sent: 9/6/2013 8:15 PM
To: L0rd Ch0de1m0rt<mailto:l0rdch0de1m0rt at ...2420...>
Cc: Y M<mailto:snort at ...3751...>; snort-sigs at lists.sourceforge.net<mailto:snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
On the list of for ET rules, this is also listed as a reference -
On Fri, Sep 6, 2013 at 5:02 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...> wrote:
> Hello. Y M. Thank you very much for the input. Sorry for not including
> this link:
> It isn't a tool causing this, just a mis-handling by Webkit of this string.
> I am not fully understanding why (probably related more to how the Webkit
> handles the characters/bytes rather than what they actually represents).
> I'm not sure if and how the bytes need to be in a certain order. For
> ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
> ^^ will that cause an issue?
> Or does it have to be the full thing:
> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
> Lord C.
> On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:
>> Can you provide more information on the DOS? What tool is generating this?
>> And against what? Any reference or pcap?
>> The text is in Arabic, though its contains some malformed Arabic
>> characters. The top level characters are used to control pronunciation of
>> words. Again, some of them are malformed. And some of them are wrongly used;
>> if I am reading it write (see below).
>> I am not sure if it is a coincidence, but the word
>> Means highness; but the top level character in the middle is mistakenly
>> used in the context of the word. The other word:
>> Means Emirati; translated as an Emirate citizen. Although the word spelled
>> wrong based on the official written Arabic language - I have seen people
>> writing it this way.
>> Some other letters are valid but their construction as a word does not
>> mean anything such و، ح، خ
>> The rest are symbols not used/related to Arabic.
>> Hope this helps. May be if there is more information I can help better.
>> From: L0rd Ch0de1m0rt
>> Sent: 9/6/2013 7:34 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
>> امارتيخ ̷̴̐خ
>> Hello. Whoops, I accidentily sent the last email early (still getting
>> used to the new GMAIL interface and hit the wrong key-board combination for
>> my new key-board layout). Anyway, here is the string:
>> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>> Does anyone know why this happens and what other combination or
>> sub-strings can be used to exploit this? I ask so that we can make a SNORT
>> rule for it. From my reading this is DoS and no RCE or BO that is known of.
>> Lord C.
>> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt
>> <l0rdch0de1m0rt at ...2420...> wrote:
>> Hello. I saw something recently that showed that this Arabic string can
>> DoS Webkit programs:
> Learn the latest--Visual Studio 2012, SharePoint 2013, SQL 2012, more!
> Discover the easy way to master current and previous Microsoft technologies
> and advance your career. Get an incredible 1,500+ hours of step-by-step
> tutorial videos with LearnDevNow. Subscribe today and save!
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> Please visit http://blog.snort.org for the latest news about Snort!
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Snort-sigs