[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Y M snort at ...3751...
Fri Sep 6 13:30:58 EDT 2013


Working on a pcap capture right now. On an older Mac with Safari 5.0.6, nothing crashes on me; however, I need to verify that I meet the vulnerability conditions. I will test on a newer Mac.
________________________________
From: Jeremy Hoel<mailto:jthoel at ...2420...>
Sent: 9/6/2013 8:15 PM
To: L0rd Ch0de1m0rt<mailto:l0rdch0de1m0rt at ...2420...>
Cc: Y M<mailto:snort at ...3751...>; snort-sigs at lists.sourceforge.net<mailto:snort-sigs at lists.sourceforge.net>
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

On the list for ET rules, this is also listed as a reference:
http://zhovner.com/tmp/killwebkit.html

On Fri, Sep 6, 2013 at 5:02 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...> wrote:
> Hello. Y M.  Thank you very much for the input.  Sorry for not including
> this link:
>
> http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/
>
> It isn't a tool causing this, just a mis-handling by Webkit of this string.
> I am not fully understanding why (probably related more to how the Webkit
> handles the characters/bytes rather than what they actually represent).
>
> I'm not sure if and how the bytes need to be in a certain order.  For
> example:
>
> ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
> ^^ will that cause an issue?
>
> or:
>
> سمَـَّوُوُح
>
> Or does it have to be the full thing:
>
>
> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
> Thanks.
>
> Lord C.
>
>
> On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:
>>
>> Can you provide more information on the DOS? What tool is generating this?
>> And against what? Any reference or pcap?
>>
>> The text is in Arabic, though it contains some malformed Arabic
>> characters. The top level characters are used to control pronunciation of
>> words. Again, some of them are malformed. And some of them are wrongly used,
>> if I am reading it right (see below).
>>
>> I am not sure if it is a coincidence, but the word
>> سمَّوُ
>> Means highness; but the top level character in the middle is mistakenly
>> used in the context of the word. The other word:
>> امارتي
>> Means Emirati; translated as an Emirate citizen. Although the word is spelled
>> wrong based on the official written Arabic language - I have seen people
>> writing it this way.
>>
>> Some other letters are valid but their construction as a word does not
>> mean anything such as و، ح، خ
>>
>> The rest are symbols not used/related to Arabic.
>>
>> Hope this helps. Maybe if there is more information I can help better.
>>
>> Thanks.
>>
>> ________________________________
>> From: L0rd Ch0de1m0rt
>> Sent: 9/6/2013 7:34 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
>> امارتيخ ̷̴̐خ
>>
>> Hello.  Whoops, I accidentally sent the last email early (still getting
>> used to the new GMAIL interface and hit the wrong keyboard combination for
>> my new keyboard layout).  Anyway, here is the string:
>>
>> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>>
>>
>> Does anyone know why this happens and what other combination or
>> sub-strings can be used to exploit this? I ask so that we can make a SNORT
>> rule for it.  From my reading this is DoS and no RCE or BO that is known of.
>>
>> Thanks.
>>
>> Lord C.
>>
>>
>> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt
>> <l0rdch0de1m0rt at ...2420...> wrote:
>>
>> Hello.  I saw something recently that showed that this Arabic string can
>> DoS Webkit programs:
>>
>>
>
>