[Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Y M snort at ...3751...
Fri Sep 6 13:46:29 EDT 2013


Sorry for the noise. OSX 10.6.8 and Safari 5.1.6 also do not crash. I do not have access to a newer OSX at the moment, but soon I should. Attached is the pcap captured from the OSX 10.6.8.
Thanks.

To: jthoel at ...2420...; l0rdch0de1m0rt at ...2420...
From: snort at ...3751...
Date: Fri, 6 Sep 2013 20:30:58 +0300
CC: snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

Working on a pcap capture right now. On an older mac, with Safari 5.0.6, nothing crashes on me, however I need to verify that I meet the vulnerability conditions. I will test on a newer mac.

From: Jeremy Hoel
Sent: 9/6/2013 8:15 PM
To: L0rd Ch0de1m0rt
Cc: Y M; snort-sigs at lists.sourceforge.net
Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ

On the list for ET rules, this is also listed as a reference -

http://zhovner.com/tmp/killwebkit.html

On Fri, Sep 6, 2013 at 5:02 PM, L0rd Ch0de1m0rt
<l0rdch0de1m0rt at ...2420...> wrote:
> Hello. Y M.  Thank you very much for the input.  Sorry for not including
> this link:
>
> http://arstechnica.com/apple/2013/08/rendering-bug-crashes-os-x-and-ios-apps-with-string-of-arabic-characters/
>
> It isn't a tool causing this, just a mis-handling by Webkit of this string.
> I am not fully understanding why (probably related more to how the Webkit
> handles the characters/bytes rather than what they actually represent).
>
> I'm not sure if and how the bytes need to be in a certain order.  For
> example:
>
> ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
> ^^ will that cause an issue?
>
> or:
>
> سمَـَّوُوُح
>
> Or does it have to be the full thing:
>
> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>
> Thanks.
>
> Lord C.
>
> On Fri, Sep 6, 2013 at 12:53 PM, Y M <snort at ...3751...> wrote:
>>
>> Can you provide more information on the DOS? What tool is generating this?
>> And against what? Any reference or pcap?
>>
>> The text is in Arabic, though it contains some malformed Arabic
>> characters. The top level characters are used to control pronunciation of
>> words. Again, some of them are malformed. And some of them are wrongly used;
>> if I am reading it right (see below).
>>
>> I am not sure if it is a coincidence, but the word
>> سمَّوُ
>> Means highness; but the top level character in the middle is mistakenly
>> used in the context of the word. The other word:
>> امارتي
>> Means Emirati; translated as an Emirate citizen. Although the word is spelled
>> wrong based on the official written Arabic language - I have seen people
>> writing it this way.
>>
>> Some other letters are valid but their construction as a word does not
>> mean anything such as و، ح، خ
>>
>> The rest are symbols not used/related to Arabic.
>>
>> Hope this helps. Maybe if there is more information I can help better.
>>
>> Thanks.
>>
>> ________________________________
>> From: L0rd Ch0de1m0rt
>> Sent: 9/6/2013 7:34 PM
>> To: snort-sigs at lists.sourceforge.net
>> Subject: Re: [Snort-sigs] Webkit DoS -- سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ
>> امارتيخ ̷̴̐خ
>>
>> Hello.  Whoops, I accidentally sent the last email early (still getting
>> used to the new GMAIL interface and hit the wrong key-board combination for
>> my new key-board layout).  Anyway, here is the string:
>>
>> سمَـَّوُوُحخ ̷̴̐خ ̷̴̐خ ̷̴̐خ امارتيخ ̷̴̐خ
>>
>> Does anyone know why this happens and what other combination or
>> sub-strings can be used to exploit this? I ask so that we can make a SNORT
>> rule for it.  From my reading this is DoS and no RCE or BO that is known of.
>>
>> Thanks.
>>
>> Lord C.
>>
>> On Fri, Sep 6, 2013 at 12:27 PM, L0rd Ch0de1m0rt
>> <l0rdch0de1m0rt at ...2420...> wrote:
>>
>> Hello.  I saw something recently that showed that this Arabic string can
>> DoS Webkit programs:
>>


> _______________________________________________
> Snort-sigs mailing list
> Snort-sigs at lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/snort-sigs
> http://www.snort.org
>
> Please visit http://blog.snort.org for the latest news about Snort!

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130906/74bc9e0d/attachment.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: bug.pcap
Type: application/octet-stream
Size: 12552 bytes
Desc: not available
URL: <https://lists.snort.org/pipermail/snort-sigs/attachments/20130906/74bc9e0d/attachment.obj>
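
Added example, not part of the thread and not written by any of the posters: a small Python helper for the two questions raised above, namely what kinds of characters a string is made of (Arabic letters, Arabic diacritics, marks from outside Arabic) and what its UTF-8 bytes look like in Snort's `|hex|` content notation. The samples are constructed here from explicit code points, and the function names and bucket labels are assumptions of this example; it does not establish which sub-string, if any, triggers the crash.

```python
import unicodedata

# Constructed samples, written as explicit code points (not the thread's string):
# the word the thread glosses as "Emirati", and one Arabic letter carrying an
# Arabic diacritic followed by a combining mark from outside the Arabic block.
WORD = "\u0627\u0645\u0627\u0631\u062a\u064a"
MIXED = "\u0633\u064e\u0337"


def classify(ch):
    """Bucket one character: Arabic letter, Arabic mark, foreign mark, other."""
    name = unicodedata.name(ch, "")
    is_mark = unicodedata.category(ch).startswith("M")
    if name.startswith("ARABIC"):
        return "arabic-mark" if is_mark else "arabic-letter"
    return "foreign-mark" if is_mark else "other"


def profile(text):
    """Return (code point, Unicode name, bucket) for every character."""
    return [("U+%04X" % ord(c), unicodedata.name(c, "?"), classify(c))
            for c in text]


def foreign_marks(text):
    """Code points of combining marks that are not Arabic diacritics."""
    return [cp for cp, _, bucket in profile(text) if bucket == "foreign-mark"]


def snort_content(text):
    """UTF-8 bytes of text in Snort's |hex| content notation."""
    return "|" + " ".join("%02X" % b for b in text.encode("utf-8")) + "|"


if __name__ == "__main__":
    for sample in (WORD, MIXED):
        for row in profile(sample):
            print(*row)
        print('content:"%s";' % snort_content(sample))
```

A byte match built this way only fires when the page travels as uncompressed UTF-8; the same characters sent in another encoding, as HTML entities, or inside a gzip-compressed response produce different bytes on the wire.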

