Remote DoS in Mozilla 1.0 / X Window System

Tom Vogt <tom-at-lemuria-dot-org>

Mozilla 1.0 and earlier / X Window System (multiple versions)
verified on Linux and Solaris, other Unixes most likely affected as well.

System becomes unuseable or X crashes 
(varies depending on system configuration)

When loading pages with a specially prepared (or erroneous) stylesheet,
mozilla and the X Window System (not restricted to XFree) exhibit any of 
two undesireable behaviours. This seems to depend on the local system 
configuration, especially to the presence of xfs, but bug reports so far
are inconclusive.
In one scenario, X simply crashes, taking everything with it. This will result
in the loss of unsaved work.
In scenario two, memory useage of the X server explodes until the machine
reaches the thrashing point, at which point only a hard kill (-9) of the
X server can save it, provided there are enough system resources left to
issue the kill.

Some systems see no crash, but random misbehaviour of X components that often
require a shutdown of the X server to fix. See the follow ups in bugzilla
for a full description of these various behaviours.

The bug is triggered by a huge font setting done through CSS. Depending on
the end user's system configuration, this will either trigger an abort in
the XFree86 code ("Beziers this large not supported") or cause an
explosive use of memory. It is unknown how much memory could get consumed,
but follow-ups to the mozilla bug verify that machines with 1 GB of
memory still reach the thrashing point.

Include a huge font size in your style sheet definition, e.g.:
body { font-size: 1666666px; }

Further Considerations
This attack is especially effective if XFS is running. One bugtraq poster
verified that a remote (department-wide) XFS server was killed by a single
user opening the example page above.

Vendor Contact
filed as mozilla bug #150339
Mozilla team scrambled immediately.

also filed with the XFree86 team.

A patch has been added to the mozilla CVS trunk on 12/06/2002. The XFree86
team is discussing a solution and will probably add a patch soon. The author
is not aware of patches being worked on for other X servers.

A workaround would be turning off stylesheets. Mozilla does not have an
option for doing so in the preferences dialog, so this must be done either
in the preferences file manually, or by editing the source code. I have not
reviewed this option further.
Unchecking the "allow documents to use other fonts" button in preferences
does NOT provide a workaround.

Author Statement
Aside from the fact that I don't believe in "responsible disclosure", this
is already public knowledge through bugzilla.
Kudos to the mozilla team for prompt and competent reactions.

There was some discussion about whether this is a mozilla or X bug. It was
originally classified as a mozilla bug by me, which is not entirely correct.
However, mozilla is what makes this X problem remotely exploitable, which
is why I have only ammended, not corrected this classification.

Last Update