Saturday, August 10, 2019

Application Level Denial of Service [DoS] using SVG file in https://[REDACTED].com (Write Up)

A year ago I participated in a private program on Bugcrowd and found some good-quality vulnerabilities that earned me a decent amount of bounty. One of my favorites was this application-level DoS (Denial of Service) using a malicious SVG file. It was my first time reporting this kind of issue; I had reported SVG-related vulnerabilities before, but a denial of service via SVG was new to me, which made it all the more exciting.

After my first report, a stored XSS using an SVG file, was rewarded, I kept digging in the same area and found this issue. What really makes it one of my favorites is that I learned something new from the triager who handled the report.

So long story short, here's the report timeline and proof of concept.

--Proof of Concept--

1. Go to https://<REDACTED> and log in.
2. Go to https://<REDACTED>/<username>/primary-brand
3. Click the Edit button, or turn ON the Edit toggle in the upper-left corner of the page.
4. In the Images section, upload the attached SVG file.
5. Open the uploaded SVG file and see the result.

I have attached a GIF demonstrating the whole bug; I hope it is clear.

Live Demo of my test: https://user-images.<REDACTED>/<userid>/primary-brand/<filename>.svg

Tested in Firefox and Google Chrome; both crashed when rendering the file.
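The application in the report accepted whatever SVG was uploaded and served it straight back for the browser to render. Below is an added example of the server-side upload check a practitioner would want in front of such an endpoint. It is not code from the original report or from the target application, and every limit in it (file size, element count, nesting depth, canvas size, filter-primitive count) is an assumed value, not a setting of any real product. It streams the file through expat instead of building a tree, rejects any DOCTYPE so entity expansion never runs, caps the things that make a renderer allocate memory, and refuses script, foreignObject, event-handler attributes and non-local references, which is the same surface as the stored XSS mentioned above.

```python
"""Policy check for user-uploaded SVG files (added example, not the target app's code).

All limits below are assumptions chosen for illustration.
"""
import re
import xml.parsers.expat

SVG_NS = "http://www.w3.org/2000/svg"

MAX_BYTES = 512 * 1024          # raw upload size
MAX_ELEMENTS = 5000             # total element count
MAX_DEPTH = 64                  # nesting depth
MAX_FILTER_PRIMITIVES = 16      # fe* elements are the expensive part of rendering
MAX_DIMENSION_PX = 8192         # larger canvases mean larger raster allocations

FORBIDDEN_ELEMENTS = {"script", "foreignObject"}
_LENGTH = re.compile(r"^\s*(\d*\.?\d+)\s*(px|%)?\s*$")


class SvgPolicyError(ValueError):
    """Raised with a human-readable reason when the upload violates the policy."""


def _local_name(qualified):
    # expat with namespace_separator=" " reports names as "namespace-uri localname"
    return qualified.rsplit(" ", 1)[-1]


def _namespace(qualified):
    return qualified.rsplit(" ", 1)[0] if " " in qualified else ""


def _dimension_px(value):
    m = _LENGTH.match(value)
    if not m:
        raise SvgPolicyError(f"unsupported length {value!r}")
    number, unit = m.groups()
    # Percentages are relative to the viewport and cannot inflate the raster.
    return 0.0 if unit == "%" else float(number)


class _Checker:
    def __init__(self):
        self.depth = 0
        self.elements = 0
        self.filter_primitives = 0

    def start(self, name, attrs):
        self.depth += 1
        self.elements += 1
        if self.depth > MAX_DEPTH:
            raise SvgPolicyError(f"nesting deeper than {MAX_DEPTH}")
        if self.elements > MAX_ELEMENTS:
            raise SvgPolicyError(f"more than {MAX_ELEMENTS} elements")
        local, ns = _local_name(name), _namespace(name)
        if ns not in ("", SVG_NS):
            raise SvgPolicyError(f"element from foreign namespace {name!r}")
        if local in FORBIDDEN_ELEMENTS:
            raise SvgPolicyError(f"forbidden element <{local}>")
        if local.startswith("fe"):          # feTurbulence, feConvolveMatrix, ...
            self.filter_primitives += 1
            if self.filter_primitives > MAX_FILTER_PRIMITIVES:
                raise SvgPolicyError(f"more than {MAX_FILTER_PRIMITIVES} filter primitives")
        for attr, value in attrs.items():
            alocal = _local_name(attr)
            if alocal.lower().startswith("on"):
                raise SvgPolicyError(f"event handler attribute {alocal!r}")
            # href / xlink:href may only point inside the document itself
            if alocal == "href" and not value.startswith("#"):
                raise SvgPolicyError(f"external reference {value!r}")
        if self.depth == 1:
            if local != "svg":
                raise SvgPolicyError("root element is not <svg>")
            for dim in ("width", "height"):
                if dim in attrs and _dimension_px(attrs[dim]) > MAX_DIMENSION_PX:
                    raise SvgPolicyError(f"{dim} exceeds {MAX_DIMENSION_PX}px")

    def end(self, name):
        self.depth -= 1


def check_svg(data):
    """Return True if the bytes pass the policy, else raise SvgPolicyError."""
    if len(data) > MAX_BYTES:
        raise SvgPolicyError(f"file larger than {MAX_BYTES} bytes")
    checker = _Checker()
    parser = xml.parsers.expat.ParserCreate(namespace_separator=" ")
    parser.StartElementHandler = checker.start
    parser.EndElementHandler = checker.end

    def reject_doctype(*_):
        # No DTD at all: this is where entity expansion and external entities come from.
        raise SvgPolicyError("DOCTYPE not allowed")

    def reject_pi(*_):
        # e.g. <?xml-stylesheet href="..."?> would make the renderer fetch a URL
        raise SvgPolicyError("processing instruction not allowed")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.ProcessingInstructionHandler = reject_pi
    try:
        parser.Parse(data, True)
    except xml.parsers.expat.ExpatError as exc:
        raise SvgPolicyError(f"malformed XML: {exc}") from exc
    if checker.elements == 0:
        raise SvgPolicyError("empty document")
    return True


def svg_verdict(data):
    """None when the file is accepted, otherwise the rejection reason."""
    try:
        check_svg(data)
    except SvgPolicyError as exc:
        return str(exc)
    return None


# Constructed sample uploads (not files from the report).
CLEAN = (b'<svg xmlns="http://www.w3.org/2000/svg" width="100" height="100">'
         b'<circle cx="50" cy="50" r="40"/></svg>')
SCRIPTED = b'<svg xmlns="http://www.w3.org/2000/svg"><script>alert(1)</script></svg>'
HUGE = b'<svg xmlns="http://www.w3.org/2000/svg" width="100000" height="100000"/>'
BOMB = (b'<!DOCTYPE svg [<!ENTITY a "aaaa"><!ENTITY b "&a;&a;&a;&a;">]>'
        b'<svg xmlns="http://www.w3.org/2000/svg"><text>&b;</text></svg>')
DEEP = b'<svg xmlns="http://www.w3.org/2000/svg">' + b'<g>' * 100 + b'</g>' * 100 + b'</svg>'

if __name__ == "__main__":
    for label, sample in [("clean", CLEAN), ("scripted", SCRIPTED), ("huge", HUGE),
                          ("bomb", BOMB), ("deep", DEEP)]:
        print(f"{label:9s} -> {svg_verdict(sample) or 'accepted'}")
```

Rejecting instead of sanitizing is deliberate: a file that trips any limit is returned to the uploader with the reason, and only files that pass are stored and served, ideally with a Content-Security-Policy header and an image-only content type so that whatever the browser is asked to render has already been bounded.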


Report Title: DoS using SVG file in https://<REDACTED>
Reported: 17 Feb 2018 16:52:37 UTC
Update (Triaged Staff): 21 Feb 2018 17:24:32 UTC

Hello evanricafort,
The crashing of your browser must have been because of out-of-memory bounds. Can you try to use WinDbg to check why it crashed? It allows me to check if there is a break instruction exception. This is not reproducible in my Chrome, Safari, and Firefox on Mac, thus I would like to check the output from WinDbg to check if this is indeed a vulnerability.
My Update Response: 21 Feb 2018 18:04:50 UTC

Not really familiar with WinDbg, but I tried it with my Firefox browser and this is what I got:
Microsoft (R) Windows Debugger Version 10.0.16299.91 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: srv*
Executable search path is:
ModLoad: 00007ff66ca80000 00007ff66caf7000 C:\Program Files\Mozilla Firefox\firefox.exe
ModLoad: 00007ff9bb8b0000 00007ff9bba71000 C:\Windows\SYSTEM32\ntdll.dll
ModLoad: 00007ff9bb070000 00007ff9bb11d000 C:\Windows\system32\KERNEL32.DLL
ModLoad: 00007ff9b89c0000 00007ff9b8ba8000 C:\Windows\system32\KERNELBASE.dll
ModLoad: 00007ff9b97b0000 00007ff9b9857000 C:\Windows\system32\ADVAPI32.dll
ModLoad: 00007ff9b9280000 00007ff9b931d000 C:\Windows\system32\msvcrt.dll
ModLoad: 00007ff9ac2e0000 00007ff9ac305000 C:\Program Files\Mozilla Firefox\mozglue.dll
ModLoad: 00007ff9bb310000 00007ff9bb36b000 C:\Windows\system32\sechost.dll
ModLoad: 00007ff9b8cb0000 00007ff9b8dcd000 C:\Windows\system32\RPCRT4.dll
ModLoad: 00007ff9b4610000 00007ff9b461a000 C:\Windows\SYSTEM32\VERSION.dll
ModLoad: 00007ff9aa550000 00007ff9aa5ee000 C:\Program Files\Mozilla Firefox\MSVCP140.dll
ModLoad: 00007ff9ac400000 00007ff9ac417000 C:\Program Files\Mozilla Firefox\VCRUNTIME140.dll
ModLoad: 00007ff9b7170000 00007ff9b7264000 C:\Windows\SYSTEM32\ucrtbase.dll
ModLoad: 00007ff9b79d0000 00007ff9b79db000 C:\Windows\SYSTEM32\CRYPTBASE.DLL
ModLoad: 00007ff9b8890000 00007ff9b88fa000 C:\Windows\system32\bcryptPrimitives.dll
ModLoad: 000001b246430000 000001b246434000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll
ModLoad: 000001b246440000 000001b246444000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-string-l1-1-0.dll
ModLoad: 000001b246450000 000001b246453000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll
ModLoad: 000001b246460000 000001b246464000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll
ModLoad: 000001b246470000 000001b246474000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll
ModLoad: 000001b246480000 000001b246483000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll
ModLoad: 000001b246490000 000001b246495000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll
ModLoad: 000001b2464a0000 000001b2464a5000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll
ModLoad: 000001b2464c0000 000001b2464c3000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll
ModLoad: 000001b2464d0000 000001b2464d3000 C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll
ModLoad: 00007ff9b0400000 00007ff9b0674000 C:\Windows\WinSxS\\comctl32.dll
(2a84.2b90): Break instruction exception - code 80000003 (first chance)
00007ff9`bb958860 cc int 3

Follow-up Update (Triaged Staff): 23 Feb 2018 16:16:43 UTC

Hello Evan,

Based on the breakpoint, it did crash from your end:

ModLoad: 00007ff9b0400000 00007ff9b0674000 C:\Windows\WinSxS\\comctl32.dll
(2a84.2b90): Break instruction exception - code 80000003 (first chance)
00007ff9`bb958860 cc int 3

WinDbg allows us to check if there is a DoS or if it has overwritten the EIP / instruction pointer, etc. In this case, it tells us that a crash has actually occurred. Since this is reproducible from your end and not for all users, I am marking this issue as P3.

Closed: 06 Jul 2018 20:28:52 UTC (Won't fix)
Thank you for your help in making <REDACTED> safer. The application will be sunset very soon and development has ceased. Therefore we are closing the reported issue as WON'T FIX.
Reward: $300 + 10 Kudos points

I hope you enjoyed this write-up. Have a great day, everyone!

"Opportunities don't happen. You create them."
― Chris Grosser