Rapid window title changes cause ‘white screen of death’
Experimentation with ANSI escape characters on terminal emulators has led to the discovery of multiple high-severity DoS (denial of service) vulnerabilities on Windows terminals and Chrome-based web browsers.

Eviatar Gerzi, a security researcher at CyberArk, has tried out various potential abuse pathways based on an old 2003 advisory on code execution via window title modifications and discovered a way to induce rapid window title changes on PuTTY.

This atypical attack caused the test machine to enter a state known as the “White Screen of Death”, where everything freezes except for the mouse cursor.

Upon testing a similar attack on a local application, the system entered WSOD immediately due to overburdening the OS kernel with calls.

[Figure: Calls overwhelming the system kernel. Source: CyberArk]

The abused function is ‘SetWindowText,’ which allows changing the text of the specified window’s title bar.

The only way out of the WSOD state is to restart the computer, so this simple trick can lead to a DoS state on a range of applications.

[Figure: SetWindowText function in PuTTY. Source: CyberArk]

As the researcher points out, ‘SetWindowText’ isn’t the only function that can be leveraged to hang an application, as the MobaXterm case shows.

In one of the cases, I tested the MobaXterm terminal, and I was surprised that it didn’t use the SetWindowText function to change the window title but, rather, a function named GdipDrawString.

The interesting thing in this case is that it didn’t affect the whole computer like SetWindowText. It affected only the application, which eventually crashed.

Gerzi confirmed the following Windows terminals are affected by the DoS issue:

  • PuTTY – CVE-2021-33500 (freezes whole computer), fixed in version 0.75
  • MobaXterm – CVE-2021-28847 (freezes only app), fixed in version 21.0 preview 3
  • MinTTY (and Cygwin) – CVE-2021-28848 (freezes whole computer), fixed in version 3.4.6
  • Git – uses MinTTY, fixed in version 2.30.1
  • ZOC – CVE-2021-32198 (freezes only app), no fix
  • XSHELL – CVE-2021-42095 (freezes whole computer), fixed in version 7.0.0.76

Trying it out on web browsers

Realizing that almost all GUI applications use the SetWindowText function, the researcher tried out the attack against popular web browsers such as Chrome.

He created an HTML file that would cause the title to change rapidly in an infinite loop, forcing the browser to freeze.

The same behavior was noticed in Edge, Torch, Maxthon, Opera, and Vivaldi, all Chromium-based browsers. Though Firefox and Internet Explorer are immune to it, they still take a performance hit.

[Figure: Monitoring function calls on Edge. Source: CyberArk]

In all cases, though, the underlying OS remains unaffected, because modern browsers run page content in sandboxed processes.

However, when trying the browser attack inside a virtual machine, a resource depletion issue occurred causing the virtualized system to display a ‘Blue Screen of Death.’

[Figure: BSOD when testing DoS on a virtual machine. Source: CyberArk]

Response from vendors

The researcher notes that the applications affected by this attack could be anything using either SetWindowText or GdipDrawString, so the above apps are only a sample of the affected software.

Some applications, Slack for example, rate-limit calls to these functions, so they are resilient to this kind of DoS attack.
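The rate limiting that makes an application resilient to this attack, as an added example that is not CyberArk's or any vendor's code: a terminal emulator can parse the OSC title escape sequence emitted by the program it hosts and coalesce bursts of title changes, so that only a few title updates per second reach the OS. The 4-per-second limit, the class and function names, and the constructed burst are assumptions.

```python
import re
import time

# OSC (Operating System Command) title sequence emitted by the hosted program:
# ESC ] 0 ; <text> BEL   (also ESC ] 2 ; ... and the ESC \ string terminator)
OSC_TITLE = re.compile(rb"\x1b\][02];([^\x07\x1b]*)(?:\x07|\x1b\\)")


class TitleRateLimiter:
    """Let at most `max_per_sec` title changes reach the OS; a burst is coalesced
    to its newest title. `clock` is injectable so the behaviour is testable."""

    def __init__(self, max_per_sec=4, clock=time.monotonic):
        self.min_interval = 1.0 / max_per_sec
        self.clock = clock
        self.last_applied_at = None
        self.pending = None   # newest title waiting for the interval to elapse
        self.applied = []     # titles actually handed to the OS (simulated)
        self.dropped = 0      # requests that never reached the OS

    def request(self, title):
        now = self.clock()
        if self.last_applied_at is None or now - self.last_applied_at >= self.min_interval:
            self._apply(title, now)
        else:
            if self.pending is not None:
                self.dropped += 1
            self.pending = title

    def tick(self):  # timer callback: apply the deferred title once the interval has passed
        if self.pending is not None and self.clock() - self.last_applied_at >= self.min_interval:
            title, self.pending = self.pending, None
            self._apply(title, self.clock())

    def _apply(self, title, now):
        # A real emulator would call SetWindowText(hwnd, title) here.
        self.applied.append(title)
        self.last_applied_at = now


def process_output(data, limiter):
    """Route title sequences in terminal output through the limiter; return the rest."""
    for m in OSC_TITLE.finditer(data):
        limiter.request(m.group(1).decode("utf-8", "replace"))
    return OSC_TITLE.sub(b"", data)


def simulate_burst(count=10000):
    """Constructed scenario: a file emits `count` title changes within one instant."""
    clock = [0.0]
    limiter = TitleRateLimiter(max_per_sec=4, clock=lambda: clock[0])
    burst = b"".join(b"\x1b]0;title%d\x07" % i for i in range(count)) + b"done\n"
    rest = process_output(burst, limiter)
    clock[0] = 0.25  # one interval later the timer fires and the final title is applied
    limiter.tick()
    return len(limiter.applied), limiter.dropped, limiter.applied[-1], rest
```

Without the limiter every one of the `count` sequences would become a separate window-title call; with it the OS sees two.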

[Figure: Slack’s limiter stopping the attack after just three calls. Source: CyberArk]

Gerzi contacted the affected vendors and received the following responses:

Google: DoS issues are treated as abuse or stability issues rather than security vulnerabilities. Note: Issue is not observed on Mac but is observed on Linux. We have reviewed the issue again. We were not able to reproduce the crash in the latest versions of WS 16.1.2 build-17966106 and Chrome 92.0.4515.131. We view that the behavior you observed might depend on the Chrome version used, as we didn’t see any BSOD issues on our end. Hence, we consider this as not a bug.

Vivaldi: This is a design limitation of Windows 10; it does not limit application memory usage, and simply uses pagefile (virtual memory) when it runs out of RAM. This is slower to respond because it must be read from disk.

Microsoft: Our team was able to reproduce this issue, but it does not meet our bar for servicing with an immediate security update. While this results in a denial of service condition, this can only be triggered locally and is the result of resource exhaustion. An attacker would not be able to trigger any additional vulnerable conditions or retrieve information that would be beneficial in other attacks on the system. We will be closing this case, but we have opened a bug with our development team, and they may consider addressing this in a future release of Windows.

In response to the above, the researcher points out that it is possible to trigger the attack remotely by creating a malicious file on a remote server and opening it from a vulnerable terminal.
