[tor-bugs] #9901 [Tor bundles/installation]: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of content are sent
Tor Bug Tracker & Wiki
blackhole at torproject.org
Sat Oct 5 07:53:29 UTC 2013
#9901: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of
content are sent
--------------------------------------+-----------------------
 Reporter:  sqrt2                     |          Owner:  erinn
     Type:  defect                    |         Status:  new
 Priority:  normal                    |      Milestone:
Component:  Tor bundles/installation  |        Version:
 Keywords:  tbb dos content-type      |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+-----------------------
Following a user question in #tor where the user couldn't open the URL
<http://cdimage.debian.org/debian-cd/7.1.0/i386/iso-dvd/MD5SUMS> in TBB, I
decided to investigate the problem by simulating a webserver with netcat.
(The file loads fine in non-TBB Firefox; the problem exists in both TBB
beta and alpha, presumably also in stable.) Here are my findings:

 * The above resource is delivered without a Content-Type header by
   cdimage.debian.org.
 * Upon retrieving the resource, Firefox displays a blank page and starts
   consuming 100% CPU (only one core on SMP systems) periodically, backing
   down for a few seconds every now and then.
 * When adding a Content-Type header to the server response, Firefox shows
   the file in the browser (text/plain) or displays the content type warning
   dialog (other content type), as expected.
 * One can remove all headers (not including of course "HTTP/1.0 200 OK")
   and the problem will still occur.
 * The problem stops occurring once 512 bytes or less of content (without
   headers and \n\n) are sent. The content will then be displayed as a text
   file in Firefox.
 * There is no significant change on the wire between the two cases -- the
   reply consists of two TCP packets broken up at the same point.

In a nutshell, service can be denied by crafting a special server response
to an ordinary HTTP request. However, because Firefox only consumes 1 core
and occasionally backs down shortly, the user will likely be able to
recover from the situation by closing the problematic tab.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9901>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
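
Added example, not part of the ticket or of any Tor Project code: a small Python check that tests a raw HTTP response against the two conditions the report identifies (no Content-Type header, more than 512 bytes of content after the headers), usable in a regression harness or when triaging captured responses. The function names and sample responses are constructed for illustration; only the 512-byte figure comes from the ticket.

```python
import re

BODY_THRESHOLD = 512  # bytes of content after the headers; figure from the ticket


def split_response(raw: bytes):
    """Split raw response bytes into (status_line, header_lines, body).

    Accepts CRLF CRLF as well as bare LF LF as the header terminator, because
    a hand-typed netcat reply like the one in the report often uses bare LF.
    """
    m = re.search(rb"\r?\n\r?\n", raw)
    if m is None:
        raise ValueError("no header terminator found")
    lines = re.split(rb"\r?\n", raw[:m.start()])
    return lines[0], lines[1:], raw[m.end():]


def has_content_type(header_lines) -> bool:
    """Header names are case-insensitive, so compare in lower case."""
    for line in header_lines:
        name, sep, _ = line.partition(b":")
        if sep and name.strip().lower() == b"content-type":
            return True
    return False


def matches_ticket_condition(raw: bytes) -> bool:
    """True when there is no Content-Type header and the body exceeds 512 bytes."""
    _, headers, body = split_response(raw)
    return not has_content_type(headers) and len(body) > BODY_THRESHOLD


# Constructed sample responses (not captured traffic).
BARE = b"HTTP/1.0 200 OK\n\n" + b"a" * 513          # no headers, 513-byte body
SHORT = b"HTTP/1.0 200 OK\n\n" + b"a" * 512         # no headers, 512-byte body
TYPED = (b"HTTP/1.0 200 OK\r\ncontent-type: text/plain\r\n\r\n"
         + b"a" * 513)                               # typed, 513-byte body

if __name__ == "__main__":
    for label, raw in (("bare", BARE), ("short", SHORT), ("typed", TYPED)):
        print(label, matches_ticket_condition(raw))
```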