Is this a buffer overflow exploit?
October 15, 2010 9:28 AM   Subscribe

Is this an attempt at a buffer overflow exploit, or just some sort of mistake?

Take a look at the link to "competition policy" near the bottom of this page (but don't click it). It consists of 65535 characters (mostly %5C, the code for backslash, repeated tens of thousands of times) followed by a bunch of garbage characters that confuse Notepad++.

Before I noticed the weirdness, I clicked this link in the most recent and updated version of firefox on windows 7. After a delay of several seconds I got a server error message (URL too long). Should I be concerned, or is firefox not vulnerable to URL buffer overflows?

I just noticed that I get served a slightly different link when I try this in Chrome, which makes me think that it is some sort of exploit and it's targeting different browsers.

I'll also notify the keepers of that web page.
posted by moonmilk to Computers & Internet (14 answers total) 1 user marked this as a favorite
 
Response by poster: Actually, looking again, it appears to be about half a million characters, and the reason it looked funny in Notepad++ after 65535 is that Notepad++ can't handle such a long line. So now i'm thinking it could be just an innocent mistake, though it's weird that it was different on Chrome.
posted by moonmilk at 9:42 AM on October 15, 2010


Crashed my browser, whatever it is. I'll be it's a sploit
posted by Blake at 9:42 AM on October 15, 2010


I think the difference you see is in browser interpretation of the url. I know there was an exploit in FF but that was back in 2005, version 1.x. I think it's just an error in the link. Someone had the key get stuck when put in the "/".
posted by white_devil at 9:46 AM on October 15, 2010


Best answer: Someone had the key get stuck when put in the "/".

For over 500,000 backslashes?

Anyway, I don't think it's an exploit, other than perhaps to crash some browsers. The URL is almost completely uniform; there's nothing in there that could be the functional part.

Clicking it on Firefox for Mac just leads to a 414 Request-URI Too Large error on the Apache server.

By the way, the link is much, much too long for IE. It has a much shorter URL length limit than most other browsers.
posted by jedicus at 9:49 AM on October 15, 2010


Best answer: I don't see how this can be a buffer overflow, there's no payload to execute. Most likely its just a mistake from generated code or some other odd edge case.
posted by damn dirty ape at 9:58 AM on October 15, 2010


Response by poster: Thanks! I got paranoid and started running every malware scanner I've got, but it was probably about time for a scan anyway. With no payload it makes sense that this couldn't be anything but a mistake.

(Is there any scanner I shouldn't be without? I'm using windows defender and malware bytes.)
posted by moonmilk at 10:05 AM on October 15, 2010


Defender? Do you mean Microsoft Security Essentials? That's the defender replacement that does everything. Defender just does spyware, not viruses.
posted by damn dirty ape at 10:06 AM on October 15, 2010


Clicking it on Firefox for Mac just leads to a 414 Request-URI Too Large error on the Apache server.

Same for Firefox on Win7.
posted by damn dirty ape at 10:15 AM on October 15, 2010


I recently worked with a client whose website had been malware-ificated, most likely through an FTP injection attack.

In an FTP injection attack, malware infects your computer, and steals your FTP password. It sends that password to a network of infected hosts, which then edit your HTML or PHP pages to include a sneaky little evil bit at the bottom.

Many of these attacks result in a bit of code at the bottom which either creates an iframe on the page, or causes a file to be downloaded to the web visitor's computer. Often, this code is obfuscated similar to what you mention.

I copied the link you posted and DID NOT CLICK ON IT. (I spent all day yesterday de-malware-ing my computer; no interest in losing another day's work so soon.)

I pasted it into the Web Page Security scanner at Unmask Parasites.

According to the report, that page has not yet been flagged by Google. It links to domains which seem safe. My guess is that either the attack or the obfuscation failed, or that it's obfuscating a bunch of spam links.

In addition to notifying the owners, I would recommend doing a hardcore malware sweep on your computer. Anti Malwarebytes found a couple of things on mine, but only after the "this takes several hours so you might as well go run errands" scan.
posted by ErikaB at 12:06 PM on October 15, 2010


The offending link has been fixed. It now properly leads to the competition policy page.
posted by jedicus at 12:11 PM on October 15, 2010


I don't see how this could remotely be an FTP attack. Its a plain jane URL, with no javascript or anything odd, except http:// is http://///////////////// going on for thousands of characters with no payload.
posted by damn dirty ape at 12:32 PM on October 15, 2010


Earlier versions of... one popular browser dealt with this "typo" by recursively removing one slash at a time, definitely hanging the program. Not an exploit.
posted by tintexas at 12:53 PM on October 15, 2010


Maybe some kind of automated process is to blame, as in, someone wrote a script to fix broken links by replacing http:/ with http:// and didn't think it through.
posted by AmbroseChapel at 3:05 PM on October 15, 2010


Response by poster: Thanks again - I wrote to someone at the site and they fixed it up; I agree with many of you above that it couldn't be an exploit - at least not a successful one - because there's nothing in there but slashes.
posted by moonmilk at 7:44 PM on October 15, 2010


« Older Best front ends for SQL databases?   |   Recommend an airsoft gun please Newer »
This thread is closed to new comments.


Tags

Share