Users and developers helping users with generic and technical Pale Moon issues on all operating systems.
Moderator: trava90
-
andyprough
by andyprough » 2025-02-15, 22:38
Moonchild wrote: ↑2025-02-15, 21:23
but it does mean the code is absolutely malicious because it's intentional!
If that's the case, then a lot more Pale Moon users may want to file Cybersecurity Incident Reports with CISA.gov as I did in my post above:
viewtopic.php?p=259747#p259747
If it's malware, might as well treat it as such.
-
back2themoon
by back2themoon » 2025-02-15, 22:49
andyprough wrote: ↑2025-02-15, 22:38
...a lot more Pale Moon users may want to file Cybersecurity Incident Reports with CISA.gov - If it's malware, might as well treat it as such.
Will do - thanks. Or is it meant for US citizens only?
-
andyprough
by andyprough » 2025-02-15, 23:00
back2themoon wrote: ↑2025-02-15, 22:49
andyprough wrote: ↑2025-02-15, 22:38
...a lot more Pale Moon users may want to file Cybersecurity Incident Reports with CISA.gov - If it's malware, might as well treat it as such.
Will do - thanks. Or is it meant for US citizens only?
It doesn't say so. It looks like the CISA collects information on malware from anyone in the world. Didn't really ask me much about myself, all I had to give was an email address, even giving your name is optional.
-
sunstarunicorn
by sunstarunicorn » 2025-02-16, 00:25
andyprough wrote: ↑2025-02-15, 22:38
Moonchild wrote: ↑2025-02-15, 21:23
but it does mean the code is absolutely malicious because it's intentional!
If that's the case, then a lot more Pale Moon users may want to file Cybersecurity Incident Reports with CISA.gov as I did in my post above:
viewtopic.php?p=259747#p259747
If it's malware, might as well treat it as such.
I am totally onboard with reporting this malicious behavior, but shouldn't we be reporting challenges.cloudflare.com rather than community.cloudflare.com ?
If I understand all the nuances of what folks have found, the malware is embedded in the CloudFlare Human Verification widget. If that's the case, wouldn't it fall under the challenges.cloudflare.com URL rather than the site URL?
Then I shall name you Tinúviel Beria uin Morchaint, which means 'Daughter of Twilight protecting from the Shadows' in Elvish.
Once a King or Queen of Narnia, always a King or Queen.
He is not a tame Lion...but he is Good.
Connect, Respect, Protect.
Let's Keep the Peace!
-
Moonchild
by Moonchild » 2025-02-16, 01:03
I just reported it as an incident impacting my business starting on Jan 31st when it was first reported. Their form was a bit limited in that it is primarily focused on "traditional" hacking, i.e. data breaches, DOS server attacks, etc., but I did my best to provide as much information as I could.
I hope it wasn't a waste of my time, and that it does something.
"A dead end street is a place to turn around and go into a new direction" - Anonymous
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite
-
andyprough
by andyprough » 2025-02-16, 01:13
sunstarunicorn wrote: ↑2025-02-16, 00:25
shouldn't we be reporting challenges.cloudflare.com rather than community.cloudflare.com ?
If I understand all the nuances of what folks have found, the malware is embedded in the CloudFlare Human Verification widget. If that's the case, wouldn't it fall under the challenges.cloudflare.com URL rather than the site URL?
Sounds reasonable to me. I don't mind filing a second one.
-
andyprough
by andyprough » 2025-02-16, 01:17
Moonchild wrote: ↑2025-02-16, 01:03
I hope it wasn't a waste of my time, and that it does something.
Probably won't do much, but it does feel appropriate to be officially calling it malware. Who knows, maybe a CISA office worker will fire off an email to their counterpart at Cloudflare requesting an explanation. That would be progress.
-
Pelican
by Pelican » 2025-02-16, 01:24
Can someone please post a link to test the CF problem using the latest version of PM. One that doesn't need a login.
-
Gemmaugr
by Gemmaugr » 2025-02-16, 01:36
Pelican wrote: ↑2025-02-16, 01:24
Can someone please post a link to test the CF problem using the latest version of PM. One that doesn't need a login.
https://steamdb.info/apps/
It tried loading, then hangs for a dozen seconds, then refreshed the RayID, then hangs again, permanently. At least that's how it went for me just now.
-
__NM64__
by __NM64__ » 2025-02-16, 02:02
You don't even need the "apps" part of the URL; just https://steamdb.info works and is a much easier URL to remember than the "how the crap do you spell that" https://forums.nrvnqsr.com that I myself initially discovered this issue on.
Also, I'm not sure if newer versions of Linux Mint simply handle memory leak situations better, but on my existing Mint 20.3 installation on a system with 32GB of RAM, it basically causes my entire OS to crash. But testing on a fresh install Mint 22.1, it seems to only leak memory until the swap is invoked and then goes back down to just a few hundred megabytes regardless of if the system has 8GB or 24GB of RAM?
CPU: Xeon E3-1246 v3 (4c/8t Haswell/Intel 4th gen) — core & cache @ 3.9GHz via multicore enhancement
GPU: Intel integrated HD Graphics P4600
RAM: 4x8GB Corsair Vengeance @ DDR3-1600
OS: Linux Mint 20.3 Xfce + [VM] Win7 SP1 x64
-
jobbautista9
by jobbautista9 » 2025-02-16, 02:25
Moonchild wrote: ↑2025-02-15, 21:23
After all, if it was a Pale Moon "bug" then mainstream should never hang, no matter if it failed their check in any way, whether UA based or otherwise.
I've tried Floorp (which is a soft fork of Firefox ESR 128 so it should be mainstream enough for CloudFlare) against Danbooru (https://safebooru.donmai.us/) with modified about:config settings, and I was able to fail the check without getting a hang in the tab (it just reloads back into the check).
To reproduce in a Firefox browser, disable HTTP/2 (network.http.http2.enabled) since connecting via HTTP/1.1 triggers the Turnstile check there, and change the UA (general.useragent.override) into something else, like Pale Moon's native UA. That should guarantee both the check and the failure.
-
Pelican
by Pelican » 2025-02-16, 02:34
This link crashes my custom browser (PM 33.7.0a1) and I don't have Pale Moon or Goanna in the user-agent, just Gecko/20100101 and Firefox/115.0 (just like Firefox). I see a message about "Checking if connection is secure..." and a tumbler, and then the browser freezes.
However when I use Firefox with user-agent of Gecko/20100101 Firefox/128.0 I don't get challenged at all.
The problem may not be brand related.
-
__NM64__
by __NM64__ » 2025-02-16, 03:05
Has something changed again? When I was going about testing the handling of memory leaks between Linux Mint versions, I found that the cloudflare loop is no longer doing a memory leak and instead just causing Pale Moon to fully peg a single CPU thread.
(which, assuming you're using any CPU made in the last 15 years, should still leave you with at least a second CPU thread to be able to interact with your OS and kill the Pale Moon process if needed)
-
dinosaur
by dinosaur » 2025-02-16, 08:18
__NM64__ wrote: ↑2025-02-16, 03:05
Has something changed again? When I was going about testing the handling of memory leaks between Linux Mint versions, I found that the cloudflare loop is no longer doing a memory leak and instead just causing Pale Moon to fully peg a single CPU thread.
The infinite recursion does not always happen.
On Thursday, I myself was testing a patch of mine (see attachment) which fixes another bug (a counter underflow which could cause the JavaScript engine to loop billions of times), dealing with functions also appearing in the stack trace we got with the previous crash bug that I already fixed; at first, I thought I nailed the issue with this second bugfix (which is still interesting nonetheless, to avoid other kinds of out-of-memory crashes and/or freezing issues with bogus scripts).
Alas, this bug is not the one causing the OOM issue, and the latter is just not always happening...
-
cannonmc
by cannonmc » 2025-02-16, 13:48
I can't hope to match the techy skills of people posting possible solutions/workarounds but for the 20% of people still using Windows 7 (me) the only two browsers I've found (apart from Chrome and Firefox) that pass the Cloudflare hurdle are
32-bit - Microsoft Edge
64-bit - Waterfox
PS Having looked at so many browsers in short order I now know why I want to use PM. It is a Web Browser. It doesn't try to make me speed dial, sign in for other stuff, check other pages on their sites. It Is a Web Browser.
Last edited by cannonmc on 2025-02-16, 14:49, edited 1 time in total.
-
Moonchild
by Moonchild » 2025-02-16, 14:29
dinosaur wrote: ↑2025-02-16, 08:18
a counter underflow which could cause the JavaScript engine to loop billions of times
Is this patch based on anything Mozilla has done, or is it your own?
-
frostknight
by frostknight » 2025-02-16, 16:41
Pelican wrote: ↑2025-02-16, 02:34
This link crashes my custom browser (PM 33.7.0a1) and I don't have Pale Moon or Goanna in the user-agent, just Gecko/20100101 and Firefox/115.0 (just like Firefox). I see a message about "Checking if connection is secure..." and a tumbler, and then the browser freezes.
33.6 works though I noticed.
Wonder why 33.7 has issues.
Freedom is never more than one generation away from extinction. Feelings are not facts
If you wish to be humbled, try to exalt yourself long term If you wish to be exalted, try to humble yourself long term
Favourite operating systems: Hyperbola Devuan OpenBSD
Say NO to Fascism and Corporatism as much as possible!
Also, Peace Be With us All!
-
dinosaur
by dinosaur » 2025-02-16, 17:36
Moonchild wrote: ↑2025-02-16, 14:29
dinosaur wrote: ↑2025-02-16, 08:18
a counter underflow which could cause the JavaScript engine to loop billions of times
Is this patch based on anything Mozilla has done, or is it your own?
It's my own. Simply scanned the code and spotted this bug.
-
Moonchild
by Moonchild » 2025-02-16, 18:38
dinosaur wrote: ↑2025-02-16, 17:36
It's my own. Simply scanned the code and spotted this bug.
Gotcha. I checked and the check makes sense although we should never get bogus Map data like that. But just-in-case I landed it.
-
aliex
by aliex » 2025-02-16, 20:25
Moonchild wrote: ↑2025-02-15, 18:54
That really isn't true. Anyone can write recursive javascript that will hang up any browser. Something as simple as calling an interval from within an interval callback will literally grind any browser to a halt. Without seeing the unobfuscated source of CF's challenge code (which is of course not available for inspection) there's no telling what is causing this, but the behaviour seems to be typical of a recursive function issue which is by definition a problem in the script.
Would it be possible to have some watchdog thread that, if it is not getting a message after a predetermined interval, would interrupt the JS thread? I mean, there is already some protection against "slow javascript", maybe it is possible to extend it? If any random site can put the browser into a state where the only option is to kill it I think it is not good. By the way, I dug a bit trying to find examples on the web that would crash Chrome or make it hang - and could not.
P. S. I am a C++ developer, but never really looked into browser code. So I realize that what I am suggesting could be hard to implement - what with JIT and whatnot.
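The watchdog idea raised in the post above, as an added example (not Pale Moon or UXP code, and not written by anyone in this thread): a timer thread sets an interrupt flag when a script overruns its time budget, and the script loop polls that flag on every iteration so it can stop cleanly. `RunResult`, `run_script_with_watchdog` and the toy counting loop are hypothetical stand-ins, and the sketch assumes the engine can poll at every loop back-edge, which JIT-compiled code would also have to do.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <cstdint>
#include <cstdio>
#include <mutex>
#include <thread>

struct RunResult {
    bool interrupted;     // true if the watchdog stopped the script
    std::uint64_t steps;  // loop iterations executed before returning
};

// Toy stand-in for a script: max_steps == 0 models a loop that never ends.
RunResult run_script_with_watchdog(std::uint64_t max_steps,
                                   std::chrono::milliseconds budget) {
    std::atomic<bool> interrupt{false};
    std::mutex m;
    std::condition_variable cv;
    bool finished = false;
    // Watchdog: wakes when the script reports completion or the budget expires.
    std::thread watchdog([&] {
        std::unique_lock<std::mutex> lock(m);
        if (!cv.wait_for(lock, budget, [&] { return finished; }))
            interrupt.store(true);  // overrun: ask the script thread to stop
    });
    RunResult r{false, 0};
    while (max_steps == 0 || r.steps < max_steps) {
        ++r.steps;  // one unit of "script" work
        // Poll at the loop back-edge, where the script can be abandoned safely.
        if (interrupt.load(std::memory_order_relaxed)) {
            r.interrupted = true;
            break;
        }
    }
    {
        std::lock_guard<std::mutex> lock(m);
        finished = true;  // tell the watchdog it is no longer needed
    }
    cv.notify_one();
    watchdog.join();
    return r;
}

int main() {
    RunResult hung = run_script_with_watchdog(0, std::chrono::milliseconds(50));
    std::printf("interrupted=%d after %llu steps\n", hung.interrupted,
                static_cast<unsigned long long>(hung.steps));
}
```

The flag is cooperative: the watchdog never kills the script thread, it only requests a stop, so a loop that contains no poll would still hang.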