From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 15 Mar 2005 16:13:00 +0200
Subject: [NEWS] Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20050315154427.A39CA5820@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)
------------------------------------------------------------------------
SUMMARY
Remote exploitation of a design error allows an attacker to cause heap
corruption in the Mozilla browser as well as in Mozilla Firefox, resulting
in execution of arbitrary code.
DETAILS
Vulnerable Systems:
* Mozilla Suite version 1.7.3
* Thunderbird version 1.0
* Mozilla Firefox version 1.0
Immune Systems:
* Mozilla Suite version 1.7.6
* Thunderbird version 1.0.1
* Mozilla Firefox version 1.0.1
The vulnerability specifically exists in string handling functions, such
as nsCSubstring::Append, which rely on functions in the file
mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions, such as
nsTSubstring_CharT::Replace() fail to check the return value of functions
which resize the string.
xpcom/string/src/nsTSubstring.cpp:
1. size_type length = tuple.Length();
cutStart = PR_MIN(cutStart, Length());
2. ReplacePrep(cutStart, cutLength, length);
3. if (length > 0)
tuple.WriteTo(mData + cutStart, length);
At [1], length is set to the length of the string to be copied, which is
the passed to ReplacePrep() at [2]. If the reallocation performed by this
function fails sets mData to a fixed address.
mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
mLength = 0;
The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:
static const PRUnichar gNullChar = 0;
const char* nsCharTraits<char> ::sEmptyBuffer = (const char*) &gNullChar;
As the return value is not checked, if the function fails mData is
pointing at a known memory location. By causing memory to be consumed
until an out of memory condition occurs, and controlling the value of the
string to append, it is possible at [3] to cause arbitrary data to be
placed in a known location, allowing execution of arbitrary code.
This vulnerability would rely on both knowing the version of the browser,
which could be obtained from the User-Agent string passed to a malicious
server, and being able to cause memory exhaustion. It may be possible to
cause memory exhaustion remotely by either sending a large amount of data
to the client in the headers, which would require a large amount of
bandwidth or by using compression to reduce the amount of data that needs
to be sent to the client, either via a server module like the Apache HTTPd
mod_deflate, or a file such as a ZIP file referenced by a jar: URI. It
also may be possible to use a JavaScript to allocate enough memory to
trigger this vulnerability.
As this vulnerability is triggered in an out of memory condition, it may
be easier to exploit on systems which have restricted the amount of memory
a user or process may use.
Vendor Status:
The vendor has confirmed the bug:
<http://www.mozilla.org/security/announce/mfsa2005-18.html>;
http://www.mozilla.org/security/announce/mfsa2005-18.html
The problem had been fixed with new versions of Mozilla's products.
Disclosure Timeline:
02/09/2005 - Initial vendor notification
02/09/2005 - Initial vendor response
02/28/2005 - Coordinated public disclosure
ADDITIONAL INFORMATION
The information has been provided by <mailto:labs-no-reply@idefense.com.>
iDEFENSE Labs.
The original article can be found at:
<http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true>; http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
