RE: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow
From: Larry Seltzer (larry_at_larryseltzer.com)
Date: 09/09/05
- Previous message: Martin Pitt: "[Full-disclosure] [USN-178-1] Linux kernel vulnerabilities"
- In reply to: Tom Ferris: "[Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow"
- Next in thread: Dave Aitel: "Re: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow"
- Reply: Dave Aitel: "Re: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'Tom Ferris'" <tommy@security-protocols.com>, <full-disclosure@lists.grok.org.uk> Date: Fri, 9 Sep 2005 07:12:04 -0400
Two interesting points:
1) It took several minutes and more browsing elsewhere (in Bugzilla) before
my browser blew up after testing the POC.
2) When you reported a "Windows XP SP2 IE 6.0 Vulnerability"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2891)
and a "Windows XP SP2 Remote Kernel DoS"
(http://security-protocols.com/modules.php?name=News&file=article&sid=2783)
you left the details of the bug and the POC out. Personally, I generally
approve of that, but why don't Mozilla users deserve as much consideration?
Larry Seltzer
eWEEK.com Security Center Editor
http://security.eweek.com/
http://blog.ziffdavis.com/seltzer
Contributing Editor, PC Magazine
larryseltzer@ziffdavis.com
-----Original Message-----
From: full-disclosure-bounces@lists.grok.org.uk
[mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf Of Tom Ferris
Sent: Friday, September 09, 2005 2:10 AM
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow
Mozilla Firefox "Host:" Buffer Overflow
Release Date:
September 8, 2005
Date Reported:
September 4, 2005
Severity:
Critical
Vendor:
Mozilla
Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)
Overview:
A buffer overflow vulnerability exists within Firefox version 1.0.6 and all
other prior versions which allows for an attacker to remotely execute
arbitrary code on an affected host.
Technical Details:
The problem seems to be when a hostname which has all dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but
is sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen
and then appends the long string of dashes to the buffer instead. The
following HTML code below will reproduce this issue:
<A HREF=https:--------------------------------------------- >
Simple, huh? ;-]
Vendor Status:
Mozilla was notified, and im guessing they are working on a patch. Who knows
though?
Discovered by:
Tom Ferris
Related Links:
www.security-protocols.com/firefox-death.html
www.security-protocols.com/advisory/sp-x17-advisory.txt
www.security-protocols.com/modules.php?name=News&file=article&sid=2910
Greetings:
chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and
the rest of the angrypacket krew.
Copyright (c) 2005 Security-Protocols.com
Thanks,
Tom Ferris
Researcher
www.security-protocols.com
Key fingerprint = 0DFA 6275 BA05 0380 DD91 34AD C909 A338 D1AF 5D78
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
- Previous message: Martin Pitt: "[Full-disclosure] [USN-178-1] Linux kernel vulnerabilities"
- In reply to: Tom Ferris: "[Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow"
- Next in thread: Dave Aitel: "Re: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow"
- Reply: Dave Aitel: "Re: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
