[NEWS] Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability
From: SecuriTeam (support_at_securiteam.com)
Date: 08/04/04
To: list@securiteam.com
Date: 4 Aug 2004 00:58:37 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability
------------------------------------------------------------------------
SUMMARY
SOAP is an XML-based messaging protocol which defines a set of rules for
structuring messages, and can be used for web-based applications.
Improper validation of input to the SOAPParameter object constructor in
Netscape and Mozilla allows execution of arbitrary code.
DETAILS
Vulnerable Systems:
* Netscape versions 7.0, 7.1
* Mozilla version 1.6
Immune Systems:
* Mozilla version 1.7.1
CVE Information:
CAN-2004-0722 <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0722>
The SOAPParameter object's constructor contains an integer overflow which
allows controllable heap corruption. A web page can be constructed to
leverage this into remote execution of arbitrary code. Upon successful
exploitation, a remote attacker is able to execute arbitrary code in the
context of the user running the browser.
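The advisory does not give the arithmetic inside the constructor, so the following added example (not Mozilla or iDEFENSE code) illustrates the general bug class instead: a caller-supplied element count multiplied into a byte size that wraps, next to a checked allocation that rejects it. The names param_t, naive_alloc_size and checked_alloc_params, and the sample count, are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical 8-byte parameter record; not a Mozilla structure. */
typedef struct { uint32_t name_id; uint32_t value_id; } param_t;

/* Unchecked size computation in 32-bit arithmetic. For a large enough
   count the product wraps modulo 2^32, so the resulting buffer size is
   far smaller than the number of elements later written into it. */
static uint32_t naive_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(param_t);
}

/* Hardened form: reject any count whose byte size cannot be represented
   in 32 bits before allocating. Returns 0 on success, -1 when the count
   is rejected or the allocation fails; *out is NULL on failure. */
static int checked_alloc_params(uint32_t count, param_t **out) {
    *out = NULL;
    if (count == 0 || count > UINT32_MAX / sizeof(param_t))
        return -1;
    *out = calloc(count, sizeof(param_t));
    return *out ? 0 : -1;
}

int main(void) {
    uint32_t hostile = 0x20000001u;  /* constructed caller-supplied count */
    param_t *p = NULL;

    /* 0x20000001 * 8 = 0x100000008, which truncates to 8 bytes. */
    printf("naive size for %u items: %u bytes\n",
           (unsigned)hostile, (unsigned)naive_alloc_size(hostile));
    printf("checked allocation for the same count: %d\n",
           checked_alloc_params(hostile, &p));

    if (checked_alloc_params(16, &p) == 0) {
        printf("16 items allocated: %u bytes\n",
               (unsigned)naive_alloc_size(16));
        free(p);
    }
    return 0;
}
```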
Workaround
One possibility is to disable JavaScript in the browser. However, many
sites will not work properly with it disabled, since JavaScript is a major
part of many websites.
Another alternative is to upgrade to the latest version of the Mozilla
browser (1.7.1), which is not vulnerable to this integer overflow.
Disclosure Timeline
01/17/2004 Exploit acquired by iDEFENSE.
03/05/2004 Bug sent to Netscape Security Bug form at
           http://cgi.netscape.com/cgi-bin/bug-security.cgi
03/05/2004 Bug entered into bugzilla.mozilla.org at
           http://bugzilla.mozilla.org/show_bug.cgi?id=236618
03/05/2004 iDEFENSE clients notified
07/09/2004 Patch submitted into Mozilla source tree. It can be found at
           http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22
08/02/2004 Public disclosure
ADDITIONAL INFORMATION
The information has been provided by iDEFENSE Security Labs
<mailto:idlabs-advisories@idefense.com>.