[NEWS] Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)

From: SecuriTeam (support_at_securiteam.com)
Date: 03/15/05

  • Next message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in cURL/libcURL (Kerberos Authentication, NTLM Authentication)" 
    To: list@securiteam.com
Date: 15 Mar 2005 16:13:00 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)
    ------------------------------------------------------------------------

    SUMMARY

    Remote exploitation of a design error allows an attacker to cause heap
    corruption in the Mozilla browser as well as in Mozilla Firefox, resulting
    in execution of arbitrary code.

    DETAILS

    Vulnerable Systems:
     * Mozilla Suite version 1.7.3
     * Thunderbird version 1.0
     * Mozilla Firefox version 1.0

    Immune Systems:
     * Mozilla Suite version 1.7.6
     * Thunderbird version 1.0.1
     * Mozilla Firefox version 1.0.1

    The vulnerability specifically exists in string handling functions, such
    as nsCSubstring::Append, which rely on functions in the file
    mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions, such as
    nsTSubstring_CharT::Replace() fail to check the return value of functions
    which resize the string.

    xpcom/string/src/nsTSubstring.cpp:
    1. size_type length = tuple.Length();
     cutStart = PR_MIN(cutStart, Length());

    2. ReplacePrep(cutStart, cutLength, length);

    3. if (length > 0)
     tuple.WriteTo(mData + cutStart, length);

    At [1], length is set to the length of the string to be copied, which is
    the passed to ReplacePrep() at [2]. If the reallocation performed by this
    function fails sets mData to a fixed address.
    mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
    mLength = 0;

    The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:
    static const PRUnichar gNullChar = 0;
    const char* nsCharTraits<char> ::sEmptyBuffer = (const char*) &gNullChar;

    As the return value is not checked, if the function fails mData is
    pointing at a known memory location. By causing memory to be consumed
    until an out of memory condition occurs, and controlling the value of the
    string to append, it is possible at [3] to cause arbitrary data to be
    placed in a known location, allowing execution of arbitrary code.

    This vulnerability would rely on both knowing the version of the browser,
    which could be obtained from the User-Agent string passed to a malicious
    server, and being able to cause memory exhaustion. It may be possible to
    cause memory exhaustion remotely by either sending a large amount of data
    to the client in the headers, which would require a large amount of
    bandwidth or by using compression to reduce the amount of data that needs
    to be sent to the client, either via a server module like the Apache HTTPd
    mod_deflate, or a file such as a ZIP file referenced by a jar: URI. It
    also may be possible to use a JavaScript to allocate enough memory to
    trigger this vulnerability.

    As this vulnerability is triggered in an out of memory condition, it may
    be easier to exploit on systems which have restricted the amount of memory
    a user or process may use.

    Vendor Status:
    The vendor has confirmed the bug:
    <http://www.mozilla.org/security/announce/mfsa2005-18.html>
    http://www.mozilla.org/security/announce/mfsa2005-18.html
    The problem had been fixed with new versions of Mozilla's products.

    Disclosure Timeline:
    02/09/2005 - Initial vendor notification
    02/09/2005 - Initial vendor response
    02/28/2005 - Coordinated public disclosure

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:labs-no-reply@idefense.com>
    iDEFENSE Labs.
    The original article can be found at:
    <http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true> http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

  • Next message: SecuriTeam: "[UNIX] Multiple Vulnerabilities in cURL/libcURL (Kerberos Authentication, NTLM Authentication)"

    Relevant Pages