[NEWS] Mozilla Network Security Services SSLv2 Server Stack Overflow Vulnerability

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Mozilla Network Security Services SSLv2 Server Stack Overflow
Vulnerability
------------------------------------------------------------------------


SUMMARY

<http://www.mozilla.org/projects/security/pki/nss/tools/> Network
Security Services (NSS) is a set of libraries designed to support
cross-platform development of security-enabled client and server
applications, providing support for, among others, SSL (Secure Socket
Layer) protocol version 2 and 3.

Remote exploitation of an input validation error causing an integer
underflow in version 3.10 of the Mozilla Foundation's Network Security
Services (NSS) may allow an attacker to cause a stack-based buffer
overflow and execute arbitrary code on the affected application.

DETAILS

Vulnerable Systems:
* Mozilla Network Security Services versions 3.10 and 3.11.3
* These libraries are used in a variety of products from multiple vendors
including Sun Microsystems, Red Hat and Mozilla.
* Previous versions are also likely to be affected.
* The names 'libnss3.so' on Linux based systems or 'nss3.dll' on Windows
based systems may indicate the library is being used by an application.

The vulnerability specifically exists in code responsible for handling the
client master key. While negotiating an SSLv2 session, a client can
specify invalid parameters which causes an integer underflow. The
resulting value is used as the amount of memory to copy into a fixed size
stack buffer. As a result, a potentially exploitable stack-based buffer
overflow condition occurs.

Successful exploitation of this vulnerability would allow an attacker to
execute arbitrary code in the context of the affected server. No
authentication is required to reach the vulnerable code. No user
interaction is required.

Since this vulnerability is in library code used by multiple applications,
the details of how an attacker would exploit it vary. In all cases, an
attacker would need to specify invalid parameters as part of the SSLv2
handshake.

Code execution has been demonstrated to be possible under Windows 2000
with a server utilizing the affected library. Depending on the precise
details of the server, this vulnerability may also be exploitable on other
platforms.

Vendor Status:
The Mozilla Foundation has addressed this vulnerability in
<http://www.mozilla.org/security/announce/2007/mfsa2007-06.html> Mozilla
Foundation Security Advisory 2007-06.

Disclosure Timeline:
* 12/18/2006 - Initial vendor notification
* 12/19/2006 - Initial vendor response
* 02/23/2007 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by iDefense.
The original article can be found at:

<http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=483>
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=483



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

Relevant Pages