Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Exploits-HackingTools
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[NEWS] Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)

from [SecuriTeam] Network Security [Permanent Link]
Subject: [NEWS] Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)
Date: 15 Mar 2005 16:13:00 +0200 
The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Buffer Overflow in Mozilla Browser Firefox (Heap Corruption)
------------------------------------------------------------------------


SUMMARY

Remote exploitation of a design error allows an attacker to cause heap 
corruption in the Mozilla browser as well as in Mozilla Firefox, resulting 
in execution of arbitrary code.

DETAILS

Vulnerable Systems:
 * Mozilla Suite version 1.7.3
 * Thunderbird version 1.0
 * Mozilla Firefox version 1.0

Immune Systems:
 * Mozilla Suite version 1.7.6
 * Thunderbird version 1.0.1
 * Mozilla Firefox version 1.0.1

The vulnerability specifically exists in string handling functions, such 
as nsCSubstring::Append, which rely on functions in the file 
mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions, such as 
nsTSubstring_CharT::Replace() fail to check the return value of functions 
which resize the string.

xpcom/string/src/nsTSubstring.cpp:
1. size_type length = tuple.Length();
 cutStart = PR_MIN(cutStart, Length());

2. ReplacePrep(cutStart, cutLength, length);

3. if (length > 0)
 tuple.WriteTo(mData + cutStart, length);

At [1], length is set to the length of the string to be copied, which is 
the passed to ReplacePrep() at [2]. If the reallocation performed by this 
function fails sets mData to a fixed address.
mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
mLength = 0;

The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:
static const PRUnichar gNullChar = 0;
const char* nsCharTraits<char> ::sEmptyBuffer = (const char*) &gNullChar;

As the return value is not checked, if the function fails mData is 
pointing at a known memory location. By causing memory to be consumed 
until an out of memory condition occurs, and controlling the value of  the 
string to append, it is possible at [3] to cause arbitrary data to be 
placed in a known location, allowing execution of arbitrary code.

This vulnerability would rely on both knowing the version of the browser, 
which could be obtained from the User-Agent string passed to a malicious 
server, and being able to cause memory exhaustion. It may be possible to 
cause memory exhaustion remotely by either sending a large amount of data 
to the client in the headers, which would require a large amount of 
bandwidth or by using compression to reduce the amount of data that needs 
to be sent to the client, either via a server module like the Apache HTTPd 
mod_deflate, or a file such as a ZIP file referenced by a jar: URI. It 
also may be possible to use a JavaScript to allocate enough memory to 
trigger this vulnerability.

As this vulnerability is triggered in an out of memory condition, it may 
be easier to exploit on systems which have restricted the amount of memory 
a user or process may use.

Vendor Status:
The vendor has confirmed the bug:  
<http://www.mozilla.org/security/announce/mfsa2005-18.html> 
http://www.mozilla.org/security/announce/mfsa2005-18.html
The problem had been fixed with new versions of Mozilla's products.

Disclosure Timeline:
02/09/2005 - Initial vendor notification
02/09/2005 - Initial vendor response
02/28/2005 - Coordinated public disclosure


ADDITIONAL INFORMATION

The information has been provided by  <mailto:labs-no-reply@idefense.com> 
iDEFENSE Labs.
The original article can be found at:  
<http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true>
 
http://www.idefense.com/application/poi/display?id=200&type=vulnerabilities&flashstatus=true



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@securiteam.com 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@securiteam.com 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [NEWS] Buffer Overflow in Mozilla Browser Firefox (Heap Corruption), SecuriTeam <=
Previous by Date:  [EXPL] OpenBSD TCP TIMESTAMP Remote DoS, SecuriTeam
Next by Date:  [UNIX] Multiple Vulnerabilities in cURL/libcURL (Kerberos Authentication, NTLM Authentication), SecuriTeam
Previous by Thread:  [EXPL] OpenBSD TCP TIMESTAMP Remote DoS, SecuriTeam
Next by Thread:  [UNIX] Multiple Vulnerabilities in cURL/libcURL (Kerberos Authentication, NTLM Authentication), SecuriTeam
Indexes:  [Date] [Thread] [Top] [All Lists]