
| Subject: | [Full-Disclosure] Heap overflow in Mozilla Browser <= 1.7.3 NNTP code. |
|---|---|
| Date: | Wed, 29 Dec 2004 22:24:21 +0100 (CET) |
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Synopsis:  Heap overflow in Mozilla Browser <= 1.7.3 NNTP code.
Product:   Mozilla Browser
Version:   <= 1.7.3
Vendor:    http://www.mozilla.org/
URL:       http://isec.pl/vulnerabilities/isec-0020-mozilla.txt
CVE:       not assigned
Author:    Maurycy Prodeus <z33d@isec.pl>
Date:      Dec 29, 2004

Issue:
======

A critical security vulnerability has been found in the Mozilla Project code that handles the NNTP protocol.

Details:
========

The Mozilla browser supports NNTP URLs, so a remote page can make the browser open a news:// connection to any server. A flaw in the NNTP handling code can cause a heap overflow and allow a remote attacker to execute arbitrary code on the client machine.

The buggy function, MSG_UnEscapeSearchUrl from nsNNTPProtocol.cpp (lines 329-355 in 1.7.3):

```cpp
char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
  // The output can never be longer than the input: each "\XX" escape turns
  // three input bytes into one, so strlen + 1 covers the terminator.
  char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
  if (result)
  {
    char *resultPtr = result;
    while (1)
    {
      char ch = *commandSpecificData++;
      if (!ch)
        break;
      if (ch == '\\')
      {
        // No check that two more characters exist. If '\' is the last
        // character, these two reads take the NUL terminator and the byte
        // after it, and the loop continues past the end of the string.
        char scratchBuf[3];
        scratchBuf[0] = (char) *commandSpecificData++;
        scratchBuf[1] = (char) *commandSpecificData++;
        scratchBuf[2] = '\0';
        int accum = 0;
        PR_sscanf(scratchBuf, "%X", &accum);
        *resultPtr++ = (char) accum;
      }
      else
        *resultPtr++ = ch;
    }
    *resultPtr = '\0';
  }
  return result;
}
```

The result buffer holds strlen(commandSpecificData) + 1 bytes, which is enough as long as every '\' is followed by two characters: each "\XX" escape consumes three input bytes and produces one output byte. The loop never verifies that those two characters exist. When the last character of the input is '\', the first read after it takes the terminating NUL into scratchBuf[0] and the second reads the byte beyond the end of the source string, leaving commandSpecificData pointing past the terminator, so the loop never sees the end of the string. PR_sscanf finds no hex digits in the now-empty scratchBuf, accum stays 0 and a NUL byte is stored, after which the loop keeps copying whatever lies in memory after the source string into result until it happens to hit a zero byte. Every byte copied after the original terminator is beyond the allocation and overflows the heap buffer.

Affected Versions
=================

Mozilla Browser <= 1.7.3 with mozilla-mail

Solution
========

This bug is fixed in Mozilla 1.7.5 (Bug 264388).

Mozilla developer Dan Veditz claims that it is not exploitable: "A '\' on the end will certainly trash memory, but at that point you're no longer reading attacker-supplied data;". On my RedHat 9.0 with Mozilla 1.7.3, the attached proof-of-concept code overflows the buffer using attacker-supplied data.

I decided to make this bug public because the Mozilla Team hasn't warned users.

Exploitation
============

I have attached a proof-of-concept HTML file which causes heap corruption and crashes the Mozilla 1.7.3 browser (with mozilla-mail). The news server must exist and be reachable.

- --
Maurycy Prodeus
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFB0yCXC+8U3Z5wpu4RAgmGAKDrytVxxUc0vS/9+BZNf+P+lGyoLQCeL5wN
atw5z5/GvBsG9SVKWeGZSbk=
=eTqU
-----END PGP SIGNATURE-----
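The following is an added example, not part of the advisory or of the Mozilla code base. It ports the loop from MSG_UnEscapeSearchUrl to plain C (standard sscanf stands in for PR_sscanf, with the same "%X" semantics for this use) and runs it over a constructed byte string that models a search string ending in '\' followed by a few unrelated heap bytes, counting how many bytes the original logic writes against the strlen + 1 it allocates. Beside it is a hardened decoder, safe_unescape, that rejects a truncated or non-hex escape and cannot read past the terminator. The names sample_heap, model_unescape, overflow_bytes, hex_val and safe_unescape are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample memory (not a real capture): the string "ab\" as the
 * caller sees it, followed by four bytes that stand in for whatever
 * happens to sit after it on the heap, then a NUL so the demo terminates. */
static const char sample_heap[] = "ab\\\0CDEF";

/* Port of the loop in MSG_UnEscapeSearchUrl. The reads from 'src' are
 * unchecked, exactly as in the original. The only change is on the write
 * side: output goes to a caller-supplied buffer of out_cap bytes and stops
 * (but keeps counting) once that is full, so the demonstration itself is
 * memory-safe. Returns the number of bytes, terminator included, that the
 * original code would have written into its strlen + 1 allocation. */
size_t model_unescape(const char *src, char *out, size_t out_cap)
{
    size_t n = 0;
    for (;;) {
        char ch = *src++;
        if (!ch)
            break;
        if (ch == '\\') {
            char scratch[3];
            scratch[0] = *src++;            /* reads the NUL if '\' is last */
            scratch[1] = *src++;            /* ... and this reads past it   */
            scratch[2] = '\0';
            unsigned int accum = 0;
            sscanf(scratch, "%X", &accum);  /* "" matches nothing: accum 0 */
            ch = (char)accum;
        }
        if (n < out_cap)
            out[n] = ch;
        n++;
    }
    if (n < out_cap)
        out[n] = '\0';
    return n + 1;
}

/* Bytes written beyond the strlen + 1 allocation for the sample string. */
size_t overflow_bytes(void)
{
    char scratch_out[32];
    size_t written   = model_unescape(sample_heap, scratch_out, sizeof scratch_out);
    size_t allocated = strlen(sample_heap) + 1;
    return written > allocated ? written - allocated : 0;
}

static int hex_val(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Hardened decoder: iterates by index up to strlen, so it can never read past
 * the terminator, and rejects an escape that is truncated or not two hex
 * digits by returning NULL. A "\00" escape still yields an embedded NUL;
 * callers that cannot tolerate that should reject accum == 0 as well. */
char *safe_unescape(const char *s)
{
    size_t len = strlen(s);
    char *result = malloc(len + 1);
    if (!result)
        return NULL;
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        char ch = s[i];
        if (ch == '\\') {
            if (i + 2 >= len) { free(result); return NULL; }   /* truncated */
            int hi = hex_val((unsigned char)s[i + 1]);
            int lo = hex_val((unsigned char)s[i + 2]);
            if (hi < 0 || lo < 0) { free(result); return NULL; } /* not hex */
            ch = (char)((hi << 4) | lo);
            i += 2;
        }
        result[n++] = ch;
    }
    result[n] = '\0';
    return result;
}

int main(void)
{
    printf("sample \"ab\\\": allocated %zu bytes, original loop writes %zu more than that\n",
           strlen(sample_heap) + 1, overflow_bytes());
    char *ok = safe_unescape("a\\41b");
    printf("safe_unescape(\"a\\41b\") = %s\n", ok ? ok : "(rejected)");
    free(ok);
    char *bad = safe_unescape("ab\\");
    printf("safe_unescape(\"ab\\\")   = %s\n", bad ? bad : "(rejected)");
    free(bad);
    return 0;
}
```

With the sample, the original loop stores 'a', 'b', a NUL for the empty escape, then 'D', 'E', 'F' and a terminator: seven bytes into a four-byte allocation. How far the copy runs, and what it copies, depends entirely on what follows the string in memory, which is why the page's author and Mozilla disagree about whether those bytes can be attacker-controlled.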
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html