CERT VU#573857
Sep 09, 2005 - 12:00 a.m.

Mozilla-based browsers contain a buffer overflow in handling URIs containing a malformed IDN hostname

www.kb.cert.org

CVSS2: 7.5 High

  * Access Vector: NETWORK
  * Access Complexity: LOW
  * Authentication: NONE
  * Confidentiality Impact: PARTIAL
  * Integrity Impact: PARTIAL
  * Availability Impact: PARTIAL

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.964 High (Percentile: 99.6%)

Overview

A vulnerability in the way Mozilla products and derivative programs handle certain malformed URIs could allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Mozilla products, including the Mozilla Suite and Mozilla Firefox, are vulnerable to a buffer overflow in the way they handle URIs containing certain IDN-encoded hostnames. An error in the conversion of a hostname consisting of Unicode “soft hyphen” characters (U+00AD) to the UTF-8 character set will cause a buffer overflow. By convincing a user to view an HTML document (e.g., via a web page or email message), an attacker could execute arbitrary code with the privileges of the user running the vulnerable application.

Note: Exploit code for this vulnerability is publicly available.
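A content-filtering check for the input class described above, added here as an example (it is not CERT or Mozilla code): it lists the URIs in an HTML document whose hostname contains U+00AD, whether the character appears raw, as an HTML character reference, or percent-encoded as UTF-8. The function name, the set of attributes inspected, and the sample markup are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, unquote

SOFT_HYPHEN = "\u00ad"
URI_ATTRS = {"href", "src", "action"}  # assumption: attributes worth inspecting


class _UriCollector(HTMLParser):
    """Collect URI attributes; HTMLParser decodes &shy; / &#173; for us."""
    def __init__(self):
        super().__init__()
        self.uris = []

    def handle_starttag(self, tag, attrs):
        self.uris += [v for k, v in attrs if k in URI_ATTRS and v]


def soft_hyphen_hosts(html_text):
    """Return the URIs in html_text whose hostname contains U+00AD."""
    collector = _UriCollector()
    collector.feed(html_text)
    collector.close()
    flagged = []
    for uri in collector.uris:
        try:
            netloc = urlsplit(uri).netloc
        except ValueError:
            flagged.append(uri)  # unparseable authority: surface for review
            continue
        host = netloc.rsplit("@", 1)[-1]  # drop any userinfo
        if SOFT_HYPHEN in unquote(host):  # raw, or %C2%AD once decoded
            flagged.append(uri)
    return flagged


# Constructed sample markup (not taken from any real page).
SAMPLE_HTML = (
    '<a href="https://example.test/docs">plain ASCII host</a>\n'
    '<a href="https://exam\u00adple.test/">raw U+00AD in host</a>\n'
    '<img src="http://exam&shy;ple.test/logo.png">\n'
    '<a href="http://exam%C2%ADple.test/">percent-encoded U+00AD</a>\n'
    '<a href="https://example.test/soft\u00adhyphen">U+00AD in path only</a>\n'
)

if __name__ == "__main__":
    for uri in soft_hyphen_hosts(SAMPLE_HTML):
        print("U+00AD in hostname:", ascii(uri))
```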


Impact

A remote attacker may be able to execute arbitrary code on a vulnerable system. The code would be executed in the context of the user running the vulnerable browser. In some instances, exploitation may only cause the browser to crash, resulting in a denial of service.


Solution

Upgrade

The Mozilla project has released version 1.0.7 of the Firefox web browser which includes a patch for this issue. Firefox users are encouraged to upgrade to this version of the software.

The Mozilla project has also released version 1.7.12 of the Mozilla Suite product which includes a patch for this issue. Mozilla Suite users are encouraged to upgrade to this version of the software.


Workarounds

Disable the use of IDN

Mozilla and Firefox users are encouraged to consider disabling IDN. While implementing this workaround does not correct the buffer overflow error, it prevents the vulnerable portion of code from being exploited. This can be accomplished by adding the following line to the prefs.js file:

user_pref("network.enableIDN", false);

or by following these steps:

  1. Open the browser, type about:config into the location bar, and hit enter.
  2. In the “Filter” dialog box, enter “network.enableIDN” (without the quotation marks) and hit enter.
  3. A single Preference Name should appear in the results.
  4. Double-click on the result. In Firefox, this will toggle the value from true to false. In Mozilla, this will open a dialog box titled “Enter boolean value.” Enter “false” into this box and hit enter.
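To confirm the workaround on more than one profile, the check below (an added example, not part of the CERT note) reads prefs.js and reports whether network.enableIDN is explicitly set to false. It assumes that a missing entry leaves IDN enabled, in line with the steps above toggling the value from true to false; the function names and sample file contents are constructed.

```python
import re
from pathlib import Path

PREF = "network.enableIDN"
# Matches an active line of the form: user_pref("name", value);
# Lines commented out with // do not match because of the ^\s* anchor.
PREF_LINE = re.compile(
    r'^\s*user_pref\(\s*"(?P<name>[^"]+)"\s*,\s*(?P<value>.+?)\s*\)\s*;', re.M
)


def idn_setting(prefs_text):
    """Return 'false', 'true', or None (unset) for network.enableIDN.

    A later user_pref() call for the same name replaces an earlier one,
    so the last matching line is the one reported.
    """
    value = None
    for m in PREF_LINE.finditer(prefs_text):
        if m.group("name") == PREF:
            value = m.group("value").strip().lower()
    return value


def workaround_applied(prefs_text):
    """True only when IDN is explicitly disabled in the given prefs text."""
    return idn_setting(prefs_text) == "false"


def audit_profiles(root):
    """Map every prefs.js found under root to whether the workaround is set."""
    return {
        str(p): workaround_applied(p.read_text(encoding="utf-8", errors="replace"))
        for p in sorted(Path(root).rglob("prefs.js"))
    }


# Constructed sample file contents.
PATCHED = (
    '// constructed sample\n'
    'user_pref("browser.startup.homepage", "about:blank");\n'
    'user_pref("network.enableIDN", false);\n'
)
UNSET = 'user_pref("browser.startup.homepage", "about:blank");\n'
COMMENTED = '// user_pref("network.enableIDN", false);\n'

if __name__ == "__main__":
    for label, text in (("patched", PATCHED), ("unset", UNSET), ("commented", COMMENTED)):
        print(label, "->", "IDN disabled" if workaround_applied(text) else "IDN still enabled")
```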

Vendor Information


Fedora Project: Affected

Updated: September 19, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Fedora Project has released the following update notifications in response to this issue:

  * [FEDORA-2005-871](<https://www.redhat.com/archives/fedora-announce-list/2005-September/msg00038.html>)
  * [FEDORA-2005-872](<https://www.redhat.com/archives/fedora-announce-list/2005-September/msg00039.html>)
  * [FEDORA-2005-873](<https://www.redhat.com/archives/fedora-announce-list/2005-September/msg00040.html>)
  * [FEDORA-2005-874](<https://www.redhat.com/archives/fedora-announce-list/2005-September/msg00041.html>)

Users are encouraged to review these notices and apply the appropriate patches that they refer to.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23573857 Feedback>).

Gentoo Linux: Affected

Updated: September 19, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo Linux security team has published Gentoo Linux Security Advisory GLSA 200509-11 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


Mozilla, Inc.: Affected

Notified: September 09, 2005 Updated: September 09, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Mozilla Foundation Security Team has published preliminary solution information in the following document:

What Mozilla users should know about the IDN buffer overflow security issue


Red Hat, Inc.: Affected

Updated: September 16, 2005

Status

Affected

Vendor Statement

`This issue affects the Firefox browser as shipped in Red Hat Enterprise
Linux 4, and the Mozilla browser in Red Hat Enterprise Linux 2.1, 3, and
4. Updated Firefox and Mozilla packages to correct this issue are
available at the URL below and by using the Red Hat Network ‘up2date’
tool.

<http://rhn.redhat.com/errata/CAN-2005-2871.html>`

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu: Affected

Updated: September 16, 2005

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Ubuntu Linux security team has published Ubuntu Security Notice USN-181-1 in response to this issue. Users are encouraged to review this notice and apply the patches that it refers to.



Acknowledgements

This vulnerability was reported by Tom Ferris.

This document was written by Chad Dougherty and Will Dormann.

Other Information

CVE IDs: CVE-2005-2871
Severity Metric: 19.13
Date Public:
