Mozilla Prism v1.0b4 - Stack Overflow Vulnerability

2011-08-29T00:00:00
ID VULNERLAB:80
Type vulnerlab
Reporter Vulnerability Research Laboratory
Modified 2011-08-29T00:00:00

Description

Document Title:
===============
Mozilla Prism v1.0b4 - Stack Overflow Vulnerability


References (Source):
====================
Video: http://www.vulnerability-lab.com/get_content.php?id=217


Release Date:
=============
2011-08-29


Vulnerability Laboratory ID (VL-ID):
====================================
80


Common Vulnerability Scoring System:
====================================
7.3


Product & Service Introduction:
===============================
Prism is designed to create a better environment for running your favorite web-based applications. Much of what 
we used to accomplish using an application running locally on our computers is moving into the web browser. 
Thanks to advances in web technology, these apps are increasingly powerful and usable. As a result, applications 
like Gmail, Facebook and Google Docs are soaring in popularity.

(Copy of Vendor Homepage: http://labs.mozilla.com/prism/)



Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a buffer overflow vulnerability in the Mozilla Prism secure browser engine.


Vulnerability Disclosure Timeline:
==================================
2011-09-01:	Public or Non-Public Disclosure


Discovery Status:
=================
Published


Affected Product(s):
====================

Exploitation Technique:
=======================
Remote


Severity Level:
===============
High


Technical Details & Description:
================================
A buffer overflow vulnerability has been detected in Mozilla Prism.
The Prism software and add-on apply no size restriction or exception handling to the URL input. Local attackers can generate specially crafted containers
that compromise the local/remote system on execution. Remote code execution via network container files is also possible but requires user interaction.

Vulnerable Module(s):
    [+] URL
    [+] Name


--- Exception Logs ---

  Problemereignisname:		BEX
  Anwendungsname:		prism.exe
  Anwendungsversion:		1.9.0.3405
  Anwendungszeitstempel:	49f89f9d
  Fehlermodulname:		StackHash_1477
  Fehlermodulversion:		0.0.0.0
  Fehlermodulzeitstempel:	00000000
  Ausnahmeoffset:		00390039
  Ausnahmecode:			c0000005
  Ausnahmedaten:		00000008
  Betriebsystemversion:		6.0.6002.2.2.0.768.3
  Gebietsschema-ID:		1031
  Zusatzinformation 1:		1477
  Zusatzinformation 2:		528bb57b980c1da9bf8c456a3876b4b2
  Zusatzinformation 3:		22f3
  Zusatzinformation 4:		05475e8449807bb817c3945e60bda828

After the crash, MSVCR80.dll crashes as well because of the bound process ...

Problemsignatur:
  Problemereignisname:		APPCRASH
  Anwendungsname:		prism.exe
  Anwendungsversion:		1.9.0.3405
  Anwendungszeitstempel:	49f89f9d
  Fehlermodulname:		MSVCR80.dll
  Fehlermodulversion:		8.0.50727.4016
  Fehlermodulzeitstempel:	49cc5361
  Ausnahmecode:			c0000005
  Ausnahmeoffset:		0001500a
  Betriebsystemversion:		6.0.6002.2.2.0.768.3
  Gebietsschema-ID:		1031
  Zusatzinformation 1:		b909
  Zusatzinformation 2:		f50f35bb1bdeb3eed6178072ceb2495a
  Zusatzinformation 3:		0dbf
  Zusatzinformation 4:		513496628e20510b683769cabf59ab66

The vulnerability also exists in the browser add-on, which allows remote exploitation ...

Problemsignatur:
  Problemereignisname:		BEX
  Anwendungsname:		firefox.exe
  Anwendungsversion:		1.9.0.3399
  Anwendungszeitstempel:	49f1091d
  Fehlermodulname:		StackHash_9a32
  Fehlermodulversion:		0.0.0.0
  Fehlermodulzeitstempel:	00000000
  Ausnahmeoffset:		00410041
  Ausnahmecode:			c0000005
  Ausnahmedaten:		00000008
  Betriebsystemversion:		6.0.6002.2.2.0.768.3
  Gebietsschema-ID:		1031
  Zusatzinformation 1:		9a32
  Zusatzinformation 2:		5c619ea68c3b46f708861a8835d2b5e5
  Zusatzinformation 3:		f208
  Zusatzinformation 4:		e71079d1087215128ac25af60fabae36

Problemsignatur:
  Problemereignisname:	APPCRASH
  Anwendungsname:	firefox.exe
  Anwendungsversion:	1.9.0.3399
  Anwendungszeitstempel:	49f1091d
  Fehlermodulname:	MOZCRT19.dll
  Fehlermodulversion:	8.0.0.0
  Fehlermodulzeitstempel:	49f10980
  Ausnahmecode:	c0000005
  Ausnahmeoffset:	000128da
  Betriebsystemversion:	6.0.6002.2.2.0.768.3
  Gebietsschema-ID:	1031
  Zusatzinformation 1:	5c96
  Zusatzinformation 2:	4f590d68f590cfa1f545b49c8a8defc2
  Zusatzinformation 3:	79ca
  Zusatzinformation 4:	57c55b385489b6eb2c074786b4e64832
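The four Windows Error Reporting (WER) signatures above carry two triage indicators worth reading before anyone touches a debugger. A "Fehlermodulname" of StackHash_xxxx means WER could not attribute the faulting address to any loaded module, and the "Ausnahmeoffset" values 00390039 and 00410041 are the UTF-16 encodings of "99" and "AA" respectively, i.e. the program's own wide-string input landed in the instruction pointer (the PoC below feeds a run of 'A' characters). The following C program is an added example, not part of the advisory: it parses the prism.exe BEX report and the follow-on MSVCR80.dll APPCRASH (abridged from the reports above) and scores each one on those two indicators. The scoring rule and field names of the struct are this example's own choices; the report keys are the German WER labels exactly as printed above.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Two of the advisory's WER signatures, abridged, embedded as input. */
static const char PRISM_BEX_REPORT[] =
    "Problemereignisname:\tBEX\n"
    "Anwendungsname:\tprism.exe\n"
    "Anwendungsversion:\t1.9.0.3405\n"
    "Fehlermodulname:\tStackHash_1477\n"
    "Fehlermodulversion:\t0.0.0.0\n"
    "Ausnahmeoffset:\t00390039\n"
    "Ausnahmecode:\tc0000005\n"
    "Ausnahmedaten:\t00000008\n";

static const char MSVCR80_REPORT[] =
    "Problemereignisname:\tAPPCRASH\n"
    "Anwendungsname:\tprism.exe\n"
    "Fehlermodulname:\tMSVCR80.dll\n"
    "Fehlermodulversion:\t8.0.50727.4016\n"
    "Ausnahmecode:\tc0000005\n"
    "Ausnahmeoffset:\t0001500a\n";

struct wer_triage {
    char event[16];          /* Problemereignisname, e.g. BEX or APPCRASH */
    char module[64];         /* Fehlermodulname */
    unsigned long offset;    /* Ausnahmeoffset parsed as hex */
    bool outside_any_module; /* StackHash_*: fault address in no loaded module */
    bool offset_is_text;     /* offset is two printable UTF-16 code units */
    char decoded[3];         /* those two characters, when offset_is_text */
};

/* Copy the value following "key:" (tabs and blanks skipped, up to end
 * of line) into out. Returns false when the key is absent. */
static bool wer_get(const char *report, const char *key, char *out, size_t outsz)
{
    const char *p = strstr(report, key);
    if (p == NULL)
        return false;
    p += strlen(key);
    while (*p == ':' || *p == ' ' || *p == '\t')
        p++;
    size_t n = 0;
    while (p[n] != '\0' && p[n] != '\n' && p[n] != '\r' && n < outsz - 1) {
        out[n] = p[n];
        n++;
    }
    out[n] = '\0';
    return true;
}

struct wer_triage wer_triage_report(const char *report)
{
    struct wer_triage t;
    char buf[32];
    memset(&t, 0, sizeof t);

    wer_get(report, "Problemereignisname", t.event, sizeof t.event);
    if (wer_get(report, "Fehlermodulname", t.module, sizeof t.module))
        t.outside_any_module = strncmp(t.module, "StackHash_", 10) == 0;
    if (wer_get(report, "Ausnahmeoffset", buf, sizeof buf))
        t.offset = strtoul(buf, NULL, 16);

    /* A 32-bit fault address made of two printable 16-bit units
     * (00410041 = L"AA") is the classic sign of an instruction pointer
     * overwritten with the program's own wide-string input. */
    unsigned hi = (unsigned)((t.offset >> 16) & 0xFFFFu);
    unsigned lo = (unsigned)(t.offset & 0xFFFFu);
    if (hi >= 0x20 && hi < 0x7f && lo >= 0x20 && lo < 0x7f) {
        t.offset_is_text = true;
        t.decoded[0] = (char)lo; /* low half is the first UTF-16 unit in memory */
        t.decoded[1] = (char)hi;
        t.decoded[2] = '\0';
    }
    return t;
}

/* True when the report's fault offset decodes to exactly `text`. */
bool wer_offset_decodes_to(const char *report, const char *text)
{
    struct wer_triage t = wer_triage_report(report);
    return t.offset_is_text && strcmp(t.decoded, text) == 0;
}

/* 0 = ordinary crash, 1 = one indicator, 2 = both indicators present;
 * a score of 2 is "likely controlled instruction pointer" and should
 * be escalated rather than filed as a plain stability bug. */
int wer_risk_score(const char *report)
{
    struct wer_triage t = wer_triage_report(report);
    return (t.outside_any_module ? 1 : 0) + (t.offset_is_text ? 1 : 0);
}

int main(void)
{
    const char *reports[] = { PRISM_BEX_REPORT, MSVCR80_REPORT };
    for (size_t i = 0; i < 2; i++) {
        struct wer_triage t = wer_triage_report(reports[i]);
        printf("%-8s module=%-16s offset=%08lx stackhash=%d text=%d (%s) score=%d\n",
               t.event, t.module, t.offset, t.outside_any_module,
               t.offset_is_text, t.offset_is_text ? t.decoded : "-",
               wer_risk_score(reports[i]));
    }
    return 0;
}
```

Run against the two embedded reports, the BEX signature scores 2 (StackHash module plus offset decoding to "99") while the MSVCR80 APPCRASH scores 0: the second crash is a consequence of the first, as the advisory says, not an independent finding.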


Pictures:
    ../debugger-analyse.png
    ../prism_buffer-overflow.png
    ../prism_buffer-overflow2.png
    ../ff-plugin_bof.png
    ../ff-plugin_bof2.png


Proof of Concept (PoC):
=======================
The vulnerability can be exploited by local or remote attackers. For demonstration or to reproduce ...

Manually reproduce ...
1. Open the software
2. As local user, enter ... the example URL or Name (http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+')
3. Click on OK and generate the file on the desktop
4. The service crashes directly with a BEX exception (overflow)
5. Now the attacker can overwrite the registers

PoC: 
		../0pam0

The same method can be used to verify the bug in the browser plugin. The result is a reproducible browser crash caused by the buffer overflow.


Solution - Fix & Patch:
=======================
Restrict the URL and Name input fields to a maximum size and filter the input with proper exception handling.
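The defect described in the Technical Details section and the fix proposed here are both easiest to see side by side in code. The C program below is an added example and is not Prism's source or the advisory's PoC: it shows the unchecked fixed-buffer copy that produces exactly this class of BEX stack overflow, next to a checked version that enforces a maximum length and a character filter and reports a failure instead of writing past the buffer. The struct layout, the 64-byte field width and the allowed-character policy are constructed for the example; the advisory does not state Prism's real buffer size.

```c
#include <stdio.h>
#include <string.h>

/* Assumed width of the URL and Name fields in a Prism-style web-app
 * container writer. The advisory does not state the real buffer size;
 * 64 is a constructed value for this example. */
#define FIELD_MAX 64

struct webapp_config {
    char url[FIELD_MAX];
    char name[FIELD_MAX];
};

/* VULNERABLE pattern (the defect class the advisory describes): the
 * value is copied into a fixed-size buffer with no length check, so an
 * input of FIELD_MAX bytes or more writes past the end of the buffer.
 * On a stack-allocated struct that overwrites neighbouring locals and
 * eventually the saved return address, which is what WER then reports
 * as a BEX (buffer overflow) exception. Kept only to contrast with the
 * checked version below; never pass it untrusted input. */
void set_field_unchecked(char *field, const char *value)
{
    strcpy(field, value);
}

/* Characters this example accepts in a URL or Name: printable ASCII
 * without control characters (a constructed policy, not Prism's). */
static int is_allowed_char(unsigned char c)
{
    return c >= 0x20 && c < 0x7f;
}

/* HARDENED version: enforce the maximum size and the character filter
 * up front and refuse bad input rather than truncating it silently, so
 * the caller can surface an error to the user. This is the "maximum
 * size plus input filtering" the advisory's fix asks for.
 * Returns 0 on success, -1 if the value is too long, -2 if it contains
 * a disallowed character. On failure the field is left empty. */
int set_field_checked(char *field, size_t field_size, const char *value)
{
    size_t len = strlen(value);
    field[0] = '\0';
    if (len >= field_size)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!is_allowed_char((unsigned char)value[i]))
            return -2;
    memcpy(field, value, len + 1);
    return 0;
}

/* Wrappers for the two fields the advisory lists as vulnerable. */
int set_url(struct webapp_config *cfg, const char *url)
{
    return set_field_checked(cfg->url, sizeof cfg->url, url);
}

int set_name(struct webapp_config *cfg, const char *name)
{
    return set_field_checked(cfg->name, sizeof cfg->name, name);
}

/* Result code of storing value into a fresh config's URL field. */
int try_url(const char *value)
{
    struct webapp_config cfg;
    return set_url(&cfg, value);
}

/* Build a value of n 'A' characters, mirroring the advisory's example
 * URL (constructed input; buf must hold n + 1 bytes). */
void fill_with_a(char *buf, size_t n)
{
    memset(buf, 'A', n);
    buf[n] = '\0';
}

int main(void)
{
    struct webapp_config cfg;
    char oversized[512];

    fill_with_a(oversized, sizeof oversized - 1);

    /* Normal input: both versions behave identically, which is why an
     * unchecked copy goes unnoticed until someone sends a long value. */
    set_field_unchecked(cfg.url, "http://example.invalid/app");
    printf("unchecked, short input: %s\n", cfg.url);

    /* Oversized input: the checked version rejects it cleanly. The
     * unchecked version is deliberately not called with it, because
     * that call would be the overflow itself. */
    printf("checked, %zu bytes: %d\n", strlen(oversized), set_url(&cfg, oversized));
    printf("checked, control char: %d\n", set_name(&cfg, "bad\x01name"));
    printf("checked, good name: %d (%s)\n", set_name(&cfg, "My App"), cfg.name);
    return 0;
}
```

Rejecting rather than truncating matters here: silently cutting a URL at 63 bytes avoids the crash but produces a container that points at a different address than the user typed, so the hardened path reports the length violation back to the UI instead.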


Security Risk:
==============
The security risk of the buffer overflow vulnerability is estimated as high.


Credits & Authors:
==================
Vulnerability Research Laboratory


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.vulnerability-lab.com/register
Contact:    admin@vulnerability-lab.com 	- support@vulnerability-lab.com 	       - research@vulnerability-lab.com
Section:    video.vulnerability-lab.com 	- forum.vulnerability-lab.com 		       - news.vulnerability-lab.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial use, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website are trademarks of the vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to obtain permission.

    				   	Copyright © 2012 | Vulnerability Laboratory