Synopsis: Heap overflow in Mozilla Browser <= 1.7.3 NNTP code. Product: Mozilla Browser Version: <= 1.7.3 Vendor: http://www.mozilla.org/ URL: http://isec.pl/vulnerabilities/isec-0020-mozilla.txt CVE: not assigned Author: Maurycy Prodeus Date: Dec 29, 2004 Issue: ====== A critical security vulnerability has been found in Mozilla Project code handling NNTP protocol. Details: ======== Mozilla browser supports NNTP urls. Remote side is able to trigger news:// connection to any server. I found a flaw in NNTP handling code which may cause heap overflow and allow remote attacker to execute arbitrary code on client machine. Bugus function from nsNNTPProtocol.cpp: char *MSG_UnEscapeSearchUrl (const char *commandSpecificData) 329 { 330 char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1); 331 if (result) 332 { 333 char *resultPtr = result; 334 while (1) 335 { 336 char ch = *commandSpecificData++; 337 if (!ch) 338 break; 339 if (ch == '\\') 340 { 341 char scratchBuf[3]; 342 scratchBuf[0] = (char) *commandSpecificData++; 343 scratchBuf[1] = (char) *commandSpecificData++; 344 scratchBuf[2] = '\0'; 345 int accum = 0; 346 PR_sscanf(scratchBuf, "%X", &accum); 347 *resultPtr++ = (char) accum; 348 } 349 else 350 *resultPtr++ = ch; 351 } 352 *resultPtr = '\0'; 353 } 354 return result; 355 } When commandSpecificData points to last (next is NULL) character which is '\\' copying loop may omit termination of source char array and overflow result buffer. Affected Versions ================= Mozilla Browser <= 1.7.3 with mozilla-mail Solution ========= This bug is fixed in Mozilla 1.7.5. (Bug 264388) Mozilla developer Dan Veditz claims that it cannot be exploitable: "A '\' on the end will certainly trash memory, but at that point you're no longer reading attacker-supplied data;". On my RedHat 9.0 with Mozilla 1.7.3 attached proof of concept code overflows the buffer using attacker-supplied data. I decided to make this bug public because Mozilla Team hasn't warned users. Exploitation ============ I have attached proof of concept HTML file which causes heap corruption and crashes Mozilla 1.7.3 browser (with mozilla-mail). News server must be existing and available. Appendix =========