
List:       full-disclosure
Subject:    Re: [Full-disclosure] iDefense Security Advisory 10.28.09: Mozilla
From:       Sébastien Hénarès <henares.sebastien () gmail ! com>
Date:       2009-10-29 15:45:48
Message-ID: 426c2b930910290845x3d250937pa1fe69e93efff49a () mail ! gmail ! com



Where is the test vuln code?

2009/10/28 iDefense Labs <labs-no-reply@idefense.com>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDefense Security Advisory 10.28.09
> http://labs.idefense.com/intelligence/vulnerabilities/
> Oct 28, 2009
>
> I. BACKGROUND
>
> Firefox is the Mozilla Foundation's open source internet web browser.
> Among the browser's capabilities is the display of GIF images. GIF is a
> widely used image format with features such as loss-less compression,
> animation and color palettes. For more information, visit the URLs
> shown below.
>
> http://www.mozilla.com/firefox/
>
> http://en.wikipedia.org/wiki/Graphics_Interchange_Format
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow in the Mozilla Foundation's
> libpr0n image processing library allows attackers to execute arbitrary
> code.
>
> The libpr0n GIF parser was designed using a state machine which is
> represented as a series of switch/case statements. One particularly
> interesting state, 'gif_image_header', is responsible for interpreting
> a single image/frame description record. A single GIF file may contain
> many images, each with a different color map associated.
>
> The problem lies in the handling of changes to the color map of
> subsequent images in a multiple-image GIF file. Memory reallocation is
> not managed correctly and can result in an exploitable heap overflow
> condition.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability results in the execution of arbitrary
> code with the privileges of the user running the vulnerable application.
> To exploit this vulnerability, a targeted user must load a malicious Web
> page created by an attacker. An attacker typically accomplishes this via
> social engineering or injecting content into compromised, trusted sites.
>
> IV. DETECTION
>
> iDefense confirmed the existence of this vulnerability using Mozilla
> Firefox versions 3.0.13 and 3.5.2 on 32-bit Windows XP SP3. Other
> versions, and potentially other applications using libpr0n, are
> suspected to be vulnerable.
>
> V. WORKAROUND
>
> Although it is not widely viewed as a viable workaround, disabling
> automatic image loading can prevent exploitation of this vulnerability.
> The following steps explain how to disable this setting on Firefox
> 3.0.x.
>
>   1. From the "Tools" menu, select "Options"
>   2. Navigate to the "Content" settings.
>   3. Ensure that "Load images automatically" is not checked.
>
> VI. VENDOR RESPONSE
>
> Mozilla has released a patch which fixes this issue in Firefox 3.5.4,
> Firefox 3.0.15, and SeaMonkey 2.0. Information about downloadable
> vendor updates can be found by clicking on the URL shown.
>
> http://www.mozilla.com/en-US/firefox/ie.html
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2009-3373 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 08/20/2009  - Initial Vendor Notification
> 10/27/2009  - Vendor Public Disclosure
> 10/28/2009  - iDefense Public Disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by regenrecht.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright © 2009 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@idefense.com for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
> There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iD8DBQFK6J6Ybjs6HoxIfBkRAn01AKDDafS/+W3ifh/UXOfAMQgGpk/YGgCfc0Uo
> 4FncE3T7P7SeNFaDcuNg3G8=
> =/3we
> -----END PGP SIGNATURE-----
>

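The reallocation problem the advisory places in the 'gif_image_header' state, shown from the defensive side as an added example: this is not libpr0n's code and not Mozilla's actual fix, but the pattern a parser should follow so that a later image descriptor declaring a larger local colour table can never be copied into a buffer sized for an earlier, smaller one. The image descriptor layout (0x2C separator, four 16-bit fields, packed byte with table flag in bit 7 and size in bits 0-2) is the standard GIF one; the struct, function and field names are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Per-frame colour map state. Capacity is tracked separately from the
 * length so the buffer is only ever grown, never assumed to fit. */
typedef struct {
    uint8_t *colormap;     /* RGB triples, heap allocated */
    size_t   colormap_cap; /* bytes actually allocated */
    size_t   colormap_len; /* bytes the current frame declares */
} gif_state;

/* Bytes needed for a local colour table whose packed size field is
 * size_bits: GIF defines 2^(size_bits+1) entries of 3 bytes each. */
size_t gif_colormap_bytes(unsigned size_bits)
{
    return (size_t)3u << ((size_bits & 7u) + 1u);
}

/* Grow the colour map to at least `needed` bytes. A later frame that
 * declares a larger table than an earlier one is therefore never copied
 * into a buffer sized for the smaller table. Returns 0, or -1 on OOM. */
int gif_ensure_colormap(gif_state *s, size_t needed)
{
    if (needed > s->colormap_cap) {
        uint8_t *p = realloc(s->colormap, needed);
        if (p == NULL) return -1;
        memset(p + s->colormap_cap, 0, needed - s->colormap_cap);
        s->colormap = p;
        s->colormap_cap = needed;
    }
    s->colormap_len = needed;
    return 0;
}

/* Hypothetical 'gif_image_header' state (name assumed): parse one 10-byte
 * image descriptor (0x2C, left, top, width, height, packed byte) and size
 * the colour map for it. Returns the local colour table length in bytes,
 * 0 if the frame uses the global table, or -1 on a malformed record/OOM. */
long gif_image_header(gif_state *s, const uint8_t *rec, size_t len)
{
    if (len < 10 || rec[0] != 0x2C) return -1;
    uint8_t packed = rec[9];
    if ((packed & 0x80) == 0) return 0;
    size_t need = gif_colormap_bytes(packed & 0x07);
    return gif_ensure_colormap(s, need) == 0 ? (long)need : -1;
}
```

Feeding the same state two constructed descriptors, the first with a 4-entry table (12 bytes) and the second with a 256-entry table (768 bytes), grows the allocation on the second frame instead of reusing the 12-byte buffer.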