List: mozilla-security
Subject: IRC buffer overflow and file detection vulnerability?
From: Scott Gifford <sgifford () suspectclass ! com>
Date: 2002-04-30 20:15:47
Here's another report from BugTraq/NTBugTraq about a security problem
in Mozilla/NS6. The comments in the beginning are in response to
GreyMagic's report that Netscape wasn't handling security bugs and the
Bug Bounty properly (see article <ly7kmpdk0v.fsf@gfn.org> posted by me
just a few minutes ago).
Thor Larholm <Thor@jubii.dk> writes:
> Disturbing.
>
> Netscape sure must be in financial problems since they are selling out on
> their users security for a lousy $1000.
>
> I know for one that I personally will release any future Netscape advisories
> with full public disclosure and without prior Netscape notification. As a
> matter of fact, why not start now ?
>
> The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
> A typical IRC URL could look like this:
>
> IRC://IRC.YOUR.TLD/#YOURCHANNEL
>
> The #YOURCHANNEL part is copied to a buffer that has a limit of 32K.
> If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
> error:
>
> The exception unknown software exception (0xc00000fd) occured in the
> application at location 0x60e42edf
>
> Mozilla 0.9.9 gives a similar exception:
>
> The exception unknown software exception (0xc00000fd) occured in the
> application at location 0x60dd2c79.
>
> Other versions of Mozilla/NS6/Galeon likely share the same flaw.
> I haven't tested further on how practically exploitable this is.
> Short example online at
>
> http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html
>
> Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
> vulnerability.
>
> When embedding a stylesheet with the <LINK> element, access to CSS files
> from other protocols is prohibited by the security manager. A simple HTTP
> redirect circumvents this security restriction and it becomes possible to
> use local or remote files of any type, with the side effect that you can
> detect if specific local files exist.
>
> http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
>
>
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer
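The first issue in the quoted advisory is a classic unbounded copy of the channel part of an IRC URL into a 32K buffer (the 0xc00000fd exception code is Windows' STATUS_STACK_OVERFLOW). The C below is an added illustration, not Mozilla's or Thor Larholm's code: it places the flawed pattern next to a hardened parser that rejects an oversized channel instead of copying it. The URL prefix handling, the `CHANNEL_BUF_SIZE` name and the `irc.example.test` host are assumptions made for the example; only the 32K limit comes from the report.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Buffer size taken from the report: the channel part is copied into a
 * buffer with a 32K limit. */
#define CHANNEL_BUF_SIZE (32 * 1024)

/* Flawed pattern (an illustration of the bug class in the report, not
 * Mozilla's code): the channel is copied into a fixed-size buffer with no
 * length check, so any channel of CHANNEL_BUF_SIZE bytes or more overruns it.
 * This example only ever feeds it a string that is known to fit. */
static void copy_channel_unchecked(const char *channel, char *buf)
{
    strcpy(buf, channel);
}

/* Hardened parser: extracts the channel from "irc://host/#channel" and
 * copies it into a caller-supplied buffer only if it fits, including the
 * terminating NUL. Returns the channel length on success, -1 if the URL is
 * not an IRC URL or has no channel part, -2 if the channel exceeds the buffer. */
static int parse_irc_channel(const char *url, char *out, size_t outlen)
{
    static const char prefix[] = "irc://";
    size_t plen = sizeof(prefix) - 1;
    const char *host, *slash, *channel;
    size_t len;

    if (url == NULL || strncasecmp(url, prefix, plen) != 0)
        return -1;
    host = url + plen;
    slash = strchr(host, '/');
    if (slash == NULL || slash == host || slash[1] == '\0')
        return -1;                       /* no host, or no channel part */
    channel = slash + 1;
    len = strlen(channel);
    if (len >= outlen)
        return -2;                       /* reject instead of overrunning */
    memcpy(out, channel, len + 1);
    return (int)len;
}

/* Helper for exercising the parser with a channel of arbitrary length:
 * builds "irc://irc.example.test/#AAA..." (constructed host) with
 * channel_len bytes after the slash and parses it into a buffer of
 * CHANNEL_BUF_SIZE bytes. Returns the parser's result, or -3 on malloc failure. */
static int parse_channel_of_length(size_t channel_len)
{
    static const char head[] = "irc://irc.example.test/";
    size_t hlen = sizeof(head) - 1;
    char *url = malloc(hlen + channel_len + 1);
    char *buf = malloc(CHANNEL_BUF_SIZE);
    int rc;

    if (url == NULL || buf == NULL) { free(url); free(buf); return -3; }
    memcpy(url, head, hlen);
    if (channel_len > 0) {
        url[hlen] = '#';
        memset(url + hlen + 1, 'A', channel_len - 1);
    }
    url[hlen + channel_len] = '\0';
    rc = parse_irc_channel(url, buf, CHANNEL_BUF_SIZE);
    free(url);
    free(buf);
    return rc;
}

int main(void)
{
    char buf[64];
    int rc = parse_irc_channel("IRC://IRC.YOUR.TLD/#YOURCHANNEL", buf, sizeof buf);
    printf("short channel: rc=%d channel=%s\n", rc, rc >= 0 ? buf : "(rejected)");
    printf("32K-1 byte channel: rc=%d\n", parse_channel_of_length(CHANNEL_BUF_SIZE - 1));
    printf("40000-byte channel: rc=%d\n", parse_channel_of_length(40000));
    copy_channel_unchecked("#demo", buf);
    printf("unchecked copy of a short channel: %s\n", buf);
    return 0;
}
```

The hardened parser treats the buffer size as part of its contract (`len >= outlen` fails, not `len > outlen`, so the NUL always fits) and returns a distinct error for "too long", which a URL handler can log as a rejected input rather than silently truncating.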
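The second issue is a policy check applied only to the URL written in the `<LINK>` element, which an HTTP redirect then moves to a different scheme. The C below is an added example, not Mozilla's code: a constructed redirect table stands in for the server, and a loader that checks the scheme once is placed next to one that re-applies the check at every hop. The `example.test` URLs, the `file:///local/probe.txt` target, the http/https-only policy and the `MAX_REDIRECTS` cap are all assumptions for the example; the report itself only states that non-HTTP stylesheet fetches were meant to be blocked and that a redirect got past the check.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed stand-in for an HTTP server: each entry maps a requested URL
 * to the Location header it answers with (NULL means it serves content). */
struct redirect_entry { const char *url; const char *location; };

static const struct redirect_entry SAMPLE_SERVER[] = {
    { "http://example.test/redir.css", "file:///local/probe.txt" },
    { "http://example.test/hop1.css",  "http://example.test/hop2.css" },
    { "http://example.test/hop2.css",  "http://example.test/final.css" },
    { "http://example.test/final.css", NULL },
    { "http://example.test/loop.css",  "http://example.test/loop.css" },
};

/* Assumed cap on redirect chains, so a loop terminates. */
#define MAX_REDIRECTS 5

/* Look up the server's answer for a URL; an unknown URL is served directly. */
static const char *next_location(const char *url)
{
    size_t i;
    for (i = 0; i < sizeof SAMPLE_SERVER / sizeof SAMPLE_SERVER[0]; i++)
        if (strcmp(SAMPLE_SERVER[i].url, url) == 0)
            return SAMPLE_SERVER[i].location;
    return NULL;
}

/* Constructed policy: a stylesheet referenced by <LINK> from a web page may
 * only be fetched over http or https. */
static int stylesheet_scheme_allowed(const char *url)
{
    return strncasecmp(url, "http://", 7) == 0 ||
           strncasecmp(url, "https://", 8) == 0;
}

/* Flawed loader: the policy is checked once, against the URL in the
 * <LINK> element, and redirects are then followed without re-checking.
 * Returns the URL whose content would be loaded, or NULL if refused. */
static const char *load_stylesheet_check_once(const char *url)
{
    int hops;
    if (!stylesheet_scheme_allowed(url))
        return NULL;
    for (hops = 0; hops < MAX_REDIRECTS; hops++) {
        const char *loc = next_location(url);
        if (loc == NULL)
            return url;
        url = loc;                      /* scheme may have changed here */
    }
    return NULL;                        /* too many redirects */
}

/* Corrected loader: every redirect target is treated as a fresh request
 * and must pass the same policy check before it is followed. */
static const char *load_stylesheet_check_each_hop(const char *url)
{
    int hops;
    for (hops = 0; hops < MAX_REDIRECTS; hops++) {
        const char *loc;
        if (!stylesheet_scheme_allowed(url))
            return NULL;                /* blocked at whichever hop changed scheme */
        loc = next_location(url);
        if (loc == NULL)
            return url;
        url = loc;
    }
    return NULL;
}

int main(void)
{
    const char *start = "http://example.test/redir.css";
    const char *once = load_stylesheet_check_once(start);
    const char *each = load_stylesheet_check_each_hop(start);
    printf("check once:     %s\n", once ? once : "(refused)");
    printf("check each hop: %s\n", each ? each : "(refused)");
    return 0;
}
```

The difference is only where the check sits: inside the redirect loop, the policy sees the real URL about to be fetched, so a `Location:` header pointing at a `file:` URL is refused at the hop that introduces it, and the page can no longer learn whether the local file exists from whether the load succeeded.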