
List:       mozilla-security
Subject:    IRC buffer overflow and file detection vulnerability?
From:       Scott Gifford <sgifford () suspectclass ! com>
Date:       2002-04-30 20:15:47

Here's another report from BugTraq/NTBugTraq about a security problem
in Mozilla/NS6.  The comments in the beginning are in response to
GreyMagic's report that Netscape wasn't handling security bugs and the
Bug Bounty properly (see article <ly7kmpdk0v.fsf@gfn.org> posted by me
just a few minutes ago).

Thor Larholm <Thor@jubii.dk> writes:

> Disturbing.
> 
> Netscape sure must be in financial problems since they are selling out on
> their users security for a lousy $1000.
> 
> I know for one that I personally will release any future Netscape advisories
> with full public disclosure and without prior Netscape notification. As a
> matter of fact, why not start now?
> 
> The IRC:// protocol inhibited by Mozilla/NS6 seems to have a buffer overrun.
> A typical IRC URL could look like this:
> 
> IRC://IRC.YOUR.TLD/#YOURCHANNEL
> 
> The #YOURCHANNEL part is copied to a buffer that has a limit of 32K. 
> If the input exceeds this limit, Mozilla 1.0 RC1 crashes with the following
> error: 
> 
> The exception unknown software exception (0xc00000fd) occurred in the
> application at location 0x60e42edf 
> 
> Mozilla 0.9.9 gives a similar exception: 
> 
> The exception unknown software exception (0xc00000fd) occurred in the
> application at location 0x60dd2c79.
> 
> Other versions of Mozilla/NS6/Galeon likely share the same flaw.
> I haven't tested further on how practically exploitable this is.
> Short example online at
> 
> http://jscript.dk/2002/4/moz1rc1tests/ircbufferoverrun.html
> 
> Furthermore, Mozilla/Galeon/NS6 is prone to a local file detection
> vulnerability.
> 
> When embedding a stylesheet with the <LINK> element, access to CSS files
> from other protocols is prohibited by the security manager. A simple HTTP
> redirect circumvents this security restriction and it becomes possible to
> use local or remote files of any type, with the side effect that you can
> detect if specific local files exist.
> 
> http://jscript.dk/2002/4/NS6Tests/LinkLocalFileDetect.asp
> 
> 
> Regards
> Thor Larholm
> Jubii A/S - Internet Programmer

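The overrun Thor describes is a classic fixed-size-buffer bug: the "#channel" part of an irc:// URL is copied into a 32K buffer with no length check, and 0xc00000fd is Windows' STATUS_STACK_OVERFLOW, which is consistent with that buffer living on the stack. The following is an added illustration of that bug class, not Mozilla's or Netscape's code and not taken from the post: a hypothetical irc:// handler with the unchecked copy beside a bounded version that refuses over-long channels, plus a helper that builds a URL with a channel of a chosen length the way the linked test page does. All function names, the host irc.example.test and the 32768-byte size are assumptions for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical reconstruction of the bug class in the post (not Mozilla's
 * code): the "#channel" part of an irc:// URL is copied into a fixed 32K
 * buffer. The size is assumed from the post's "limit of 32K". */
#define CHANNEL_BUF 32768

/* Return a pointer to the channel part (everything after the first '/'
 * that follows the host), or NULL if the URL is not irc:// or has no
 * channel. Only the "irc://" and "IRC://" spellings are accepted here. */
static const char *irc_channel_part(const char *url)
{
    const char *p;
    if (strncmp(url, "irc://", 6) != 0 && strncmp(url, "IRC://", 6) != 0)
        return NULL;
    p = strchr(url + 6, '/');
    return (p && p[1]) ? p + 1 : NULL;
}

/* Vulnerable form: unbounded copy into a fixed-size stack buffer. A channel
 * longer than CHANNEL_BUF - 1 bytes writes past the end of 'channel' and
 * smashes the stack. Shown for contrast only; never call it on untrusted input. */
int handle_irc_url_unchecked(const char *url)
{
    char channel[CHANNEL_BUF];
    const char *c = irc_channel_part(url);
    if (!c)
        return -1;
    strcpy(channel, c);                 /* no length check at all */
    return (int)strlen(channel);
}

/* Hardened form: measure first, refuse anything that does not fit (including
 * the terminating NUL), then copy with an explicit bound. Returns the channel
 * length, -1 for "no channel", -2 for "too long". */
int handle_irc_url_checked(const char *url, char *out, size_t outsz)
{
    const char *c = irc_channel_part(url);
    size_t n;
    if (!c)
        return -1;
    n = strlen(c);
    if (n >= outsz)
        return -2;                      /* refuse rather than truncate silently */
    memcpy(out, c, n + 1);
    return (int)n;
}

/* Build "irc://irc.example.test/#AAAA..." with 'len' A's after the '#', so the
 * channel part is len + 1 bytes long. This mimics what a hostile page does;
 * the host name is a constructed placeholder. Caller frees the result. */
char *make_long_irc_url(size_t len)
{
    static const char prefix[] = "irc://irc.example.test/#";
    size_t plen = sizeof prefix - 1;
    char *u = malloc(plen + len + 1);
    if (!u)
        return NULL;
    memcpy(u, prefix, plen);
    memset(u + plen, 'A', len);
    u[plen + len] = '\0';
    return u;
}

/* Convenience: run the checked handler on a channel of 'len' A's and return
 * its verdict (length on success, -2 when it would not have fit in 32K). */
int channel_fits(size_t len)
{
    static char buf[CHANNEL_BUF];       /* static: keep 32K off the stack */
    char *u = make_long_irc_url(len);
    int r;
    if (!u)
        return -3;
    r = handle_irc_url_checked(u, buf, sizeof buf);
    free(u);
    return r;
}

int main(void)
{
    printf("11-byte channel: %d\n", channel_fits(10));
    printf("32767-byte channel: %d\n", channel_fits(CHANNEL_BUF - 2));
    printf("32768-byte channel: %d\n", channel_fits(CHANNEL_BUF - 1));
    printf("40000-byte channel: %d\n", channel_fits(40000));
    return 0;
}
```

The boundary matters: 32767 bytes of channel plus the NUL exactly fill a 32768-byte buffer, so that is the last length the checked handler accepts; the unchecked handler would happily keep copying from 32768 onward, which is the condition the post's test page triggers. A reviewer looking for this pattern in a real code base greps for strcpy/sprintf into a local array whose size is a compile-time constant and whose source comes from a URL.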
