Operating System:

Published:

01 March 2005

Protect yourself against future threats.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

           ESB-2005.0194 -- iDEFENSE Security Advisory 02.28.05
          Mozilla Firefox and Mozilla Browser Out Of Memory Heap
                          Corruption Design Error
                               1 March 2005

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Mozilla Firefox
                   Mozilla Thunderbird
                   Mozilla Suite
Publisher:         iDEFENSE
Impact:            Execute Arbitrary Code/Commands
                   Denial of Service
Access:            Remote/Unauthenticated
CVE Names:         CAN-2005-0255

Original Bulletin: http://www.idefense.com/application/poi/display?id=200
                   http://www.mozilla.org/security/announce/mfsa2005-18.html

- --------------------------BEGIN INCLUDED TEXT--------------------

Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design 
Error

iDEFENSE Security Advisory 02.28.05
www.idefense.com/application/poi/display?id=200&type=vulnerabilities
February 28, 2005

I. BACKGROUND

Mozilla is an open-source web browser, designed for standards 
compliance, performance and portability. Further information about the 
browser is available at:

    http://www.mozilla.org

II. DESCRIPTION

Remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 
may allow an attacker to cause heap corruption, resulting in execution 
of arbitrary code.

The vulnerability specifically exists in string handling functions, 
such as nsCSubstring::Append, which rely on functions in the file 
mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions, such as 
nsTSubstring_CharT::Replace() fail to check the return value of
functions which resize the string.

xpcom/string/src/nsTSubstring.cpp:

[1] size_type length = tuple.Length();

    cutStart = PR_MIN(cutStart, Length());

[2] ReplacePrep(cutStart, cutLength, length);

[3] if (length > 0)
      tuple.WriteTo(mData + cutStart, length);


At [1], length is set to the length of the string to be copied, which
is the passed to ReplacePrep() at [2]. If the reallocation performed by
this function fails sets mData to a fixed address.

            mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
            mLength = 0;

The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:

static const PRUnichar gNullChar = 0;

const char*      nsCharTraits<char>     ::sEmptyBuffer = (const char*) &gNullChar;

As the return value is not checked, if the function fails mData is
pointing at a known memory location. By causing memory to be consumed
until an out of memory condition occurs, and controlling the value of
the string to append, it is possible at [3] to cause arbitrary data to
be placed is a known location, allowing execution of arbitrary code.

This vulnerability would rely on both knowing the version of the
browser, which could be obtained from the User-Agent string passed to a
malicious server, and being able to cause memory exhaustion. It may be
possible to cause memory exhaustion remotely by either sending a large
amount of data to the client in the headers, which would require a large
amount of bandwidth or by using compression to reduce the amount of data
that needs to be sent to the client, either via a server module like the
Apache httpd mod_deflate, or a file such as a ZIP file referenced by a
jar: URI. It also may be possible to use a javascript to allocate enough
memory to trigger this vulnerability.

As this vulnerability is triggered in an out of memory condition, it may
be easier to exploit on systems which have restricted the amount of
memory a user or process may use.

III. ANALYSIS

Remote exploitation of this vulnerability may allow execution of 
arbitrary code with the privileges of the logged in user. A failed 
exploitation attempt may result in the browser crashing.

IV. DETECTION

iDEFENSE Labs have confirmed The Mozilla Organization's Mozilla 1.7.1 
and 1.7.3, as well as Firefox 0.10.1 are vulnerable to this
issue. A check on the source code for Firefox 1.0 suggests it is also
vulnerable. It is suspected that all previous versions of both browsers
are vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
vulnerability.

VI. VENDOR RESPONSE

Vendor advisory:
   http://www.mozilla.org/security/announce/mfsa2005-18.html

Raw bug report:
   https://bugzilla.mozilla.org/show_bug.cgi?id=277549

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0255 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/09/2005  Initial vendor notification
02/09/2005  Initial vendor response
02/28/2005  Coordinated public disclosure

IX. CREDIT

Gaël Delalleau is credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDEFENSE. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email customerservice@idefense.com for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQiO9gih9+71yA2DNAQI/EgP/VzgsxpNNiESkYp+459y5xm+qlmdo0npP
nf3vawUeNK6+tcEfGc5Me7igVIX8D+n91Kd4jm87AyyL30tKYgY9xSOub0KuYz8y
QSi41F3lmAk2jPWWcDemgONDAeTdWN+rxQ25kCqPDuS47QLnkDS/gEF2eeEJSSjY
1ANCO6ylyF0=
=ftjf
-----END PGP SIGNATURE-----