Full Disclosure mailing list archives
Re: Mozilla Firefox "Host:" Buffer Overflow
From: Dave Aitel <dave () immunitysec com>
Date: Fri, 09 Sep 2005 08:48:38 -0400
It's not consideration to hide the actual risk from users of the product. That's just Microsoft hogwash.
Right now, everyone knows they are at risk, and what to do about it - we can stop using Firefox if we think it's a high enough risk vulnerability to do so. This is definately better than just being in the dark for another week or so until they get the patch done.
-dave Larry Seltzer wrote:
Two interesting points:1) It took several minutes and more browsing elsewhere (in Bugzilla) before my browser blew up after testing the POC. 2) When you reported a "Windows XP SP2 IE 6.0 Vulnerability" (http://security-protocols.com/modules.php?name=News&file=article&sid=2891) and a "Windows XP SP2 Remote Kernel DoS" (http://security-protocols.com/modules.php?name=News&file=article&sid=2783) you left the details of the bug and the POC out. Personally, I generally approve of that, but why don't Mozilla users deserve as much consideration? Larry Seltzer eWEEK.com Security Center Editor http://security.eweek.com/ http://blog.ziffdavis.com/seltzer Contributing Editor, PC Magazinelarryseltzer () ziffdavis com-----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Tom Ferris Sent: Friday, September 09, 2005 2:10 AM To: full-disclosure () lists grok org uk Subject: [Full-disclosure] Mozilla Firefox "Host:" Buffer Overflow Mozilla Firefox "Host:" Buffer Overflow Release Date: September 8, 2005 Date Reported: September 4, 2005 Severity: Critical Vendor: Mozilla Versions Affected: Firefox Win32 1.0.6 and prior Firefox Linux 1.0.6 and prior Firefox 1.5 Beta 1 (Deer Park Alpha 2) Overview: A buffer overflow vulnerability exists within Firefox version 1.0.6 and all other prior versions which allows for an attacker to remotely execute arbitrary code on an affected host. Technical Details: The problem seems to be when a hostname which has all dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true, but is sets encHost to an empty string. Meaning, Firefox appends 0 to approxLen and then appends the long string of dashes to the buffer instead. The following HTML code below will reproduce this issue: <A HREF=https:--------------------------------------------- > Simple, huh? ;-] Vendor Status: Mozilla was notified, and im guessing they are working on a patch. Who knows though? Discovered by: Tom Ferris Related Links: www.security-protocols.com/firefox-death.html www.security-protocols.com/advisory/sp-x17-advisory.txt www.security-protocols.com/modules.php?name=News&file=article&sid=2910 Greetings: chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and the rest of the angrypacket krew. Copyright (c) 2005 Security-Protocols.com Thanks, Tom Ferris Researcher www.security-protocols.com Key fingerprint = 0DFA 6275 BA05 0380 DD91 34AD C909 A338 D1AF 5D78 _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Mozilla Firefox "Host:" Buffer Overflow Tom Ferris (Sep 08)
- Re: Mozilla Firefox "Host:" Buffer Overflow Heikki Toivonen (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow n e w s (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Larry Seltzer (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Dave Aitel (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Larry Seltzer (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Bruce Ediger (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Larry Seltzer (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Bruce Ediger (Sep 09)
- RE: Mozilla Firefox "Host:" Buffer Overflow Bruce Ediger (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Dave Aitel (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Heikki Toivonen (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Andrew R. Reiter (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Dave Aitel (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow Andrew R. Reiter (Sep 09)
- Re: Mozilla Firefox "Host:" Buffer Overflow milw0rm Inc. (Sep 09)