Mozilla Firefox IDN "Host:" Buffer Overflow
Release Date:
September 8, 2005
Date Reported:
September 4, 2005
Severity:
Critical
Vendor:
Mozilla
Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)
Overview:
A buffer overflow vulnerability exists in Firefox version 1.0.6 and all prior
versions, which allows an attacker to remotely execute arbitrary code on an affected
host.
Technical Details:
The problem appears to be that a hostname consisting entirely of dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true while setting
encHost to an empty string. Firefox therefore adds 0 to approxLen, but then appends
the long string of dashes to the buffer instead. The following HTML will reproduce
this issue:
<A HREF=https:--------------------------------------------- >
Simple, huh? ;-]
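To make the length-accounting mismatch concrete, here is an added model of the logic the advisory describes, written for this page and not taken from Mozilla's source. It assumes a stand-in NormalizeIDN (model_normalize_idn) that returns true with an empty encHost for an all-dash host, and compares the buggy reservation with a corrected one that sizes the buffer by the string actually appended.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed stand-in for NormalizeIDN, following the advisory's description:
 * for an all-dash host it reports success but leaves encHost empty.
 * This is a model, not Mozilla's implementation. */
static bool model_normalize_idn(const char *host, char *encHost, size_t cap) {
    size_t n = strlen(host);
    if (n == 0 || n + 1 > cap) return false;
    if (strspn(host, "-") == n) {   /* every byte is '-' */
        encHost[0] = '\0';          /* "succeeds" with an empty result */
        return true;
    }
    memcpy(encHost, host, n + 1);   /* other hosts pass through unchanged */
    return true;
}

/* Bytes the spec buffer was sized for versus bytes actually appended. */
typedef struct { size_t reserved; size_t written; } spec_len;

/* Buggy accounting as described: approxLen grows by the length of encHost
 * (0 in the all-dash case), yet the original host is what gets appended. */
static spec_len build_spec_buggy(const char *scheme, const char *host) {
    char encHost[256] = "";
    spec_len r = { strlen(scheme) + 1, strlen(scheme) + 1 };   /* "scheme:" */
    if (model_normalize_idn(host, encHost, sizeof encHost))
        r.reserved += strlen(encHost);                          /* adds 0 */
    else
        r.reserved += strlen(host);
    const char *appended = encHost[0] ? encHost : host;        /* falls back to host */
    r.written += strlen(appended);
    return r;
}

/* Corrected accounting: decide once which string will be appended
 * (ignoring an empty encoding result) and reserve exactly for it. */
static spec_len build_spec_fixed(const char *scheme, const char *host) {
    char encHost[256] = "";
    const char *appended = host;
    if (model_normalize_idn(host, encHost, sizeof encHost) && encHost[0])
        appended = encHost;
    size_t n = strlen(scheme) + 1 + strlen(appended);
    spec_len r = { n, n };
    return r;
}

/* True when more bytes would be written than were reserved. */
static bool would_overflow(spec_len s) { return s.written > s.reserved; }
```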
Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who knows though?
Discovered by:
Tom Ferris
Related Links:
www.security-protocols.com/firefox-death.html
Greetings:
chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and the rest of the
angrypacket krew.