Closed Bug 264388 Opened 20 years ago Closed 20 years ago

Heap overflow in MSG_UnEscapeSearchUrl

Categories

(MailNews Core :: Networking: NNTP, defect)

Product:
MailNews Core
Component:
Networking: NNTP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: BenB, Assigned: BenB)

References

Details

(4 keywords, Whiteboard: [sg:dos])

Attachments

(3 files, 2 obsolete files)

Proof of concept
216 bytes, text/html
Details
patch
867 bytes, patch
Details | Diff | Splinter Review
Patch, Way 2, Version 3
1.73 KB, patch
Bienvenu
: review+
roc
: superreview+
dveditz
: approval-aviary+
dveditz
: approval1.7.5+
Details | Diff | Splinter Review
From Maurycy Prodeus <z33d isec.pl>: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Issue: ====== A critical security vulnerability has been found in Mozilla Project code handling NNTP protocol. Details: ======== Mozilla browser supports NNTP urls. Remote side is able to trigger news:// connection to any server. We found a flaw in NNTP handling code which may cause heap overflow and allow remote attacker to execute arbitrary code on client machine. Bugus function from nsNNTPProtocol.cpp: char *MSG_UnEscapeSearchUrl (const char *commandSpecificData) 329 { 330 char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1); 331 if (result) 332 { 333 char *resultPtr = result; 334 while (1) 335 { 336 char ch = *commandSpecificData++; 337 if (!ch) 338 break; 339 if (ch == '\\') 340 { 341 char scratchBuf[3]; 342 scratchBuf[0] = (char) *commandSpecificData++; 343 scratchBuf[1] = (char) *commandSpecificData++; 344 scratchBuf[2] = '\0'; 345 int accum = 0; 346 PR_sscanf(scratchBuf, "%X", &accum); 347 *resultPtr++ = (char) accum; 348 } 349 else 350 *resultPtr++ = ch; 351 } 352 *resultPtr = '\0'; 353 } 354 return result; 355 } When commandSpecificData points to last (next is NULL) character which is '\\' copying loop may omit termination of source char array and overflow result buffer. Exploitation ============ I have attached proof of concept HTML file which causes heap corruption and crashes Mozilla 1.7.3 browser (with mozilla-mail). News server must be existing and available. - -- Maurycy Prodeus iSEC Security Research http://isec.pl/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFBauFTC+8U3Z5wpu4RAnLzAJ49gRC+SpRN93/0r5oHqEoRs1r6GgCgild3 A3te72LQqkW5KjonyD98jSA= =BnNQ -----END PGP SIGNATURE-----
Flags: blocking1.7.x?
Flags: blocking-aviary1.0mac?
Flags: blocking-aviary1.0?
Flags: blocking1.7.x? → blocking1.7.x+
Can we get the attachment in here?
Attached file Proof of concept
by Maurycy Prodeus
*** Bug 264394 has been marked as a duplicate of this bug. ***
Summary: Explotable heap overflow in MSG_UnEscapeSearchUrl → Exploitable heap overflow in MSG_UnEscapeSearchUrl
Assignee: sspitzer → ben.bucksch
I confirmed the overflow and crash A '\' on the end will certainly trash memory, but at that point you're no longer reading attacker-supplied data; Are you claiming this is exploitable other than as a crash/denial-of-service? How would you do that? The "commandSpecificData" passed to this function is a pointer into a string that was strdup()d in nsNNTPProtocol::ParseURL(). The URL parsed there was an allocated null-terminated string pulled out of the original content. Whatever might have been after the null in the original URL location is gone.
Keywords: crash
Whiteboard: [sg:dos]
this is old ugly code, wouldn't be a bad idea to examine the rest of the buffer usage here. Possibly convert a lot of it to the string classes.
Attached patch patchSplinter Review
Summary: Exploitable heap overflow in MSG_UnEscapeSearchUrl → Heap overflow in MSG_UnEscapeSearchUrl
Here's a rewrite using nsStrings. It assumes that the Substring class makes appropriate checks, if the chars are there, and returns something meaningful. It's completely untested, probably doesn't even compile (we're desparately lacking reference docs for nsString), because my build is still compiling.
Attached patch Patch, Way 2, Version 2 (obsolete) — Splinter Review
oops.
Attachment #162109 - Attachment is obsolete: true
This now compiles. Still can't test, because I am behind a proxy, so somebody else will have to do that.
Attachment #162110 - Attachment is obsolete: true
Patch tests fine. More string copies involved, and I'm not so sure about replacing bogus escapes with "X"... need input from the mailnews folks.
+ result.Replace(slashpos, 3, err == NS_OK && ch != 0 ? (char) ch : 'X'); + slashpos++; This doesn't look right. Since Replace can shorten the string at that point, you might skip over characters when you have a sequence of multiple escaped characters in a row. This would be much simpler and safer (and probably faster) if you just accumulated the result in a different string.
> Since Replace can shorten the string at that point, you > might skip over characters when you have a sequence of multiple escaped > characters in a row. hm, I replace "\41" with "A". slashpos points to "\". So, slashpos++ should point to the char after "A" after the replacement.
Attachment #162141 - Flags: superreview?(roc)
Attachment #162141 - Flags: review?(bienvenu)
Comment on attachment 162141 [details] [diff] [review] Patch, Way 2, Version 3 oops, you're right. My mistake.
Attachment #162141 - Flags: superreview?(roc) → superreview+
Attachment #162141 - Flags: review?(bienvenu) → review+
is this ready for the aviary branch too? we should get it in soon if it is.
Flags: blocking-aviary1.0? → blocking-aviary1.0+
Thanks for the patch Ben. I just checked this into the aviary 1.0 branch.
Flags: blocking-aviary1.0mac?
Keywords: fixed-aviary1.0
Comment on attachment 162141 [details] [diff] [review] Patch, Way 2, Version 3 de facto a=aviary: it's in already :-) a=dveditz for the 1.7 branch
Attachment #162141 - Flags: approval1.7.x+
Attachment #162141 - Flags: approval-aviary+
Blocks: sbb?
Checked into trunk.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Checked into 1.7 branch. dveditz, I don't know the right keyword, can you set that, please? In both checkins, I changed the superfluous PRUnichar('\\') to '\\' (for nsCAutoString::FindChar).
Product: MailNews → Core
now that 1.7.5 and tbird 1.0 are released, can we remove the security flag?
Blocks: 248511
can somebody open up Bug 264394, too? it's a dupe of this one... marc
Blocks: sbb+
No longer blocks: sbb?
Product: Core → MailNews Core
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: