Closed Bug 264394 Opened 20 years ago Closed 20 years ago

heap overwrite in NNTP protocol handler

Categories

(MailNews Core :: Networking: NNTP, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 264388

People

(Reporter: dveditz, Assigned: sspitzer)

Details

(Keywords: crash, Whiteboard: [sg:dupe 264388])

Attachments

(1 file)

sent to security@mozilla.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Issue:
======

A critical security vulnerability has been found in the Mozilla Project code
handling the NNTP protocol.


Details:
========

The Mozilla browser supports NNTP URLs. A remote side is able to trigger a news://
connection to any server. We found a flaw in the NNTP handling code which may
cause a heap overflow and allow a remote attacker to execute arbitrary code on the
client machine.

Bogus function from nsNNTPProtocol.cpp:

char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
    /* result is sized to the input length, so it only holds the output
       if every loop iteration consumes at least as many input bytes as
       it writes */
    char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
    if (result)
    {
        char *resultPtr = result;
        while (1)
        {
            char ch = *commandSpecificData++;
            if (!ch)
                break;
            if (ch == '\\')
            {
                /* the two bytes after a backslash are read unconditionally:
                   when the backslash is the last input character the first
                   read consumes the terminating NUL and the second reads past
                   the end of the string, so the loop never sees the
                   terminator and keeps writing past the end of result */
                char scratchBuf[3];
                scratchBuf[0] = (char) *commandSpecificData++;
                scratchBuf[1] = (char) *commandSpecificData++;
                scratchBuf[2] = '\0';
                int accum = 0;
                PR_sscanf(scratchBuf, "%X", &accum);
                *resultPtr++ = (char) accum;
            }
            else
                *resultPtr++ = ch;
        }
        *resultPtr = '\0';
    }
    return result;
}

When commandSpecificData points to the last character (the next one is NULL) and
that character is '\\', the copying loop may miss the termination of the source
char array and overflow the result buffer.


Exploitation
============

I have attached a proof-of-concept HTML file which causes heap corruption
and crashes the Mozilla 1.7.3 browser (with mozilla-mail). The news server must
exist and be available.



- -- 
Maurycy Prodeus
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBauFTC+8U3Z5wpu4RAnLzAJ49gRC+SpRN93/0r5oHqEoRs1r6GgCgild3
A3te72LQqkW5KjonyD98jSA=
=BnNQ
-----END PGP SIGNATURE-----
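The defect in the report above is that the unescape loop reads two bytes after every backslash without checking for the terminating NUL, so a trailing backslash lets the source pointer run past the end of the string and the copy past the end of the allocation. The following is an added example of a bounds-safe rewrite of that loop; it is not Mozilla's actual fix, and the function and helper names (unescape_search_url_safe, hex_value) are assumed. It stops at the terminator, treats a backslash that is not followed by two hex digits as a literal character, and keeps the invariant that every iteration consumes at least one input byte while writing exactly one output byte, so the output can never exceed the input-sized buffer.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Mozilla's code: a bounds-safe version of the
 * MSG_UnEscapeSearchUrl loop quoted in the bug report. */

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hex_value(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns a freshly malloc'd unescaped copy of in (caller frees), or NULL
 * on allocation failure. "\\XX" with two hex digits becomes the byte 0xXX;
 * any other backslash is copied literally instead of being decoded from
 * whatever bytes happen to follow it. */
char *unescape_search_url_safe(const char *in)
{
    size_t len = strlen(in);
    char *result = malloc(len + 1);
    if (!result)
        return NULL;

    char *out = result;
    const char *end = in + len;      /* address of the terminating NUL */

    while (in < end) {               /* never read at or past the NUL */
        char ch = *in++;
        /* Only decode an escape if two more bytes exist before the NUL. */
        if (ch == '\\' && end - in >= 2) {
            int hi = hex_value((unsigned char)in[0]);
            int lo = hex_value((unsigned char)in[1]);
            if (hi >= 0 && lo >= 0) {
                *out++ = (char)(hi * 16 + lo);
                in += 2;             /* consumed 3 bytes, wrote 1 */
                continue;
            }
        }
        *out++ = ch;                 /* consumed 1 byte, wrote 1 */
    }
    *out = '\0';                     /* out <= result + len, always in bounds */
    return result;
}

/* Returns 1 if unescaping in yields expected, 0 otherwise. */
int unescape_matches(const char *in, const char *expected)
{
    char *r = unescape_search_url_safe(in);
    if (!r)
        return 0;
    int ok = strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a normal escape, and the trailing-backslash
     * case from the report that overflowed the original loop. */
    const char *samples[] = { "foo\\41bar", "abc\\", "x\\4", "\\zz" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *r = unescape_search_url_safe(samples[i]);
        printf("%-12s -> %s\n", samples[i], r ? r : "(alloc failed)");
        free(r);
    }
    return 0;
}
```

The key change is the `end - in >= 2` guard: the original code had no equivalent, which is why a string ending in a backslash carried the read and the write past their buffers. Copying a malformed escape literally rather than rejecting the whole string is a design choice; a stricter implementation could instead return NULL so the caller refuses the URL.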

*** This bug has been marked as a duplicate of 264388 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 264388]
Product: MailNews → Core
Group: security
Product: Core → MailNews Core