Closed Bug 264394 Opened 20 years ago Closed 20 years ago

heap overwrite in NNTP protocol handler

Categories: MailNews Core :: Networking: NNTP, defect
Priority: Not set
Severity: normal
Tracking: Not tracked

RESOLVED DUPLICATE of bug 264388

People

(Reporter: dveditz, Assigned: sspitzer)

Details

(Keywords: crash, Whiteboard: [sg:dupe 264388])

Attachments

(1 file)

sent to security@mozilla.org

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Issue:
======
A critical security vulnerability has been found in Mozilla Project code handling the NNTP protocol.

Details:
========
The Mozilla browser supports NNTP URLs. The remote side is able to trigger a news:// connection to any server. We found a flaw in the NNTP handling code which may cause a heap overflow and allow a remote attacker to execute arbitrary code on the client machine.

Bogus function from nsNNTPProtocol.cpp:

    /* Decodes "\XX" hex escapes in a news: search URL into a freshly
       allocated buffer of PL_strlen(input) + 1 bytes. */
    char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
    {
      char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
      if (result)
      {
        char *resultPtr = result;
        while (1)
        {
          char ch = *commandSpecificData++;
          if (!ch)
            break;
          if (ch == '\\')
          {
            /* The next two bytes are consumed unconditionally as hex
               digits: if the NUL terminator is one of them, it is
               swallowed here and the loop never sees it. */
            char scratchBuf[3];
            scratchBuf[0] = (char) *commandSpecificData++;
            scratchBuf[1] = (char) *commandSpecificData++;
            scratchBuf[2] = '\0';
            int accum = 0;
            PR_sscanf(scratchBuf, "%X", &accum);
            *resultPtr++ = (char) accum;
          }
          else
            *resultPtr++ = ch;
        }
        *resultPtr = '\0';
      }
      return result;
    }

When commandSpecificData points to the last character (the next one is NUL) and that character is '\\', the copying loop may skip the terminator of the source char array and overflow the result buffer.

Exploitation
============
I have attached a proof-of-concept HTML file which causes heap corruption and crashes the Mozilla 1.7.3 browser (with mozilla-mail). The news server must exist and be reachable.

--
Maurycy Prodeus
iSEC Security Research
http://isec.pl/

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQFBauFTC+8U3Z5wpu4RAnLzAJ49gRC+SpRN93/0r5oHqEoRs1r6GgCgild3
A3te72LQqkW5KjonyD98jSA=
=BnNQ
-----END PGP SIGNATURE-----
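The trailing-backslash flaw described in the report, as an added example that is not code from the report or from Mozilla. It shows two things side by side: a pure index simulation that tells you, without touching any memory past the string, which inputs make the original loop consume the NUL terminator; and a hardened decoder that checks both escape bytes against the known length and against the hex alphabet before consuming them. It uses the standard C library in place of NSPR (PR_Malloc, PL_strlen, PR_sscanf); the function names consumes_terminator, unescape_search_url_safe and decodes_to, and the sample search strings, are constructed for illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Pure index simulation of the decoding loop quoted in the report. A
 * backslash consumes itself plus the next two bytes without checking
 * them, so if the NUL terminator is one of those two bytes the loop
 * never observes it and keeps reading (and writing) past the end of
 * both the input and the strlen+1-byte result. Nothing beyond the
 * string is dereferenced here; we only reason about indices. */
bool consumes_terminator(const char *s)
{
    size_t len = strlen(s);          /* index of the NUL terminator */
    size_t i = 0;
    while (i < len) {
        if (s[i] == '\\') {
            if (i + 2 >= len)        /* terminator is at i+1 or i+2 */
                return true;
            i += 3;                  /* '\' plus two digit bytes */
        } else {
            i += 1;
        }
    }
    return false;
}

static int hexval(unsigned char c)
{
    if (isdigit(c)) return c - '0';
    c = (unsigned char)tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Hardened decoder. Each escape must be followed by two bytes that are
 * both present (checked against the known length) and both hex digits,
 * so the terminator can never be consumed. Malformed escapes are
 * rejected instead of being decoded to whatever PR_sscanf("%X") left in
 * accum. Every 3-byte escape yields 1 output byte, so the output never
 * exceeds the input and strlen(s)+1 bytes always suffice. */
char *unescape_search_url_safe(const char *s)
{
    size_t len = strlen(s);
    char *result = malloc(len + 1);
    if (!result)
        return NULL;

    char *out = result;
    size_t i = 0;
    while (i < len) {
        if (s[i] != '\\') {
            *out++ = s[i++];
            continue;
        }
        if (i + 2 >= len) {          /* truncated escape at end of input */
            free(result);
            return NULL;
        }
        int hi = hexval((unsigned char)s[i + 1]);
        int lo = hexval((unsigned char)s[i + 2]);
        if (hi < 0 || lo < 0) {      /* non-hex escape */
            free(result);
            return NULL;
        }
        *out++ = (char)((hi << 4) | lo);
        i += 3;
    }
    *out = '\0';
    return result;
}

/* Helper for checking results: true iff `in` decodes to `expected`. */
bool decodes_to(const char *in, const char *expected)
{
    char *r = unescape_search_url_safe(in);
    if (!r)
        return false;
    bool ok = strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void)
{
    /* Constructed inputs: a well-formed search string, the trailing
       backslash from the report, and a backslash with one digit left. */
    const char *inputs[] = { "from:\\22bob\\22", "subject:foo\\", "x\\4" };
    for (size_t k = 0; k < 3; k++) {
        printf("%-18s original loop skips NUL: %s, hardened: ",
               inputs[k], consumes_terminator(inputs[k]) ? "yes" : "no");
        char *r = unescape_search_url_safe(inputs[k]);
        printf("%s\n", r ? r : "rejected");
        free(r);
    }
    return 0;
}
```

Note that a single trailing backslash is not the only bad shape: "x\4" (one digit then NUL) is consumed the same way, because the original loop reads two bytes after the backslash regardless of what they are. The hardened version rejects any escape that is not exactly two hex digits; copying the backslash literally would be the other defensible choice, but silently writing a 0x00 byte, as PR_sscanf on a non-hex scratch buffer does, is not.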
*** This bug has been marked as a duplicate of 264388 ***
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → DUPLICATE
Whiteboard: [sg:dupe 264388]
Product: MailNews → Core
Group: security
Product: Core → MailNews Core