Time To Update Mozilla

Mozilla 1.7.5



NNTP Security Flaw in Mozilla 1.7.3 and Below

Friday December 31st, 2004

Jonik writes: "A security vulnerability has been found that affects Mozilla 1.7.3 and earlier versions. Apparently there is a flaw in the NNTP handling code which may cause a heap overflow and allow a remote attacker to execute arbitrary code." All the latest Mozilla versions are immune, but there also appears to be some dispute as to whether this vulnerability was ever practically exploitable in the first place.


More info.
Mozilla Browser NNTP Heap Overflow

A critical security vulnerability has been found in Mozilla Project code handling NNTP protocol. Credit: The information has been provided by Maurycy Prodeus.


Vulnerable Systems:

* Mozilla Browser version 1.7.3 and prior with mozilla-mail

Immune Systems:
* Mozilla Browser version 1.7.5 or newer

The Mozilla browser supports NNTP URLs, so a remote party can trigger a news:// connection to any server. Maurycy found a flaw in the NNTP handling code which may cause a heap overflow and allow a remote attacker to execute arbitrary code on the client machine.

Buggy function from nsNNTPProtocol.cpp:

char *MSG_UnEscapeSearchUrl (const char *commandSpecificData)
{
    char *result = (char*) PR_Malloc (PL_strlen(commandSpecificData) + 1);
    if (result)
    {
        char *resultPtr = result;
        while (1)
        {
            char ch = *commandSpecificData++;
            if (!ch)
                break;
            if (ch == '\\')
            {
                char scratchBuf[3];
                scratchBuf[0] = (char) *commandSpecificData++;
                scratchBuf[1] = (char) *commandSpecificData++;
                scratchBuf[2] = '
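
The excerpt sizes its buffer from the string length but then advances the input pointer twice after the escape character without checking for the terminating NUL. The following is an added example, not Mozilla's code and not part of the advisory: a side-effect-free model of that loop next to a hardened decoder. The names `modeled_write_count` and `unescape_search_url_safe` are hypothetical, and because the excerpt is cut off, the model assumes each escape stores one decoded byte.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Model of the excerpt's loop, run over a bounded region `mem` that stands
 * for the URL string plus whatever heap bytes follow it. Returns how many
 * bytes the loop would store, including the final NUL. Nothing is written.
 * Assumption: each escape stores exactly one decoded byte. */
size_t modeled_write_count(const char *mem, size_t mem_len)
{
    size_t i = 0, written = 0;
    while (i < mem_len) {
        char ch = mem[i++];
        if (!ch)
            break;
        if (ch == '\\')
            i += 2;           /* two bytes consumed with no NUL check */
        written++;
    }
    return written + 1;       /* terminating NUL */
}

/* Hardened decoder (hypothetical): returns a malloc'd string, or NULL when
 * an escape is truncated or is not followed by two hex digits. */
char *unescape_search_url_safe(const char *in)
{
    char *out = malloc(strlen(in) + 1);
    char *p = out;
    if (!out)
        return NULL;
    while (*in) {
        if (*in != '\\') {
            *p++ = *in++;
            continue;
        }
        /* isxdigit('\0') is 0 and || short-circuits: no read past the NUL */
        if (!isxdigit((unsigned char)in[1]) || !isxdigit((unsigned char)in[2])) {
            free(out);
            return NULL;
        }
        char hex[3] = { in[1], in[2], '\0' };
        *p++ = (char)strtol(hex, NULL, 16);
        in += 3;
    }
    *p = '\0';
    return out;
}
```

For the constructed region `"a\\\0BBBB"`, the allocation would be 3 bytes (string length 2 plus the NUL) while the modeled loop stores 6, because the escape skips over the terminator and the copy continues into the bytes that follow.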
 
Installed 1.7.5 today, but to be honest I cannot claim "good" or "bad", as I don't use it at all since its lite edition (Firefox) became sort-of-stable...
 