Bug 67168 (CVE-2005-0402)

Summary: VUL-0: CVE-2005-0402: Mozilla Heap Corruption Design Error
Product: [Novell Products] SUSE Security Incidents Reporter: Sebastian Krahmer <krahmer>
Component: IncidentsAssignee: Wolfgang Rosenauer <wolfgang.rosenauer>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVE-2005-0402: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N) CVSSv2:NVD:CVE-2005-0255:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Sebastian Krahmer 2005-03-02 12:24:16 UTC 
Date: Mon, 28 Feb 2005 10:42:14 -0500
From: iDEFENSE Labs <labs-no-reply@idefense.com>
To: bugtraq@securityfocus.com, vulnwatch@vulnwatch.org
Subject: iDEFENSE Security Advisory 02.28.05: Mozilla Firefox and Mozilla
    Browser Out Of Memory Heap Corruption Design Error
Resent-Date: Wed, 2 Mar 2005 12:36:31 +0100
Resent-From: meissner@suse.de
Resent-To: Sebastian Krahmer <krahmer@suse.de>

Mozilla Firefox and Mozilla Browser Out Of Memory Heap Corruption Design 
Error

iDEFENSE Security Advisory 02.28.05
www.idefense.com/application/poi/display?id=200&type=vulnerabilities
February 28, 2005

I. BACKGROUND

Mozilla is an open-source web browser, designed for standards 
compliance, performance and portability. Further information about the 
browser is available at:

    http://www.mozilla.org

II. DESCRIPTION

Remote exploitation of a design error in Mozilla 1.7.3 and Firefox 1.0 
may allow an attacker to cause heap corruption, resulting in execution 
of arbitrary code.

The vulnerability specifically exists in string handling functions, 
such as nsCSubstring::Append, which rely on functions in the file 
mozilla/xpcom/string/src/nsTSubstring.cpp. Certain functions, such as 
nsTSubstring_CharT::Replace() fail to check the return value of
functions which resize the string.

xpcom/string/src/nsTSubstring.cpp:

[1] size_type length = tuple.Length();

    cutStart = PR_MIN(cutStart, Length());

[2] ReplacePrep(cutStart, cutLength, length);

[3] if (length > 0)
      tuple.WriteTo(mData + cutStart, length);

At [1], length is set to the length of the string to be copied, which
is the passed to ReplacePrep() at [2]. If the reallocation performed by
this function fails sets mData to a fixed address.

            mData = NS_CONST_CAST(char_type*, char_traits::sEmptyBuffer);
            mLength = 0;

The value of sEmptyBuffer is set in xpcom/string/src/nsSubstring.cpp:

static const PRUnichar gNullChar = 0;

const char*      nsCharTraits<char>     ::sEmptyBuffer = (const char*)
&gNullChar;

As the return value is not checked, if the function fails mData is
pointing at a known memory location. By causing memory to be consumed
until an out of memory condition occurs, and controlling the value of
the string to append, it is possible at [3] to cause arbitrary data to
be placed is a known location, allowing execution of arbitrary code.

This vulnerability would rely on both knowing the version of the
browser, which could be obtained from the User-Agent string passed to a
malicious server, and being able to cause memory exhaustion. It may be
possible to cause memory exhaustion remotely by either sending a large
amount of data to the client in the headers, which would require a large
amount of bandwidth or by using compression to reduce the amount of data
that needs to be sent to the client, either via a server module like the
Apache httpd mod_deflate, or a file such as a ZIP file referenced by a
jar: URI. It also may be possible to use a javascript to allocate enough
memory to trigger this vulnerability.

As this vulnerability is triggered in an out of memory condition, it may
be easier to exploit on systems which have restricted the amount of
memory a user or process may use.

III. ANALYSIS

Remote exploitation of this vulnerability may allow execution of 
arbitrary code with the privileges of the logged in user. A failed 
exploitation attempt may result in the browser crashing.

IV. DETECTION

iDEFENSE Labs have confirmed The Mozilla Organization's Mozilla 1.7.1 
and 1.7.3, as well as Firefox 0.10.1 are vulnerable to this
issue. A check on the source code for Firefox 1.0 suggests it is also
vulnerable. It is suspected that all previous versions of both browsers
are vulnerable.

V. WORKAROUND

iDEFENSE is currently unaware of any effective workarounds for this 
vulnerability.

VI. VENDOR RESPONSE

Vendor advisory:
   http://www.mozilla.org/security/announce/mfsa2005-18.html

Raw bug report:
   https://bugzilla.mozilla.org/show_bug.cgi?id=277549

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
names CAN-2005-0255 to these issues. This is a candidate for inclusion
in the CVE list (http://cve.mitre.org), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

02/09/2005  Initial vendor notification
02/09/2005  Initial vendor response
02/28/2005  Coordinated public disclosure

IX. CREDIT

Gaël Delalleau is credited with discovering this vulnerability.

Get paid for vulnerability research
http://www.idefense.com/poi/teams/vcp.jsp

Free tools, research and upcoming events
http://labs.idefense.com

X. LEGAL NOTICES

Copyright © 2005 iDEFENSE, Inc.

Permission is granted for the redistribution of this alert
...
Comment 1 Marcus Meissner 2005-03-02 12:56:57 UTC 
move out of secinternal (is public)
Comment 2 Wolfgang Rosenauer 2005-03-02 13:04:23 UTC 
please give me a priorization of this issue and for which distributions you want
updates. Thanks.
Comment 3 Wolfgang Rosenauer 2005-03-04 06:59:42 UTC 
JFI: STABLE is fixed already
Comment 4 Sebastian Krahmer 2005-03-07 14:16:13 UTC 
Will have a look.
Comment 5 Sebastian Krahmer 2005-03-07 14:21:34 UTC 
Ehm, where can we make updates without a major of hassle?
Maybe combined with that .ico bug?
Prefered would be complete update for all SL/SLES versions.
Comment 6 Wolfgang Rosenauer 2005-03-10 11:59:51 UTC 
the fix for this is included in the submitted Firefox packages for 9.0, 9.1, 9.2
and NLD now.

mozilla and thunderbird is still missing
Comment 7 Marcus Meissner 2005-03-16 16:50:11 UTC 
firefox updates released.
Comment 8 Sebastian Krahmer 2005-03-22 09:59:58 UTC 
Is this

MFSA 2005-30 CAN-2005-0399
MFSA 2005-31 CAN-2005-0402
MFSA 2005-32 CAN-2005-0401


?
Comment 9 Wolfgang Rosenauer 2005-03-29 08:10:59 UTC 
the advisory says it's:
Vendor advisory:
   http://www.mozilla.org/security/announce/mfsa2005-18.html
Comment 10 Ihno Krumreich 2005-04-13 08:25:06 UTC 
Status ?
Comment 11 Wolfgang Rosenauer 2005-04-13 08:47:46 UTC 
we are waiting for some more security bugs fixed from mozilla.org. They will
deliver mozilla 1.7.7 and firefox 1.0.3 soon and we will update our packages
when it happened.
Comment 12 Marcus Meissner 2005-04-27 16:09:22 UTC 
most mozillas released now
Comment 13 Thomas Biege 2009-10-13 21:08:59 UTC 
CVE-2005-0402: CVSS v2 Base Score: 2.6 (AV:N/AC:H/Au:N/C:N/I:P/A:N)