Signature Detail

HTTP: Mozilla NNTP URL Handling Buffer Overflow

A vulnerability has been reported in the way the Mozilla browser handles NNTP URLs. Due to insufficient input validation, a specially crafted URI using the scheme news:// can overflow a heap buffer. By enticing a user to follow a specially crafted NNTP URI, an attacker can remotely exploit this vulnerability in a way that allows for code injection and execution with the privileges of the currently logged in user. In a simple exploit attempt, an instance of a vulnerable Mozilla browser will open a connection with the server listening at the address and the port provided in the specially crafted news:// URI. When the vulnerable function is called to process the commands embedded in the URI, the application will terminate with a memory access violation error. In a more sophisticated attack case, the process flow can be diverted allowing for arbitrary code execution. In such a case, the behaviour of the target is dependent on the nature of the injected code.

Extended Description

A remote heap-overflow vulnerability affects Mozilla Browser's network news transport protocol (NNTP) functionality. This issue is due to the application's failure to properly validate the length of user-supplied strings before copying them into dynamically allocated process buffers. An attacker may exploit this issue to execute arbitrary code with the privileges of the user that activated the vulnerable application. This may facilitate unauthorized access or privilege escalation.

Affected Products

• HP HP-UX B.11.00
• HP HP-UX B.11.11
• HP HP-UX B.11.22
• HP HP-UX B.11.23
• Mozilla Browser 1.0.0
• Mozilla Browser 1.0.1
• Mozilla Browser 1.0.2
• Mozilla Browser 1.1.0
• Mozilla Browser 1.2.0
• Mozilla Browser 1.2.1
• Mozilla Browser 1.3.0
• Mozilla Browser 1.3.1
• Mozilla Browser 1.4.0
• Mozilla Browser 1.4.0 A
• Mozilla Browser 1.4.0 B
• Mozilla Browser 1.4.1
• Mozilla Browser 1.4.2
• Mozilla Browser 1.5.0
• Mozilla Browser 1.5.1
• Mozilla Browser 1.6.0
• Mozilla Browser 1.7.0
• Mozilla Browser 1.7.0 Rc1
• Mozilla Browser 1.7.0 Rc2
• Mozilla Browser 1.7.0 Rc3
• Mozilla Browser 1.7.1
• Mozilla Browser 1.7.2
• Mozilla Browser 1.7.3
• Mozilla Thunderbird 0.6.0
• Mozilla Thunderbird 0.7.0
• Mozilla Thunderbird 0.7.1
• Mozilla Thunderbird 0.7.2
• Mozilla Thunderbird 0.7.3
• Mozilla Thunderbird 0.8.0
• Red Hat Fedora Core1
• Red Hat Fedora Core2
• Red Hat Linux 7.3.0
• Red Hat Linux 7.3.0 I386
• Red Hat Linux 7.3.0 I686
• Red Hat Linux 9.0.0 I386
• SGI ProPack 3.0.0
• SuSE Linux 8.0.0
• SuSE Linux 8.0.0 i386
• SuSE Linux 8.1.0
• SuSE Linux Personal 10.0.0 OSS
• SuSE Linux Personal 8.2.0
• SuSE Linux Personal 9.0.0
• SuSE Linux Personal 9.0.0 X86 64
• SuSE Linux Personal 9.1.0
• SuSE Linux Personal 9.1.0 X86 64
• SuSE Linux Personal 9.2.0
• SuSE Linux Personal 9.2.0 X86 64
• SuSE Linux Personal 9.3.0
• SuSE Linux Personal 9.3.0 X86 64
• SuSE Linux Professional 10.0.0
• SuSE Linux Professional 10.0.0 OSS
• SuSE Linux Professional 9.1.0
• SuSE Linux Professional 9.1.0 X86 64
• SuSE Linux Professional 9.2.0
• SuSE Linux Professional 9.2.0 X86 64
• SuSE Linux Professional 9.3.0
• SuSE Linux Professional 9.3.0 X86 64

References

• BugTraq: 12131
• CVE: CVE-2004-1316