SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |    Help    |   

SecurityTracker
Archives


Welcome to SecurityTracker!
 
Click to Sign Up
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com
Sign Up!





Category:  Application (Web Browser)  >  Mozilla Firefox Vendors:  Mozilla.org
Mozilla Firefox BMP Handling Bug Lets Remote Users Access Portions of Kernel Memory
SecurityTracker Alert ID:  1019434
SecurityTracker URL:  http://securitytracker.com/id?1019434
CVE Reference:  CVE-2008-0420   (Links to External Site)
Date:  Feb 19 2008
Impact:  Disclosure of system information, Disclosure of user information
Fix Available:  Yes   Vendor Confirmed:  Yes  
Advisory:  Mozilla Foundation Security Advisory
Version(s): prior to 2.0.0.12
Description:  A vulnerability was reported in Mozilla Firefox. A remote user can view portions of kernel memory.

A remote user create a specially crafted BMP file that, when loaded by the target user, will access uninitialized kernel memory.

The information can be extracted using certain <canvas> methods.

Gynvael Coldwind reported this vulnerability.
Impact:  A remote user can view portions of kernel memory.
Solution:  The vendor has issued a fix (2.0.0.12).

The Mozilla advisory is available at:

http://www.mozilla.org/security/announce/2008/mfsa2008-07.html
Vendor URL:  www.mozilla.org/security/announce/2008/mfsa2008-07.html (Links to External Site)
Cause:  Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Reported By:  "Gynvael Coldwind" <gynvael@vexillium.org>
Message History:   None.

 Source Message Contents
Date:  Sat, 16 Feb 2008 17:16:24 +0100
From:  "Gynvael Coldwind" <gynvael@vexillium.org>
Subject:  [HISPASEC] FireFox 2.0.0.11 and Opera 9.50 beta Remote Memory Information Leak, FireFox 2.0.0.11 Remote Denial of Service

 
(see video link at the bottom ;>)

* Name   : FireFox 2.0.0.11 and Opera 9.50 beta Remote Memory Information Leak
*        : FireFox 2.0.0.11 Remote Denial of Service
* Type   : Remote Information Disclosure
* Impact : Medium / High
* Credits: Gynvael Coldwind / Hispasec / Team Vexillium
* Special thanks to udevd and porneL

* Brief

Opera and FireFox contains vulnerable code for handling BMP files with
partial palette. The code allows to craft a BMP file that leaks
information from the heap. This information can be sent to remote
server using canvas tag (HTML 5) and javascript.

Also other browser (for example Apple Safari) contain vulnerable BMP
handling code, but since there is no way of acquiring the image data
(due to not all canvas method being implemented), it doesn't pose a
serious threat (hmm... then again, maybe the attacker could convince
the user to do a screenshot and send it to the attacker :)
As a matter of fact Apple Safari has a simillar problem with certain
GIF files.


* Verbose

The BMP format has a field in the BITMAPINFOHEADER named biClrUsed,
the field says how many colors does the palette contain. If this field
is 0, then 256 color palette is used. When this field is not 0, the
palette has the given number of colors.

Both browsers either allocate to just the "right" amount of memory
(using the equation biClrUsed * sizeof(RGB)), or forget to zero the
allocated palette.
In this case, if a color from the upper (non existing or not zeroed)
part of the palette is used, soem information is copied to the screen
as a colorful pixel.

If the attacker creates a BMP file with biClrUser = 0, and fills it
with gradient, from 0 to 255: 00 01 02 03 04 05 ... and so on, the
displayed BMP will in fact copy the palette to the screen, which of
course means that it copies the data lying on the heap to the screen.

The attacker could also use HTML 5 tag canvas to aquire pixel
color information from the bitmap, and then use javascript to post it
to a remote server.

The harvested data contains various information including parts of
other websites, users "favorites" and history, and other information.

This has been tested, a proof of concept exploit has been created, but
will not yet be released.


* Versions affected and vendor status

FireFox 2.0.0.11 and prior that support canvas.getImageData or any
other method to aquire image data are affected.
The vendor was informed and has released a non vulnerable version
of the application - 2.0.0.12.

Opera 9.24 is not affected due to not supporting canvas.getImageData.
The newer beta versions are affected (9.50 beta).
The vendor was informed and has released a non vulnerable version
of the application - 9.25.

Other vendors were also informed.


* Additional info

FireFox 2.0.0.11 may crash when using this vulnerability due to
heap boundary error (read access violation). So it is possible to
remotly crash the browser.


* Video demonstration

A video demonstration of the vulnerability can be found on the
following sites:

http://blog.hispasec.com/lab/
http://vexillium.org/?sec-ff


* Disclaimer

This document and all the information it contains is provided "as is",
without any warranty. The author is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.

Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.

-- 
gynvael.coldwind//vx
Hispasec


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us   |    Help

Copyright 2007, SecurityGlobal.net LLC