SecurityTracker.com
Category:   Application (Web Browser)  >   Mozilla Browser
Vendors:   Mozilla.org
(Gentoo Issues Fix) Mozilla Various Overflows and Scripting Errors May Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1011368
SecurityTracker URL:  http://securitytracker.com/id/1011368
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Sep 21 2004
Impact:   Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 1.7.3
Description:   Several vulnerabilities were reported in Mozilla, Thunderbird, and Firefox. In some of the vulnerabilities, a remote user may be able to execute arbitrary code on the target user's system.

The vendor and various researchers reported ten separate vulnerabilities in Mozilla, Thunderbird, and Firefox.

Georgi Guninski reported a heap overflow vulnerability in 'nsMsgCompUtils.cpp' that may allow a remote user to cause arbitrary code to be executed on the target user's computer [Known security vulnerability #93]. The "send page" function does not properly handle long HTTP URLs. Arbitrary code may be executed if a target user attempts to send an e-mail (such as forwarding a message) that contains a specially crafted link. The original bug report is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=258005

Wladimir Palant reported that a remote user can create specially crafted JavaScript code that, when executed by the target user, will be able to access the clipboard on the target user's system [Known security vulnerability #92]. The code can read from and write to the clipboard. The flaw resides in 'nsXBLPrototypeHandler.cpp'.

A demonstration exploit of reading from the clipboard is available at:

http://bugzilla.mozilla.org/attachment.cgi?id=157492&action=view

A demonstration of writing to the clipboard is available at:

http://bugzilla.mozilla.org/attachment.cgi?id=157493&action=view

The original bug report is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=257523

Jesse Ruderman reported that a remote user can create a signed script that can construct a specially crafted privilege request designed to confuse the target user into granting elevated privileges to the code [Known security vulnerability #91]. The script can invoke enablePrivilege() and supply a parameter containing spaces and English language words to alter the meaning of sentences in the dialog box.

A demonstration exploit is available at:

http://bugzilla.mozilla.org/attachment.cgi?id=154932&action=view

A demonstration exploit screenshot is available at:

http://bugzilla.mozilla.org/attachment.cgi?id=154933&action=view

The original bug report is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=253942

Georgi Guninski reported that there is a buffer overflow in the processing of VCards [Known security vulnerability #90]. A specially crafted VCard can trigger a stack overflow and execute arbitrary code when the VCard is displayed. The flaw resides in 'addrbook/src/nsVCardObj.cpp'.

A demonstration exploit VCard is available at:

http://bugzilla.mozilla.org/attachment.cgi?id=157317&action=view

The original bug report is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=257314

Gael Delalleau reported an integer overflow in the processing of BMP images [Known security vulnerability #89]. A remote user can create a specially crafted bitmap image that, when loaded by the target user, will trigger the overflow and potentially execute arbitrary code with the privileges of the target user. The original advisory is available at:

http://www.zencomsec.com/advisories/mozilla-1.7.2-BMP.txt

Jesse Ruderman also reported a cross-domain scripting vulnerability [Known security vulnerability #88]. A remote user may be able to create JavaScript links that, when dragged onto another frame or another page, will execute in the security context of the target location. If the target user drags two links in sequence into a separate window, the code may be able to launch an arbitrary program with the privileges of the target user.

The original bug report is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=250862

Mats Palmgren and Gael Delalleau reported that a remote user can create a link containing non-ASCII characters in the hostname that, when loaded by the target user, will trigger a heap buffer overflow [Known security vulnerability #87]. It may be possible to execute arbitrary code with the privileges of the target user.

The original advisory is available at:

http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt

Gael Delalleau reported that a remote POP3 mail server can send a specially crafted POP3 response to a connected client to trigger a buffer overflow and execute arbitrary code [Known security vulnerability #86].

The advisory is available at:

http://www.zencomsec.com/advisories/mozilla-1.7.2-POP3.txt

The bug reports are available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=245066
http://bugzilla.mozilla.org/show_bug.cgi?id=226669

Daniel Koukola and Andrew Schultz reported that, on Linux systems, the software may install with world-writeable and world-readable permissions [Known security vulnerability #85]. A local user can modify the files.

The original bug reports are available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=231083
http://bugzilla.mozilla.org/show_bug.cgi?id=235781

Harald Milz reported that, on Linux systems, the software may install with incorrect file owner and permission settings if the user ignores their umask setting or has an overly permissive umask setting when expanding the installation archive [Known security vulnerability #84]. A local user may be able to modify the files. The bug report is available at:

http://bugzilla.mozilla.org/show_bug.cgi?id=254303
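
A check for the two installation-permission issues above (#85 and #84), as an added example that is not part of the advisory or of any Mozilla or Gentoo tooling. The function names are hypothetical, and make_tree builds a constructed stand-in for an archive expanded under a given umask.

```shell
#!/bin/sh
# Added example: audit an installed tree for entries any local user can
# modify, or that are not owned by the expected account.

# Print every non-symlink entry under $1 that is writable by "other".
world_writable() {
    find "$1" ! -type l -perm -0002 -print
}

# Print every entry under $1 not owned by $2 (user name or numeric uid).
wrong_owner() {
    find "$1" ! -user "$2" -print
}

# Report findings on stdout; return 0 if the tree is clean, 1 otherwise.
audit_install_tree() {
    dir=$1 owner=$2 status=0
    ww=$(world_writable "$dir")
    wo=$(wrong_owner "$dir" "$owner")
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        status=1
    fi
    if [ -n "$wo" ]; then
        printf 'unexpected owner (want %s):\n%s\n' "$owner" "$wo"
        status=1
    fi
    return $status
}

# Constructed sample: create app/, app/lib.so and app/run under umask $1,
# the way files land when an archive is expanded with that umask in effect.
# Prints the path of the new tree (the caller removes it).
make_tree() {
    t=$(mktemp -d) || return 1
    ( umask "$1" && mkdir "$t/app" && : > "$t/app/lib.so" \
        && : > "$t/app/run" ) || return 1
    printf '%s\n' "$t"
}

# Stand-alone use: sh audit.sh /path/to/install [expected-owner]
if [ $# -ge 1 ]; then
    audit_install_tree "$1" "${2:-root}" || exit 1
fi
```

A tree created under umask 000 is reported in full (directory and both files), while the same tree created under umask 022 passes.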

Impact:   A remote user can execute arbitrary code on the target user's system with the privileges of the target user.

A remote user can run scripting code in the context of an arbitrary domain.

Solution:   Gentoo has released a fix and indicates that all users should upgrade to the latest stable version:

# emerge sync

# emerge -pv your-version
# emerge your-version

Vendor URL:  www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
Cause:   Access control error, Boundary error
Underlying OS:  Linux (Gentoo)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 16 2004 Mozilla Various Overflows and Scripting Errors May Let Remote Users Execute Arbitrary Code



 Source Message Contents

Subject:  [gentoo-announce] [ GLSA 200409-26 ] Mozilla, Firefox, Thunderbird, Epiphany: New releases


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory                           GLSA 200409-26
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
                                            http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

  Severity: Normal
     Title: Mozilla, Firefox, Thunderbird, Epiphany: New releases fix
            vulnerabilities
      Date: September 20, 2004
      Bugs: #63996
        ID: 200409-26

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

New releases of Mozilla, Epiphany, Mozilla Thunderbird, and Mozilla
Firefox fix several vulnerabilities, including the remote execution of
arbitrary code.

Background
==========

Mozilla is a popular web browser that includes a mail and newsreader.
Epiphany is a web browser that uses Gecko, the Mozilla rendering
engine. Mozilla Firefox and Mozilla Thunderbird are respectively the
next-generation browser and mail client from the Mozilla project.

Affected packages
=================

    -------------------------------------------------------------------
     Package                  /  Vulnerable  /              Unaffected
    -------------------------------------------------------------------
  1  mozilla                       < 1.7.3                    >= 1.7.3
  2  mozilla-firefox              < 1.0_pre                 >= 1.0_pre
  3  mozilla-thunderbird            < 0.8                       >= 0.8
  4  mozilla-bin                   < 1.7.3                    >= 1.7.3
  5  mozilla-firefox-bin          < 1.0_pre                 >= 1.0_pre
  6  mozilla-thunderbird-bin        < 0.8                       >= 0.8
  7  epiphany                    < 1.2.9-r1                >= 1.2.9-r1
    -------------------------------------------------------------------
     7 affected packages on all of their supported architectures.
    -------------------------------------------------------------------

Description
===========

Mozilla-based products are vulnerable to multiple security issues.
Firstly, routines handling the display of BMP images and VCards contain
an integer overflow and a stack buffer overrun. Specific pages with
long links, when sent using the "Send Page" function, and links with
non-ASCII hostnames could both cause heap buffer overruns.

Several issues were found and fixed in JavaScript rights handling:
untrusted script code could read and write to the clipboard, signed
scripts could build confusing grant privileges dialog boxes, and when
dragged onto trusted frames or windows, JavaScript links could access
information and rights of the target frame or window. Finally,
Mozilla-based mail clients (Mozilla and Mozilla Thunderbird) are
vulnerable to a heap overflow caused by invalid POP3 mail server
responses.

Impact
======

An attacker might be able to run arbitrary code with the rights of the
user running the software by enticing the user to perform one of the
following actions: view a specially-crafted BMP image or VCard, use the
"Send Page" function on a malicious page, follow links with malicious
hostnames, drag multiple JavaScript links in a row to another window,
or connect to an untrusted POP3 mail server. An attacker could also use
a malicious page with JavaScript to disclose clipboard contents or
abuse previously-given privileges to request XPI installation
privileges through a confusing dialog.

Workaround
==========

There is no known workaround covering all vulnerabilities.

Resolution
==========

All users should upgrade to the latest stable version:

    # emerge sync

    # emerge -pv your-version
    # emerge your-version

References
==========

  [ 1 ] Mozilla Security Advisory
        http://www.mozilla.org/projects/security/known-vulnerabilities.html#mozilla1.7.3
  [ 2 ] US-CERT Security Alert TA04-261A
        http://www.us-cert.gov/cas/techalerts/TA04-261A.html

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

  http://security.gentoo.org/glsa/glsa-200409-26.xml

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@gentoo.org or alternatively, you may file a bug at
http://bugs.gentoo.org.

License
=======

Copyright 2004 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/1.0

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFBT0MJvcL1obalX08RAo0VAKCJut9PsDZ+w7+rmTBe4QBSsMwLDACfZ0fN
sdTphivV2rgS3nbS4wC416Y=
=O5VM
-----END PGP SIGNATURE-----

 
 

