New History.dat Buffer Overflow code for FF1.5 released

Firefox, Thunderbird, SeaMonkey, Camino, Mozilla, Netscape 6/7/8/9, and all Gecko-based browsers discussion and support forum. (MozInfo701, Netscape Browser Archive)

Postby J-M » Wed 07 Dec, 2005 9:56 pm

Details at
http://isc.sans.org/diary.php?storyid=920

"First Vulnerability for Firefox 1.5 (released version) Announced - PoC available"
Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, Firefox will be unable to be started until you erase the history.dat file manually.

I have just sent a link to Mozilla.org profile location documentation to help the history.dat deleting process if there is need to test a PoC. This link is located at Internet Storm Center's Diary page. :)
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland
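The post above describes the failure mode (an oversized page title persisted in history.dat crashes the browser on every start until the file is removed). Below is an added defender's check, not code from the thread, Packetstorm or Mozilla: it scans the atom dictionaries of a Mork-format history.dat, decodes Mork's escape rules, and reports any stored value longer than a chosen limit together with the column it is stored under, so an administrator can find and quarantine an offending entry before the browser chokes on it. The sample file is constructed to approximate the Mork layout, the column named "Name" is assumed to hold page titles, and the 255-character limit is an assumed parameter, not the length the PoC used.

```python
import re

# Mork atoms look like (hexid=value); ')' and '\' inside a value are
# backslash-escaped, and arbitrary bytes are written as $hh.
ATOM_RE = re.compile(r"\(([0-9A-Fa-f]+)=((?:[^)\\]|\\[\s\S])*)\)")
# Row cells reference a column atom and a value atom: (^col^value).
CELL_RE = re.compile(r"\(\^([0-9A-Fa-f]+)\^([0-9A-Fa-f]+)\)")

# Constructed sample approximating the dictionary/row layout of a Mork
# history.dat; it is not a real file, and the 300-character title is a
# placeholder, not the length used by the PoC discussed in the thread.
LONG_TITLE = "A" * 300
SAMPLE = (
    '// <!-- <mdb:mork:z v="1.4"/> -->\n'
    '< <(a=c)>\n'
    '  (80=ns:history:db:row:scope:history:all)\n'
    '  (82=URL)(84=LastVisitDate)(87=Name)>\n'
    '<(90=http://example.com/)(91=Example \\)Domain)(92=1133985000000000)>\n'
    '<(93=http://example.com/long)(94=' + LONG_TITLE + ')>\n'
    '{1:^80 {(k^81:c)(s=9)} [1(^82^90)(^87^91)(^84^92)] [2(^82^93)(^87^94)]}\n'
)


def unescape(raw: str) -> str:
    """Decode Mork value escapes: backslash-newline is a line continuation,
    backslash-X yields X, and $hh is a hex-encoded byte."""
    out = []
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "\\" and i + 1 < len(raw):
            if raw[i + 1] != "\n":
                out.append(raw[i + 1])
            i += 2
            continue
        if c == "$" and re.fullmatch(r"[0-9A-Fa-f]{2}", raw[i + 1:i + 3]):
            out.append(chr(int(raw[i + 1:i + 3], 16)))
            i += 3
            continue
        out.append(c)
        i += 1
    return "".join(out)


def parse_atoms(text: str) -> dict:
    """Return {atom id: decoded value} for every atom in the file."""
    return {aid.lower(): unescape(val) for aid, val in ATOM_RE.findall(text)}


def atom_columns(text: str) -> dict:
    """Map each value atom id to the column atom id it is stored under."""
    return {val.lower(): col.lower() for col, val in CELL_RE.findall(text)}


def find_oversized(text: str, limit: int) -> list:
    """List atoms whose decoded value exceeds `limit` characters, with the
    human-readable column name (e.g. Name, URL) when a row references them."""
    atoms = parse_atoms(text)
    cols = atom_columns(text)
    hits = []
    for aid, value in atoms.items():
        if len(value) > limit:
            col_id = cols.get(aid)
            hits.append({"atom": aid,
                         "column": atoms.get(col_id, col_id),
                         "length": len(value)})
    return hits


if __name__ == "__main__":
    # Stand-alone run over the constructed sample; on a real profile read
    # history.dat with encoding="latin-1" and pass its contents instead.
    for hit in find_oversized(SAMPLE, 255):
        print(f"atom {hit['atom']} in column {hit['column']}: "
              f"{hit['length']} chars")
```

Run this with the browser closed, since the file is rewritten on exit; if the scan flags a title, the thread's own remedy (remove or rename history.dat, losing the history) still applies, and the check simply tells you whether that step is needed rather than discovering it at the next crash.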

Postby DJGM » Wed 07 Dec, 2005 10:43 pm

Looks like Mozilla Firefox 1.5.1 is going to be coming soon then, although I didn't think a security vulnerability would be found in Firefox 1.5 barely 2 weeks after the new upgrade went "gold". Mind you, I'm sure that hardly anyone else expected a hole to be found so soon either.

Either way, this should be a good test of how well the new auto-update feature works.

The following is quoted from the link J-M posted:
POSSIBLE WORKAROUND

However, the following is a workaround that should work
(if it doesn't let me know). Go to Tools -> Options.

Select the Privacy Icon, and then the History tab. Set the number
of days to save pages at 0. This will disable writing anything to
history.dat as far as I can tell, and should nullify the exploit.

UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.12) Gecko/20050915
SeaMonkey = Swiss Army Knife: It's versatile, reliable, and contains useful tools.
Windows Internet Explorer = Old Swiss Cheese: Full of holes, and it stinks!
DJGM
diamond member
Posts: 4630
Joined: Wed 19 Jun, 2002 1:03 pm
Location: Manchester, England, UK

Postby J-M » Thu 08 Dec, 2005 8:43 am

This is new
http://secunia.com/advisories/17934/

now, at Low criticality level.

They say

Solution:
Configure Firefox to clear history information when closing the browser. This affects functionality.
Tools -> Options... --> Privacy --> Settings...

as a workaround.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby J-M » Thu 08 Dec, 2005 10:36 am

Reportedly Mac users are not affected by this.

Bugzilla folks say Linux versions are affected, however.

Any Mac users here to confirm this?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby DJGM » Thu 08 Dec, 2005 3:32 pm

Is only Firefox subject to this bug, or are any of the other Gecko based browsers affected?
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.7.12) Gecko/20050915
SeaMonkey = Swiss Army Knife: It's versatile, reliable, and contains useful tools.
Windows Internet Explorer = Old Swiss Cheese: Full of holes, and it stinks!
DJGM
diamond member
Posts: 4630
Joined: Wed 19 Jun, 2002 1:03 pm
Location: Manchester, England, UK

Postby J-M » Thu 08 Dec, 2005 6:25 pm

DJGM wrote:
Is only Firefox subject to this bug, or are any of the other Gecko based browsers affected?

There are some reports of Mozilla Suite 1.7.12 being affected, and I have confirmed Netscape 8.0.4/7.2 and K-Meleon with the old Suite codebase as affected. Naturally, the AOL and K-Meleon developer teams were informed first.

Some sources say FF on Linux is affected; others say it's not.

Some interesting reading too:

https://bugzilla.mozilla.org/show_bug.cgi?id=319004
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby J-M » Thu 08 Dec, 2005 7:49 pm

And now Mozilla.org has a new response with new protection instructions published recently at:
http://www.mozilla.org/security/history-title.html

They have mentioned Mozilla Suite too.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Re: New History.dat Buffer Overflow code for FF1.5 released

Postby Antony » Thu 08 Dec, 2005 8:19 pm

J-M wrote:
(...) If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page.

Just a long title for the page would crash Firefox? That's so easy. :-(
UserAgent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X Mach-O; en-US; rv:1.8) Gecko/20051107 Camino/1.0b1
Antony
diamond member
Posts: 14953
Joined: Tue 18 Jun, 2002 11:36 pm
Location: Sydney, Australia

Postby J-M » Fri 09 Dec, 2005 7:22 am

New security advisory about the latest Mozilla Suite 1.7.12:

http://secunia.com/advisories/17944/

and about Netscape 8.0.4:

http://secunia.com/advisories/17946/

Edited to add NS advisory URL
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
Last edited by J-M on Fri 09 Dec, 2005 9:42 am, edited 1 time in total.
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby J-M » Wed 25 Jan, 2006 5:31 pm

Netscape Browser 8.1 update fixes this issue.

I have confirmed this with a generated online PoC test link.
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland

Postby J-M » Thu 26 Jan, 2006 4:23 pm

Bugtraq vulnerability database lists Netscape 8.1 as immune now at

http://www.securityfocus.com/bid/15773/solution
UserAgent: Mozilla/5.0 (Windows; U; Windows NT 5.0; fi-FI; rv:1.7.12) Gecko/20050919 Firefox/1.0.7
J-M
diamond member
Posts: 815
Joined: Sun 25 Jul, 2004 9:16 am
Location: Helsinki, Finland
