Mozilla Firefox IDN "Host:" Buffer Overflow

Release Date: September 8, 2005
Date Reported: September 4, 2005
Severity: Critical
Vendor: Mozilla

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Overview:
A buffer overflow vulnerability exists in Firefox 1.0.6 and all prior versions which allows a remote attacker to execute arbitrary code on an affected host.

Technical Details:
The problem occurs when a hostname consisting entirely of dashes causes the NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true while setting encHost to an empty string. Firefox therefore adds 0 to approxLen for the host portion, but then appends the long string of dashes to the buffer instead, so more bytes are written than the computed length accounted for.

The following HTML code will reproduce this issue:

Simple, huh? ;-]

Vendor Status:
Mozilla was notified, and I'm guessing they are working on a patch. Who knows, though?

Discovered by: Tom Ferris

Related Links:
www.security-protocols.com/firefox-death.html
www.security-protocols.com/advisory/sp-x17-advisory.txt
www.security-protocols.com/modules.php?name=News&file=article&sid=2910
www.evolvesecurity.com

Greetings: chico, modify, ac1djazz, dmuz, aempirei, Daniel Sergile, tupac shakur, and the rest of the angrypacket krew.

Copyright (c) 2005 Security-Protocols.com
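The length-accounting mistake the Technical Details describe can be modelled in a few lines of C. The following is an added illustration written for this page, not Mozilla's nsStandardURL code: normalize_idn is a hypothetical stand-in that, like the described NormalizeIDN behaviour, reports success but yields an empty encoded host for an all-dash name; approx_len_vulnerable budgets the buffer from that empty encoded host while bytes_appended shows what actually gets copied, and approx_len_fixed shows the obvious repair of sizing the buffer from the very string that will be appended. The 300-dash hostname in main is constructed sample input.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for NormalizeIDN (assumed behaviour, per the advisory):
 * returns 1 for success, but for a hostname that is nothing but dashes it
 * "succeeds" while leaving enc_host as an empty string. */
static int normalize_idn(const char *host, char *enc_host, size_t cap) {
    size_t n = strlen(host);
    if (n + 1 > cap)
        return 0;                               /* does not fit: report failure */
    if (n > 0 && strspn(host, "-") == n) {      /* all dashes: the degenerate case */
        enc_host[0] = '\0';
        return 1;
    }
    memcpy(enc_host, host, n + 1);              /* otherwise pass the host through */
    return 1;
}

/* Vulnerable accounting: the host contribution to approxLen is taken from
 * enc_host, which is 0 bytes long in the all-dash case. */
size_t approx_len_vulnerable(const char *scheme, const char *host) {
    char enc_host[512];
    size_t len = strlen(scheme) + 3;            /* "scheme://" */
    if (normalize_idn(host, enc_host, sizeof enc_host))
        len += strlen(enc_host);                /* adds 0 for an all-dash host */
    else
        len += strlen(host);
    return len;
}

/* What is actually copied into the buffer: when the encoded host came back
 * empty the original (long) host string is appended instead. */
size_t bytes_appended(const char *scheme, const char *host) {
    char enc_host[512];
    size_t len = strlen(scheme) + 3;
    if (normalize_idn(host, enc_host, sizeof enc_host) && enc_host[0] != '\0')
        len += strlen(enc_host);
    else
        len += strlen(host);                    /* the dashes go in after all */
    return len;
}

/* Hardened accounting: decide once which string will be appended, then size
 * the buffer from that same string, so budget and copy cannot disagree. */
size_t approx_len_fixed(const char *scheme, const char *host) {
    char enc_host[512];
    const char *use = host;
    if (normalize_idn(host, enc_host, sizeof enc_host) && enc_host[0] != '\0')
        use = enc_host;
    return strlen(scheme) + 3 + strlen(use);
}

/* 1 if the vulnerable budget is smaller than the bytes that get written. */
int overflows(const char *scheme, const char *host) {
    return bytes_appended(scheme, host) > approx_len_vulnerable(scheme, host);
}

int main(void) {
    char dashes[301];                           /* constructed sample: 300 dashes */
    memset(dashes, '-', 300);
    dashes[300] = '\0';

    printf("example.com : budget %zu, written %zu, overflow %d\n",
           approx_len_vulnerable("http", "example.com"),
           bytes_appended("http", "example.com"), overflows("http", "example.com"));
    printf("300 dashes  : budget %zu, written %zu, overflow %d\n",
           approx_len_vulnerable("http", dashes),
           bytes_appended("http", dashes), overflows("http", dashes));
    printf("300 dashes  : fixed budget %zu\n", approx_len_fixed("http", dashes));
    return 0;
}
```

The model only does the arithmetic; it never writes past a buffer. The point it makes is the one the advisory relies on: a length estimate computed from one string and a copy performed from a different string is a buffer overflow waiting for the input that makes the two differ, and an all-dash label is exactly that input here.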