Vulnerability Note VU#573857

Mozilla-based browsers contain a buffer overflow in handling URIs containing a malformed IDN hostname

Original Release date: 09 Sep 2005 | Last revised: 23 Sep 2005

Overview

A vulnerability in the way Mozilla products and derivative programs handle certain malformed URIs could allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Mozilla products, including the Mozilla Suite and Mozilla Firefox, are vulnerable to a buffer overflow in the way they handle URIs containing certain IDN-encoded hostnames. An error in the conversion of a hostname consisting of Unicode "soft hyphen" characters (U+00AD) to the UTF-8 character set causes a buffer overflow. By convincing a user to view an HTML document (e.g., via a web page or email message), an attacker could execute arbitrary code with the privileges of the user running the vulnerable application.

Note: Exploit code for this vulnerability is publicly available.

Impact

A remote attacker may be able to execute arbitrary code on a vulnerable system. The code would be executed in the context of the user running the vulnerable browser. In some instances, exploitation may only cause the browser to crash, resulting in a denial of service.

Solution

Upgrade

The Mozilla project has released version 1.0.7 of the Firefox web browser, which includes a patch for this issue. Firefox users are encouraged to upgrade to this version of the software.

The Mozilla project has also released version 1.7.12 of the Mozilla Suite product, which includes a patch for this issue. Mozilla Suite users are encouraged to upgrade to this version of the software.

Workarounds


Disable the use of IDN

Mozilla and Firefox users are encouraged to consider disabling IDN. While implementing this workaround does not correct the buffer overflow error, it prevents the vulnerable portion of code from being exploited. This can be accomplished by adding the following line to the prefs.js file:

user_pref("network.enableIDN", false);

or by following these steps:

  1. Open the browser, type about:config into the location bar, and hit enter.
  2. In the "Filter" dialog box, enter "network.enableIDN" (without the quotation marks) and hit enter.
  3. A single Preference Name should appear in the results.
  4. Double-click on the result. In Firefox, this will toggle the value from true to false. In Mozilla, this will open a dialog box titled "Enter boolean value." Enter "false" into this box and hit enter.
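
An added example, not part of the original note or of Mozilla's code: a Python check that reads the text of a profile's prefs.js and reports whether an installation is at a fixed release, covered by the workaround, or still exposed. It assumes the last user_pref line for a preference wins and that a missing network.enableIDN line means IDN is enabled; the function names and the sample prefs.js content are constructed for illustration.

```python
import re

# Fixed releases named in the note (Firefox 1.0.7, Mozilla Suite 1.7.12).
FIXED = {"firefox": (1, 0, 7), "mozilla": (1, 7, 12)}

# Matches an active user_pref("network.enableIDN", true|false); line.
# Lines commented out with "//" or "#" do not match because of the anchor.
PREF_RE = re.compile(
    r'^\s*user_pref\(\s*"network\.enableIDN"\s*,\s*(true|false)\s*\)\s*;',
    re.MULTILINE,
)

# Constructed sample prefs.js content, not taken from a real profile.
SAMPLE_PREFS = '''# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
// user_pref("network.enableIDN", true);
user_pref("network.enableIDN", false);
'''


def idn_enabled(prefs_text):
    """Return the effective network.enableIDN value from prefs.js text.

    Assumption: the last matching line wins, and with no line present the
    preference is true (the value the about:config steps start from).
    """
    values = PREF_RE.findall(prefs_text)
    return values[-1] == "true" if values else True


def parse_version(version):
    """Turn '1.0.6' into (1, 0, 6), keeping the leading digits of each part."""
    found = (re.match(r"\d+", part) for part in version.split("."))
    return tuple(int(m.group()) for m in found if m)


def triage(product, version, prefs_text):
    """Classify one installation as 'patched', 'mitigated' or 'exposed'."""
    if parse_version(version) >= FIXED[product]:
        return "patched"
    return "exposed" if idn_enabled(prefs_text) else "mitigated"


if __name__ == "__main__":
    for product, version, prefs in [("firefox", "1.0.6", SAMPLE_PREFS),
                                    ("firefox", "1.0.6", ""),
                                    ("mozilla", "1.7.12", "")]:
        print(product, version, triage(product, version, prefs))
```

A "mitigated" result means only that the workaround is in place; as the note says, disabling IDN does not correct the buffer overflow itself.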

Systems Affected

Vendor           Status    Date Notified  Date Updated
Fedora Project   Affected  -              19 Sep 2005
Gentoo Linux     Affected  -              19 Sep 2005
Mozilla, Inc.    Affected  09 Sep 2005    09 Sep 2005
Red Hat, Inc.    Affected  -              16 Sep 2005
Ubuntu           Affected  -              16 Sep 2005

CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

Credit

This vulnerability was reported by Tom Ferris.

This document was written by Chad Dougherty and Will Dormann.

Other Information

  • CVE IDs: CAN-2005-2871
  • Date Public: 09 Sep 2005
  • Date First Published: 09 Sep 2005
  • Date Last Updated: 23 Sep 2005
  • Severity Metric: 19.12
  • Document Revision: 24
