
CERT Coordination Center

Mozilla-based browsers contain a buffer overflow in handling URIs containing a malformed IDN hostname

Vulnerability Note VU#573857

Original Release Date: 2005-09-09 | Last Revised: 2005-09-23

Overview

A vulnerability in the way Mozilla products and derivative programs handle certain malformed URIs could allow a remote attacker to execute arbitrary code on a vulnerable system.

Description

Mozilla products, including the Mozilla Suite and Mozilla Firefox, are vulnerable to a buffer overflow in the way they handle URIs containing certain IDN-encoded hostnames. An error in the conversion of a hostname consisting of Unicode "soft hyphen" characters (U+00AD) to the UTF-8 character set causes a buffer overflow. By convincing a user to view an HTML document (e.g., via a web page or email message), an attacker could execute arbitrary code with the privileges of the user running the vulnerable application.

Note: Exploit code for this vulnerability is publicly available.

Impact

A remote attacker may be able to execute arbitrary code on a vulnerable system. The code would be executed in the context of the user running the vulnerable browser. In some instances, exploitation may only cause the browser to crash, resulting in a denial of service.

Solution

Upgrade

The Mozilla project has released version 1.0.7 of the Firefox web browser, which includes a patch for this issue. Firefox users are encouraged to upgrade to this version of the software.

The Mozilla project has also released version 1.7.12 of the Mozilla Suite product, which includes a patch for this issue. Mozilla Suite users are encouraged to upgrade to this version of the software.

Workarounds


Disable the use of IDN

Mozilla and Firefox users are encouraged to consider disabling IDN. While implementing this workaround does not correct the buffer overflow error, it prevents the vulnerable portion of code from being exploited. This can be accomplished by adding the following line to the prefs.js file:

user_pref("network.enableIDN", false);

or by following these steps:

    1. Open the browser, type about:config into the location bar, and hit enter.
    2. In the "Filter" dialog box, enter "network.enableIDN" (without the quotation marks) and hit enter.
    3. A single Preference Name should appear in the results.
    4. Double-click on the result. In Firefox, this will toggle the value from true to false. In Mozilla, this will open a dialog box titled "Enter boolean value." Enter "false" into this box and hit enter.
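
On systems with many browser profiles, the workaround can be audited and applied with a script. The following Python sketch is an added example, not part of the original CERT note: the profile names and prefs.js contents are constructed, and it assumes that a later entry in prefs.js overrides an earlier one.

```python
import re

# One user_pref("name", value); entry; commented-out lines do not match.
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;', re.M)
PREF = "network.enableIDN"
WORKAROUND = 'user_pref("network.enableIDN", false);'

def idn_state(prefs_text):
    """Return 'disabled', 'enabled' or 'default' (no entry) for network.enableIDN."""
    state = "default"
    for name, value in PREF_RE.findall(prefs_text):
        if name == PREF:
            # Assumption: a later entry overrides an earlier one.
            state = "disabled" if value == "false" else "enabled"
    return state

def apply_workaround(prefs_text):
    """Drop every existing network.enableIDN entry and append the workaround line."""
    kept = [ln for ln in prefs_text.splitlines()
            if PREF not in [n for n, _ in PREF_RE.findall(ln)]]
    return "\n".join(kept + [WORKAROUND]) + "\n"

def unmitigated(profiles):
    """Given {profile_name: prefs.js text}, list profiles where IDN is still on."""
    return sorted(p for p, text in profiles.items() if idn_state(text) != "disabled")

# Constructed prefs.js contents for three hypothetical profiles.
SAMPLE_PROFILES = {
    "alice": 'user_pref("browser.startup.homepage", "about:blank");\n',
    "bob": '// user_pref("network.enableIDN", false);\n'
           'user_pref("network.enableIDN", true);\n',
    "carol": 'user_pref("network.enableIDN", false);\n',
}

if __name__ == "__main__":
    print("needs workaround:", unmitigated(SAMPLE_PROFILES))
    fixed = {p: apply_workaround(t) for p, t in SAMPLE_PROFILES.items()}
    print("after fix:", unmitigated(fixed))
```

A profile with no entry is reported as unmitigated because the preference is true unless set otherwise. Edit prefs.js only while the browser is closed, since the browser rewrites the file on exit.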

    Vendor Information


    Fedora Project

    Updated:  September 19, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The Fedora Project has released the following update notifications in response to this issue:

    Users are encouraged to review these notices and apply the appropriate patches that they refer to.

    If you have feedback, comments, or additional information about this vulnerability, please send us email.

    Gentoo Linux

    Updated:  September 19, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The Gentoo Linux security team has published Gentoo Linux Security Advisory GLSA 200509-11 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


    Mozilla, Inc.

    Notified:  September 09, 2005 Updated:  September 09, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The Mozilla Foundation Security Team has published preliminary solution information in the following document:

    Red Hat, Inc.

    Updated:  September 16, 2005

    Status

      Vulnerable

    Vendor Statement

    This issue affects the Firefox browser as shipped in Red Hat Enterprise
    Linux 4, and the Mozilla browser in Red Hat Enterprise Linux 2.1, 3, and
    4.  Updated Firefox and Mozilla packages to correct this issue are
    available at the URL below and by using the Red Hat Network 'up2date'
    tool.

    http://rhn.redhat.com/errata/CAN-2005-2871.html

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Ubuntu

    Updated:  September 16, 2005

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The Ubuntu Linux security team has published Ubuntu Security Notice USN-181-1 in response to this issue. Users are encouraged to review this notice and apply the patches that it refers to.



    CVSS Metrics

    Group          Score  Vector
    Base           N/A    N/A
    Temporal       N/A    N/A
    Environmental  N/A

    Acknowledgements

    This vulnerability was reported by Tom Ferris.

    This document was written by Chad Dougherty and Will Dormann.

    Other Information

    CVE IDs: CVE-2005-2871
    Severity Metric: 19.13
    Date Public: 2005-09-09
    Date First Published: 2005-09-09
    Date Last Updated: 2005-09-23 18:29 UTC
    Document Revision: 24

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.