First Vulnerability for Firefox 1.5 (released version) Announced - PoC available
Update 2: The official response from the folks at mozilla.org can be found here. Their results match our testing, that we were able to make it take a long time for Firefox to start, but were not able to make it crash. Further, there doesn't seem to be any credible evidence at this time that this could be exploited to execute arbitrary code.
When Firefox 1.5 was officially released I wondered when the first security vulnerability would be announced. To be fair, it's taken longer than I thought it would. Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, firefox will be unable to be started until you erase the history.dat file manually. Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine with the extra fun step of being reinstalled after each restart of firefox (unless you erase history.dat).
As we research this more, details will be added on to this post.
UPDATES:
The machine I was testing this on has McAfee Enterprise 8, and Firefox would not crash. Despite my valiant efforts in disabling the protection, I couldn't get it to crash. While annoyed that I couldn't (short of uninstalling) get the protection disabled, it probablly is a good thing. I'll test more when I get in the office tomorrow and have more machines to play with.
This seems to be more of a denial of service than a true buffer overflow. It looks like Firefox just chokes on page topics that are too long. Some people it hangs, other people it crashes.
WORKAROUNDS:
However, the following is a workaround that should work (if it doesn't let me know). Go to Tools -> Options.
Select the Privacy Icon, and then the History tab. Set the number of days to save pages at 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit. Readers have confirmed that this workaround does prevent the buffer overflow. You can also change your privacy settings to delete personal info when you close Firefox.
Another workaround is to modify prefs.js while Firefox has not been started and put in the line:
user_pref("capability.policy.default.HTMLDocument.title.set","noAccess");
Lastly, you can also run the NoScript extension, found here. (Which I have not looked at in depth.) However, there are other ways of exploiting this where NoScript might not work.
Some users have reported being unable to reproduce this error. I will test more to try to establish what makes this work and not. So far it appears Mac users are not affected by this.
HOW TO LOCATE THE PROFILE FOLDER:
If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is.
You can find instructions for locating the profile folder at the following URL: http://www.mozilla.org/support/firefox/edit#profile.
--
John Bambenek, bambenek *at* gmail *dot* com
When Firefox 1.5 was officially released I wondered when the first security vulnerability would be announced. To be fair, it's taken longer than I thought it would. Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, firefox will be unable to be started until you erase the history.dat file manually. Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine with the extra fun step of being reinstalled after each restart of firefox (unless you erase history.dat).
As we research this more, details will be added on to this post.
UPDATES:
The machine I was testing this on has McAfee Enterprise 8, and Firefox would not crash. Despite my valiant efforts in disabling the protection, I couldn't get it to crash. While annoyed that I couldn't (short of uninstalling) get the protection disabled, it probablly is a good thing. I'll test more when I get in the office tomorrow and have more machines to play with.
This seems to be more of a denial of service than a true buffer overflow. It looks like Firefox just chokes on page topics that are too long. Some people it hangs, other people it crashes.
WORKAROUNDS:
However, the following is a workaround that should work (if it doesn't let me know). Go to Tools -> Options.
Select the Privacy Icon, and then the History tab. Set the number of days to save pages at 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit. Readers have confirmed that this workaround does prevent the buffer overflow. You can also change your privacy settings to delete personal info when you close Firefox.
Another workaround is to modify prefs.js while Firefox has not been started and put in the line:
user_pref("capability.policy.default.HTMLDocument.title.set","noAccess");
Lastly, you can also run the NoScript extension, found here. (Which I have not looked at in depth.) However, there are other ways of exploiting this where NoScript might not work.
Some users have reported being unable to reproduce this error. I will test more to try to establish what makes this work and not. So far it appears Mac users are not affected by this.
HOW TO LOCATE THE PROFILE FOLDER:
If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is.
You can find instructions for locating the profile folder at the following URL: http://www.mozilla.org/support/firefox/edit#profile.
--
John Bambenek, bambenek *at* gmail *dot* com
Keywords:
0 comment(s)
Vulnerabilities in phpMyAdmin, Dell's TrueMobile 2300 Wireless Router and couple of PoC exploits.
Otherwise slow day was interrupted by a small flood of vulnerability advisories and exploits. Be sure to patch your systems if you use any of the products mentioned below.
Stefan Esser published a critical vulnerability in phpMyAdmin, popular web based MySQL administration package. What's interesting about this vulnerability is that, in fact, it happens in the code which should protect the application.
The variable $import_blocklist is supposed to list variables that may not be overwritten. However, as this variable is not protected, an attacker can overwrite it and change the blocklist, after which this can be exploited to execute arbitrary script code in user's browser session, in the context of the site running a vulnerable installation of phpMyAdmin.
If you use this product, be sure to upgrade to phpMyAdmin 2.7.0-p1 from http://sourceforge.net/project/showfiles.php?group_id=23067. The original advisory is at http://www.hardened-php.net/advisory_252005.110.html.
Thanks to Richard for sending the note!
Besides this, iDefense published an advisory about a design error in Dell's TrueMobile 2300 Wireless Broadband Router. By accessing a certain page it is possible to obtain another page which will allow an attacker to reset authentication credentials.
It was reported that the following firmware versions are affected:
* 3.0.0.8, dated 07/24/2003
* 5.1.1.6, dated 1/31/2004
Dell stated that this product is no longer being sold and that it was replaced with newer models which are not affected by this vulnerability, so no patch will be released.
We wonder if you can go and return the device for a new one - let us know if you try to do this.
Finally, PoC exploits for some old vulnerabilities have been released.
First one is for a two-year old Oracle 9i vulnerability, XDB HTTP Authentication Remote Stack Overflow Exploit. You can find more information about the vulnerability at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727.
The second exploit was for HP OpenView Network Node Manager Remote Command Execution vulnerability. connectedNodes.ovpl, a script that comes with HP OpenView, had inadequate input validation so an attacker was able to execute arbitrary system level commands. HP released the patch for this vulnerability on 5th of October; their original advisory is available at http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01224.
Stefan Esser published a critical vulnerability in phpMyAdmin, popular web based MySQL administration package. What's interesting about this vulnerability is that, in fact, it happens in the code which should protect the application.
The variable $import_blocklist is supposed to list variables that may not be overwritten. However, as this variable is not protected, an attacker can overwrite it and change the blocklist, after which this can be exploited to execute arbitrary script code in user's browser session, in the context of the site running a vulnerable installation of phpMyAdmin.
If you use this product, be sure to upgrade to phpMyAdmin 2.7.0-p1 from http://sourceforge.net/project/showfiles.php?group_id=23067. The original advisory is at http://www.hardened-php.net/advisory_252005.110.html.
Thanks to Richard for sending the note!
Besides this, iDefense published an advisory about a design error in Dell's TrueMobile 2300 Wireless Broadband Router. By accessing a certain page it is possible to obtain another page which will allow an attacker to reset authentication credentials.
It was reported that the following firmware versions are affected:
* 3.0.0.8, dated 07/24/2003
* 5.1.1.6, dated 1/31/2004
Dell stated that this product is no longer being sold and that it was replaced with newer models which are not affected by this vulnerability, so no patch will be released.
We wonder if you can go and return the device for a new one - let us know if you try to do this.
Finally, PoC exploits for some old vulnerabilities have been released.
First one is for a two-year old Oracle 9i vulnerability, XDB HTTP Authentication Remote Stack Overflow Exploit. You can find more information about the vulnerability at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-0727.
The second exploit was for HP OpenView Network Node Manager Remote Command Execution vulnerability. connectedNodes.ovpl, a script that comes with HP OpenView, had inadequate input validation so an attacker was able to execute arbitrary system level commands. HP released the patch for this vulnerability on 5th of October; their original advisory is available at http://itrc.hp.com/service/cki/docDisplay.do?docId=HPSBMA01224.
Keywords:
0 comment(s)
×
Diary Archives
Comments