[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] iDefense Security Advisory 10.28.09: Mozilla Firefox GIF Color Map Parsing Buffer Overflow Vulnerability

To: iDefense Labs <labs-no-reply@xxxxxxxxxxxx>
Subject: Re: [Full-disclosure] iDefense Security Advisory 10.28.09: Mozilla Firefox GIF Color Map Parsing Buffer Overflow Vulnerability
From: Sébastien Hénarès <henares.sebastien@xxxxxxxxx>
Date: Thu, 29 Oct 2009 16:45:48 +0100

where is the test vuln code ?

2009/10/28 iDefense Labs <labs-no-reply@xxxxxxxxxxxx>

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> iDefense Security Advisory 10.28.09
> http://labs.idefense.com/intelligence/vulnerabilities/
> Oct 28, 2009
>
> I. BACKGROUND
>
> Firefox is the Mozilla Foundation's open source internet web browser.
> Among the browser's capabilities is the display of GIF images. GIF is a
> widely used image format with features such as loss-less compression,
> animation and color palettes. For more information, visit the URLs
> shown below.
>
> http://www.mozilla.com/firefox/
>
> http://en.wikipedia.org/wiki/Graphics_Interchange_Format
>
> II. DESCRIPTION
>
> Remote exploitation of a buffer overflow in the Mozilla Foundation's
> libpr0n image processing library allows attackers to execute arbitrary
> code.
>
> The libpr0n GIF parser was designed using a state machine which is
> represented as a series of switch/case statements. One particularly
> interesting state, 'gif_image_header', is responsible for interpreting
> a single image/frame description record. A single GIF file may contain
> many images, each with a different color map associated.
>
> The problem lies in the handling of changes to the color map of
> subsequent images in a multiple-image GIF file. Memory reallocation is
> not managed correctly and can result in an exploitable heap overflow
> condition.
>
> III. ANALYSIS
>
> Exploitation of this vulnerability results in the execution of arbitrary
> code with the privileges of the user running the vulnerable application.
> To exploit this vulnerability, a targeted user must load a malicious Web
> page created by an attacker. An attacker typically accomplishes this via
> social engineering or injecting content into compromised, trusted sites.
>
> IV. DETECTION
>
> iDefense confirmed the existence of this vulnerability using Mozilla
> Firefox versions 3.0.13 and 3.5.2 on 32-bit Windows XP SP3. Other
> versions, and potentially other applications using libpr0n, are
> suspected to be vulnerable.
>
> V. WORKAROUND
>
> Although it is not widely viewed as a viable workaround, disabling
> automatic image loading can prevent exploitation of this vulnerability.
> The following steps explains how to disable this setting on Firefox
> 3.0.x.
>
>   1. From the "Tools" menu, select "Options"
>   2. Navigate to the "Content" settings.
>   3. Ensure that "Load images automatically" is not checked.
>
> VI. VENDOR RESPONSE
>
> Mozilla has released a patch which fixes this issue in Firefox 3.5.4,
> Firefox 3.0.15, and SeaMonkey 2.0. Information about downloadable
> vendor updates can be found by clicking on the URL shown.
>
> http://www.mozilla.com/en-US/firefox/ie.html
>
> VII. CVE INFORMATION
>
> The Common Vulnerabilities and Exposures (CVE) project has assigned the
> name CVE-2009-3373 to this issue. This is a candidate for inclusion in
> the CVE list (http://cve.mitre.org/), which standardizes names for
> security problems.
>
> VIII. DISCLOSURE TIMELINE
>
> 08/20/2009  - Initial Vendor Notification
> 10/27/2009  - Vendor Public Disclosure
> 10/28/2009  - iDefense Public Disclosure
>
> IX. CREDIT
>
> This vulnerability was reported to iDefense by regenrecht.
>
> Get paid for vulnerability research
> http://labs.idefense.com/methodology/vulnerability/vcp.php
>
> Free tools, research and upcoming events
> http://labs.idefense.com/
>
> X. LEGAL NOTICES
>
> Copyright © 2009 iDefense, Inc.
>
> Permission is granted for the redistribution of this alert
> electronically. It may not be edited in any way without the express
> written consent of iDefense. If you wish to reprint the whole or any
> part of this alert in any other medium other than electronically,
> please e-mail customerservice@xxxxxxxxxxxx for permission.
>
> Disclaimer: The information in the advisory is believed to be accurate
> at the time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS condition.
>  There are no warranties with regard to this information. Neither the
> author nor the publisher accepts any liability for any direct,
> indirect, or consequential loss or damage arising from use of, or
> reliance on, this information.
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.7 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iD8DBQFK6J6Ybjs6HoxIfBkRAn01AKDDafS/+W3ifh/UXOfAMQgGpk/YGgCfc0Uo
> 4FncE3T7P7SeNFaDcuNg3G8=
> =/3we
> -----END PGP SIGNATURE-----
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

References:
- [Full-disclosure] iDefense Security Advisory 10.28.09: Mozilla Firefox GIF Color Map Parsing Buffer Overflow Vulnerability
  - From: iDefense Labs

Prev by Date: [Full-disclosure] 2wire Remote Denial of Service
Next by Date: [Full-disclosure] [ MDVSA-2009:291 ] jetty5
Previous by thread: [Full-disclosure] iDefense Security Advisory 10.28.09: Mozilla Firefox GIF Color Map Parsing Buffer Overflow Vulnerability
Next by thread: [Full-disclosure] [SECURITY] [DSA 1922-1] New xulrunner packages fix several vulnerabilities
Index(es):
- Date
- Thread