xpgeek Posted September 23, 2005

washingtonpost.com weblog Security Fix is reporting that an exploit for a Mozilla security bug has been released. The PwnZilla 5 code takes advantage of the international domain name (IDN) link buffer overflow flaw, details of which were published earlier this month. The weblog post says that the exploit code "could let attackers take complete control over computers cruising the Web with unpatched versions of the Firefox Internet browser". Previous public exploits for the vulnerability have been basic proof-of-concepts that simply crash the browser.

The exploit, created by Berend-Jan "SkyLined" Wever, can be used against vulnerable versions of Mozilla Firefox, the Mozilla Application Suite and Netscape Browser 8. The latest Firefox 1.0.7 and Mozilla 1.7.12 releases, which have been made available over the past few days, are not affected as they both include a fix for the flaw. However, there is no fix available for Netscape Browser 8 (currently on version 8.0.3.3), though the exploit apparently works less reliably with this browser.

Security Fix author Brian Krebs says that "the code is designed to be embedded in a Web site so that anyone computer (sic) visiting the evil site with Firefox or Netscape would open up a line of communication with another Internet address of the attacker's choice, effectively letting the bad guys control the victim computer from afar." He cites the French Security Incident Response Team (FrSIRT) as the source for this analysis, but FrSIRT's copy of the PwnZilla 5 code does not appear to include this information.

Exploit author SkyLined credits several people with assisting him in the creation of PwnZilla 5. In his description of the code, he says, "Since Netscape has not replied to reports about this vulnerability I've chosen to release it."
However, he goes on to qualify this by stating that the exploit is optimised for Firefox (which has a fixed version available) and rarely works with Netscape (which does not).

Any Firefox 1.0.x and Mozilla 1.x users who have not upgraded to versions 1.0.7 and 1.7.12 respectively are advised to do so immediately (see our article on the release of Firefox 1.0.7 and our article on the release of Mozilla 1.7.12 for more details). It should be noted that Firefox 1.5 Beta 1 is vulnerable to the flaw, so users should either revert to an end-user release of Firefox (that is, 1.0.7) or update to a more recent Firefox nightly build from the 1.8 branch. SeaMonkey 1.0 Alpha is not affected by the vulnerability (but the Linux version is at risk from the Linux command line URL parsing security bug).

Last week, CNET News.com warned that hackers were probably working on exploits for the IDN flaw. The vulnerability was originally reported to the Mozilla Foundation by Tom Ferris, who elected to make it public before fixed versions of Firefox and the Mozilla Application Suite were released. SecurityProNews reporter John Stith interviewed Tom Ferris about the IDN vulnerability last week, providing more insight into why Ferris chose to publish details of the flaw. Stith's article states: "He [Ferris] also commented that when he initially submitted all his information to Mozilla, they seemed at odds and he felt put out by them... Microsoft has always 'treated him more like a professional.' He said he felt the folks over at Mozilla treated him more like a kid."

http://www.mozillazine.org/

Question, paging supernova_00: I remember reading of a second discovered flaw, affecting 1.5 B1 and not 1.0.6, that was exploitable even with IDN disabled. Is 1.5 B1 still safe to use with IDN disabled, or do you recommend an update to a newer nightly branch build?
IceDogg Posted September 23, 2005

I haven't heard of one that works even if IDN is disabled. Not for an IDN link buffer overflow. BTW, this isn't the first for IDN, so I have it disabled and will not enable it again unless I have to.
xpgeek Posted September 23, 2005 (Author)

Had to search for a bit, but I knew I saw it somewhere. Second vulnerability discovered affecting only 1.5 Beta 1 and not 1.0.6, even with IDN disabled.

Another Firefox flaw? Even with the fix that disables IDN installed, a buffer overflow vulnerability exists in Firefox 1.5 beta 1, Ferris wrote on his Security Protocols Web site. The problem is a variant of the original IDN bug, he wrote.

http://news.com.com/New+Firefox%2C+Mozilla..._3-5865882.html

Versions Affected: Firefox 1.5 Beta 1 (Deer Park Alpha 2) build 1.8b4 with IDN disabled.

Overview: A buffer overflow vulnerability exists within Firefox 1.5 Beta 1 with IDN disabled that allows an attacker to remotely execute arbitrary code on an affected host. Firefox 1.0.6 and all prior versions are not affected by this particular variant of the 'Host:' issue.

http://www.security-protocols.com/modules....rticle&sid=2920
IceDogg Posted September 23, 2005

Thanks. I have the latest branch build (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b5) Gecko/20050923 Firefox/1.4 ID:2005092307) and it still crashes it. So updating to a branch (nightly of 1.5) wouldn't help any, so far. I would stick to trusted sites till they get this fixed, or maybe use the public version 1.0.7. This one doesn't affect the 1.0.7 version, which is what most should use.
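A defender-side check suggested by the version discussion in this thread (an added example, not code from any poster or from Mozilla): scan the User-Agent strings in web proxy logs for the builds the thread names as affected, so an administrator can find who still needs to move to Firefox 1.0.7 or Mozilla 1.7.12. The log lines, the status labels and the field layout are constructed here; the version boundaries come from the posts above.

```python
import re

# Constructed sample proxy log lines (client IP, then the quoted User-Agent); not from the thread.
SAMPLE_LOG = [
    '10.0.0.5 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050716 Firefox/1.0.6"',
    '10.0.0.6 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7"',
    '10.0.0.7 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050908 Firefox/1.4"',
    '10.0.0.8 "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050920"',
    '10.0.0.9 "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513"',
    '10.0.0.10 "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"',
]

LINE_RE = re.compile(r'^(\S+) "([^"]*)"')
RV_RE = re.compile(r'rv:(\d+(?:\.\d+)*)(b\d+)?')      # Gecko engine version, e.g. rv:1.7.12 or rv:1.8b4
FIREFOX_RE = re.compile(r'Firefox/(\d+(?:\.\d+)*)')   # absent for the Mozilla Application Suite

def vtuple(s):
    """'1.0.6' -> (1, 0, 6), padded to three components so tuples compare cleanly."""
    parts = [int(p) for p in s.split('.')]
    return tuple(parts + [0] * (3 - len(parts)))

def classify(user_agent):
    """Map a Gecko User-Agent string to the patch status described in the thread."""
    rv = RV_RE.search(user_agent)
    if not rv:
        return 'not-gecko'
    rv_ver, beta = vtuple(rv.group(1)), rv.group(2)
    ff = FIREFOX_RE.search(user_agent)
    if ff:
        ff_ver = vtuple(ff.group(1))
        if ff_ver[:2] == (1, 0):
            return 'vulnerable: upgrade to Firefox 1.0.7' if ff_ver < (1, 0, 7) else 'fixed'
        if rv_ver[:2] == (1, 8) and beta:
            # Thread: 1.5 Beta 1 (rv:1.8b4) and the 2005-09-23 branch nightly still crash, even with IDN off.
            return 'vulnerable: 1.5 beta/1.8 branch build, use 1.0.7'
        return 'unknown'
    if rv_ver[:2] == (1, 7):  # no Firefox token: Mozilla Application Suite
        return 'vulnerable: upgrade to Mozilla 1.7.12' if rv_ver < (1, 7, 12) else 'fixed'
    return 'unknown'

def scan(lines):
    """Return (client, status) for every parseable log line."""
    out = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            out.append((m.group(1), classify(m.group(2))))
    return out
```

Netscape Browser 8, which the article says has no fix, reports its own product token and is not matched here; extend `classify` if that browser is in use on the network.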
Obi-Wan Kenobi Posted September 23, 2005

^That's what I use, and it doesn't do anything to my browser, AFAIK.