Document Title:
===============
Mozilla Prism v1.0b4 - Stack Overflow Vulnerability

Date:
=====
2011-08-29

References:
===========
Video: http://www.vulnerability-lab.com/get_content.php?id=217

VL-ID:
=====
80

Common Vulnerability Scoring System:
====================================
7.3

Introduction:
=============
Prism is designed to create a better environment for running your favorite web-based applications. Much of what we used to accomplish using an application running locally on our computers is moving into the web browser. Thanks to advances in web technology, these apps are increasingly powerful and usable. As a result, applications like Gmail, Facebook and Google Docs are soaring in popularity.

(Copy of Vendor Homepage: http://labs.mozilla.com/prism/)

Abstract:
=========
The Vulnerability Laboratory Research Team discovered a buffer overflow vulnerability in the Mozilla Prism Secure Browser Engine.

Report-Timeline:
================
2011-09-01: Public or Non-Public Disclosure

Status:
========
Published

Affected Products:
==================

Exploitation-Technique:
=======================
Remote

Severity:
=========
High

Details:
========
A buffer overflow vulnerability was detected in Mozilla Prism. Neither the Prism application nor the Firefox add-on restricts the size of the URL and Name input fields, and an overlong value is not caught by any exception handling. A local attacker can therefore generate a specially crafted web-app container that overflows a stack buffer when the container is created or executed, compromising the local system. Remote code execution through a container file delivered over the network is also possible, but it requires user interaction (the victim has to open or create the application).
Vulnerable Module(s):
                    [+] URL
                    [+] Name

--- Exception Logs ---
(Windows Error Reporting output, translated from German; all field values are unchanged)

  Problem Event Name:       BEX
  Application Name:         prism.exe
  Application Version:      1.9.0.3405
  Application Timestamp:    49f89f9d
  Fault Module Name:        StackHash_1477
  Fault Module Version:     0.0.0.0
  Fault Module Timestamp:   00000000
  Exception Offset:         00390039
  Exception Code:           c0000005
  Exception Data:           00000008
  OS Version:               6.0.6002.2.2.0.768.3
  Locale ID:                1031
  Additional Information 1: 1477
  Additional Information 2: 528bb57b980c1da9bf8c456a3876b4b2
  Additional Information 3: 22f3
  Additional Information 4: 05475e8449807bb817c3945e60bda828

Reading the log: BEX is Windows Error Reporting's label for a buffer overflow exception. Exception code c0000005 with exception data 00000008 is an access violation on an execute access (a DEP fault), and a fault module of StackHash_xxxx means the faulting address lies in no loaded module, so the exception offset 00390039 is the faulting instruction address itself. That address is the UTF-16 encoding of the text "99": the overlong input has been copied over a saved return address or register and the CPU is trying to execute from it. The firefox.exe log below shows the same pattern with 00410041, the UTF-16 encoding of "AA", which matches the run of 'A' characters used in the proof of concept.

After this first exception, a second crash follows in MSVCR80.dll, the C runtime the process is linked against:

Problem Signature:
  Problem Event Name:       APPCRASH
  Application Name:         prism.exe
  Application Version:      1.9.0.3405
  Application Timestamp:    49f89f9d
  Fault Module Name:        MSVCR80.dll
  Fault Module Version:     8.0.50727.4016
  Fault Module Timestamp:   49cc5361
  Exception Code:           c0000005
  Exception Offset:         0001500a
  OS Version:               6.0.6002.2.2.0.768.3
  Locale ID:                1031
  Additional Information 1: b909
  Additional Information 2: f50f35bb1bdeb3eed6178072ceb2495a
  Additional Information 3: 0dbf
  Additional Information 4: 513496628e20510b683769cabf59ab66

The same vulnerability exists in the Firefox browser add-on, which is the vector for remote exploitation:
Problem Signature:
  Problem Event Name:       BEX
  Application Name:         firefox.exe
  Application Version:      1.9.0.3399
  Application Timestamp:    49f1091d
  Fault Module Name:        StackHash_9a32
  Fault Module Version:     0.0.0.0
  Fault Module Timestamp:   00000000
  Exception Offset:         00410041
  Exception Code:           c0000005
  Exception Data:           00000008
  OS Version:               6.0.6002.2.2.0.768.3
  Locale ID:                1031
  Additional Information 1: 9a32
  Additional Information 2: 5c619ea68c3b46f708861a8835d2b5e5
  Additional Information 3: f208
  Additional Information 4: e71079d1087215128ac25af60fabae36

Problem Signature:
  Problem Event Name:       APPCRASH
  Application Name:         firefox.exe
  Application Version:      1.9.0.3399
  Application Timestamp:    49f1091d
  Fault Module Name:        MOZCRT19.dll
  Fault Module Version:     8.0.0.0
  Fault Module Timestamp:   49f10980
  Exception Code:           c0000005
  Exception Offset:         000128da
  OS Version:               6.0.6002.2.2.0.768.3
  Locale ID:                1031
  Additional Information 1: 5c96
  Additional Information 2: 4f590d68f590cfa1f545b49c8a8defc2
  Additional Information 3: 79ca
  Additional Information 4: 57c55b385489b6eb2c074786b4e64832

Pictures:
  ../debugger-analyse.png
  ../prism_buffer-overflow.png
  ../prism_buffer-overflow2.png
  ../ff-plugin_bof.png
  ../ff-plugin_bof2.png

Proof of Concept:
=================
The vulnerability can be exploited by local or remote attackers. To reproduce it manually:

1. Start the Prism application.
2. As a local user, enter an overlong value in the URL or Name field, for example:
   http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA+'
3. Click OK to generate the application file on the desktop.
4. The process crashes immediately with a BEX (buffer overflow) exception.
5. At this point the overflowed input has overwritten the registers, which the attacker controls.

PoC: ../0pam0

The same method verifies the bug in the browser add-on; the result is a reproducible browser crash caused by the buffer overflow.

Solution:
=========
Restrict the URL and Name input fields to a maximum length and validate the input with dedicated exception handling, rejecting overlong values instead of processing them.

Risk:
=====
The security risk of the buffer overflow vulnerability is estimated as high.
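The unchecked-copy pattern the Details section describes, beside the bounded version the Solution calls for, as an added C example written for this page (it is not Prism's or Mozilla's code; the record layout, the field sizes and every function name are hypothetical). It also includes a small helper that shows why the exception offsets in the logs read 00390039 and 00410041: those are the UTF-16LE encodings of "99" and "AA", the value a saved register or return address takes when a run of those characters is copied over it.

```c
/* Added example for this advisory (not Prism's or Mozilla's code).
 * set_url_unchecked() is the overflow pattern from the Details section,
 * set_url_checked() the bounded form the Solution calls for, and
 * utf16le_dword_at() shows how a UTF-16LE filler string lands in a
 * 32-bit register or return-address slot. Sizes and names are hypothetical. */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>

#define APP_NAME_MAX 32   /* hypothetical field sizes, in wchar_t units */
#define APP_URL_MAX  64

/* Hypothetical record written into a generated web-app container. */
struct webapp_record {
    wchar_t name[APP_NAME_MAX];
    wchar_t url[APP_URL_MAX];
};

/* Vulnerable pattern: wcscpy copies until the terminator regardless of the
 * destination size. With more than APP_URL_MAX-1 characters the copy runs
 * past rec->url; when rec lives on the stack it reaches saved registers and
 * the return address, which is what the BEX crashes in the logs show. */
void set_url_unchecked(struct webapp_record *rec, const wchar_t *url)
{
    wcscpy(rec->url, url);
}

/* Hardened form: measure at most APP_URL_MAX characters (never scanning
 * past the limit) and reject input that does not fit rather than silently
 * truncating it. Returns 0 on success, -1 if the input is too long. */
int set_url_checked(struct webapp_record *rec, const wchar_t *url)
{
    size_t n = 0;
    while (n < APP_URL_MAX && url[n] != L'\0')
        n++;
    if (n == APP_URL_MAX)
        return -1;                      /* no room for the terminator */
    memcpy(rec->url, url, (n + 1) * sizeof(wchar_t));
    return 0;
}

/* Constructed input: a URL of `len` 'A' characters fed to the bounded setter.
 * Returns -1 if rejected, 0 if accepted and stored intact, 1 if accepted but
 * stored wrongly (must never happen). */
int try_url_of_length(size_t len)
{
    struct webapp_record rec;
    wchar_t buf[4 * APP_URL_MAX];
    if (len > 4 * APP_URL_MAX - 1)
        len = 4 * APP_URL_MAX - 1;
    for (size_t i = 0; i < len; i++)
        buf[i] = L'A';
    buf[len] = L'\0';
    if (set_url_checked(&rec, buf) != 0)
        return -1;
    return wcscmp(rec.url, buf) == 0 ? 0 : 1;
}

/* Encode an ASCII string as UTF-16LE (2 bytes per character, no terminator)
 * into out; returns the number of bytes written, at most out_len. */
size_t ascii_to_utf16le(const char *s, uint8_t *out, size_t out_len)
{
    size_t n = 0;
    for (; *s != '\0' && n + 2 <= out_len; s++, n += 2) {
        out[n] = (uint8_t)*s;
        out[n + 1] = 0x00;
    }
    return n;
}

/* The 32-bit little-endian value loaded from byte offset `off` when the
 * UTF-16LE form of `filler` has overwritten a saved register or return
 * address. "AAAA" at offset 0 gives 0x00410041 (the firefox.exe exception
 * offset), "9999" gives 0x00390039 (the prism.exe one). Returns 0 when
 * `off` is out of range. */
uint32_t utf16le_dword_at(const char *filler, size_t off)
{
    uint8_t buf[512];
    size_t n = ascii_to_utf16le(filler, buf, sizeof buf);
    if (off + 4 > n)
        return 0;
    return (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
           (uint32_t)buf[off + 2] << 16 | (uint32_t)buf[off + 3] << 24;
}

int main(void)
{
    printf("url of %d chars: %d\n", APP_URL_MAX - 1, try_url_of_length(APP_URL_MAX - 1));
    printf("url of %d chars: %d\n", 3 * APP_URL_MAX, try_url_of_length(3 * APP_URL_MAX));
    printf("\"AAAA\" as a dword: 0x%08" PRIx32 "\n", utf16le_dword_at("AAAA", 0));
    printf("\"9999\" as a dword: 0x%08" PRIx32 "\n", utf16le_dword_at("9999", 0));
    /* set_url_unchecked() with the overlong input is the vulnerable path; it
     * is deliberately not called here because it would corrupt this frame. */
    return 0;
}
```

The bounded setter rejects rather than truncates on purpose: a silently shortened URL would launch a different site than the one the user typed, so a hard error is the safer failure mode for an input that should never be that long.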
Credits:
========
Vulnerability Research Laboratory

Disclaimer:
===========
The information provided in this advisory is provided as is, without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:  www.vulnerability-lab.com - www.vuln-lab.com - www.vulnerability-lab.com/register
Contact:  admin@vulnerability-lab.com - support@vulnerability-lab.com - research@vulnerability-lab.com
Section:  video.vulnerability-lab.com - forum.vulnerability-lab.com - news.vulnerability-lab.com
Social:   twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:    vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partial use, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by the Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website are trademarks of the vulnerability-lab team and the specific authors or managers. To record, list (feed), modify, use or edit our material, contact admin@vulnerability-lab.com or support@vulnerability-lab.com to obtain permission.

Copyright © 2012 | Vulnerability Laboratory