Mozilla Firefox and SeaMonkey UTF-8 encoded URL buffer overflow (HTML_URL_Unicode_Stack_Overflow)

About this signature or vulnerability

IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology:

This signature detects an attempt to exploit a stack overflow within a URL found in an HTML document.


False positives

IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: None known. Any data that triggers this event should be viewed as suspicious.

False negatives

IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Desktop, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology: Specially crafted exploits that build URLs at run time using a scripting language such as JavaScript will not be detected by this signature. Other signatures, such as JavaScript_NOOP_Sled or JavaScript_Large_Unescape, may trigger instead, but that is not guaranteed.

Default risk level

High

Sensors that have this signature

IBM Security Server Protection for Windows: 2.1.14.2400, BlackICE Server Protection: 3.6.cqz, IBM Security Server Protection for Windows: 1.0.914.2200, Proventia Network IDS: XPU 28.060, Proventia-G 1.1 and earlier: XPU 28.060, Proventia Network MFS: XPU 28.060, BlackICE PC Protection: 3.6cqz, RealSecure Server Sensor: XPU 28.060, RealSecure Network: XPU 28.060, Proventia Desktop: 2200, Proventia Network IPS: XPU 28.060, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 28.060

Systems affected

RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, SUSE SuSE Linux: 9.0, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, RedHat Enterprise Linux: 3 Desktop, SuSE SuSE SLES: 9, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Mozilla Firefox: 2.0, RedHat Linux Advanced Workstation: 2.1 Itanium, Canonical Ubuntu: 6.06 LTS, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Novell Linux POS: 9, Mozilla Firefox: 2.0.0.1, RedHat Enterprise Linux Optional Productivity Applications: 5 Server, Mozilla Firefox: 2.0.0.2, Mozilla Firefox: 2.0.0.3, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, Canonical Ubuntu: 7.04, Mozilla Firefox: 2.0.0.4, Mozilla Firefox: 2.0.0.5, Mozilla SeaMonkey: 1.1.3, Mozilla Firefox: 2.0.0.6, Novell SUSE Linux Enterprise Server: 10 SP1, Novell SUSE Linux Enterprise Desktop: 10 SP1, Novell SLE SDK: 10 SP1, RedHat Enterprise Linux: 5 Client, Canonical Ubuntu: 7.10, MandrakeSoft Mandrake Linux: 2008.0, MandrakeSoft Mandrake Linux: 2008.1 X86_64, Mozilla Firefox: 2.0.0.9, Mozilla SeaMonkey: 1.1.2, Mozilla SeaMonkey: 1.1.1, Mozilla SeaMonkey: 1.1.0, Mozilla Firefox: 2.0.0.7, Mozilla SeaMonkey: 1.1.4, Mozilla Firefox: 2.0.0.8, Mozilla SeaMonkey: 1.1.5, Mozilla SeaMonkey: 1.1.6, Mozilla Firefox: 2.0.0.11, Mozilla Firefox: 2.0.0.12, Mozilla Firefox: 2.0 Beta1, Mozilla Firefox: 2.0 rc2, Mozilla Firefox: 2.0 rc3, Mozilla Firefox: 2.0.0.10, Mozilla Firefox: 2.0.0.13, Mozilla SeaMonkey: 1.1.7, Mozilla SeaMonkey: 1.1.8, Mozilla SeaMonkey: 1.1.9, Novell Open Enterprise Server, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, MandrakeSoft Mandrake Linux: 2008.1, Canonical Ubuntu: 8.04 LTS, Mozilla Firefox: 2.0 Beta2, Mozilla Firefox: 2.0 rc1, Mozilla Firefox: 2.0.0.14, Novell OpenSUSE: 11.0, Novell SUSE Linux Enterprise Desktop: 10 SP2, Novell SUSE Linux Enterprise: 10 SP2 DEBUGINFO, Novell SLE SDK: 10 SP2, Novell SUSE Linux Enterprise Server: 10 SP2, Mozilla Firefox: 2.0.0.15, Mozilla SeaMonkey: 1.1.10, Mozilla SeaMonkey: 1.1.11, Mozilla Firefox: 2.0.0.16

Type

Unauthorized Access Attempt

Vulnerability description

Mozilla Firefox and SeaMonkey are vulnerable to a stack-based buffer overflow, caused by improper parsing of UTF-8 encoded URLs. By persuading a victim to visit a Web page containing a specially-crafted URL, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the browser to crash.
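
The Bugzilla entry listed under References attributes the overrun to an incomplete multi-byte sequence reaching ConvertUTF8toUTF16. The following is an added illustration, not Mozilla's code and not part of the original advisory, of the bounds checks a UTF-8 to UTF-16 converter needs so that a truncated sequence is rejected instead of read past; the function name utf8_to_utf16_checked is hypothetical.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical helper (not Mozilla's ConvertUTF8toUTF16): converts
 * src[0..len) to UTF-16 in dst[0..cap). Returns the number of UTF-16
 * units written, or -1 on malformed or truncated input or lack of room. */
long utf8_to_utf16_checked(const unsigned char *src, size_t len,
                           uint16_t *dst, size_t cap)
{
    size_t i = 0, out = 0;
    while (i < len) {
        unsigned char b = src[i];
        uint32_t cp;
        size_t need;                      /* continuation bytes expected */
        if (b < 0x80)                    { cp = b;        need = 0; }
        else if (b >= 0xC2 && b <= 0xDF) { cp = b & 0x1F; need = 1; }
        else if ((b & 0xF0) == 0xE0)     { cp = b & 0x0F; need = 2; }
        else if (b >= 0xF0 && b <= 0xF4) { cp = b & 0x07; need = 3; }
        else return -1;          /* stray continuation or invalid lead */

        /* The lead byte promises `need` more bytes. Confirm they exist
         * before reading, so a sequence cut off at the end of the input
         * cannot move the read position past src + len. */
        if (need > len - i - 1) return -1;
        for (size_t k = 1; k <= need; k++) {
            if ((src[i + k] & 0xC0) != 0x80) return -1;
            cp = (cp << 6) | (src[i + k] & 0x3F);
        }
        i += need + 1;

        /* Reject overlong forms, surrogates and out-of-range values. */
        if ((need == 2 && cp < 0x800) || (need == 3 && cp < 0x10000) ||
            (cp >= 0xD800 && cp <= 0xDFFF) || cp > 0x10FFFF) return -1;

        /* Check output room for this code point (1 or 2 units). */
        size_t units = cp >= 0x10000 ? 2 : 1;
        if (units > cap - out) return -1;
        if (units == 1) {
            dst[out++] = (uint16_t)cp;
        } else {
            cp -= 0x10000;
            dst[out++] = (uint16_t)(0xD800 | (cp >> 10));
            dst[out++] = (uint16_t)(0xDC00 | (cp & 0x3FF));
        }
    }
    return (long)out;
}
```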

How to remove this vulnerability

Refer to MFSA 2008-37 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

Bugzilla@Mozilla - Bug 451617
ConvertUTF8toUTF16 with incomplete multi-byte character sequence can cause overrun
https://bugzilla.mozilla.org/show_bug.cgi?id=451617

Bugzilla@Mozilla - Bug 443288
(CVE-2008-0016) Investigate CVE 2008-0016: crash [@ nsACString_internal::SetLength]
https://bugzilla.mozilla.org/show_bug.cgi?id=443288

MFSA 2008-37
UTF-8 URL stack buffer overflow
http://www.mozilla.org/security/announce/2008/mfsa2008-37.html

IBM Internet Security Systems Protection Advisory September 24, 2008
Mozilla Unicode URL Stack Overflow
http://www.iss.net/threats/303.html

Sun Alert ID: 256408
Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to Unauthorized Data
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256408-1

NORTEL BULLETIN ID: 2009009505, Rev 1
Nortel Response to Sun Alert 256408 - Solaris 10 - Vulnerabilities in Firefox May Allow Execution of Arbitrary Code
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=909495&poid=

milw0rm.com [2009-09-14]
Mozilla Firefox 2.0.0.16 UTF-8 URL Remote Buffer Overflow Exploit
http://milw0rm.com/exploits/9663

ISS X-Force
Mozilla Firefox and SeaMonkey UTF-8 encoded URL buffer overflow
http://www.iss.net/security_center/static/42088.php

CVE
CVE-2008-0016
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0016