Mozilla Firefox and SeaMonkey http-index-format parser buffer overflow (HTTP_Client_Converter_Null_Ptr_BO)

About this signature or vulnerability

Proventia Network IPS, Proventia Desktop, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Server Protection for Windows, BlackICE Server Protection, Proventia Server IPS for Linux technology, Virtual Server Protection for VMware:

This event triggers when an HTTP Directory Index response contains a '200' type that is greater than 72 bytes in length.

See also http://blogs.iss.net/archive/cve-2008-0017.html

This signature detects specially crafted HTTP data that can be used to overflow certain clients and execute code.
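
The trigger condition above, sketched as an added example (this is not IBM ISS signature code). Assumptions: the MIME type string is application/http-index-format, the length is measured over the whole "200:" line without its line terminator, and the function name and sample responses are constructed for illustration.

```python
# Added example: flag http-index-format responses whose "200:" line exceeds
# the 72-byte threshold quoted in the signature description.
THRESHOLD = 72  # bytes, taken from the signature text
INDEX_MIME = "application/http-index-format"  # assumed full MIME type name


def find_long_200_lines(content_type, body, threshold=THRESHOLD):
    """Return [(line_number, length)] for every oversized '200:' line.

    Assumption: the length covers the whole line, including the "200:"
    prefix, and excludes the line terminator.
    """
    # Only directory-index responses are in scope; ignore media-type parameters.
    if content_type.split(";", 1)[0].strip().lower() != INDEX_MIME:
        return []
    hits = []
    # bytes.splitlines() handles LF, CRLF and bare CR terminators.
    for lineno, line in enumerate(body.splitlines(), start=1):
        if line.startswith(b"200:") and len(line) > threshold:
            hits.append((lineno, len(line)))
    return hits


# Constructed sample: an ordinary directory listing (52-byte "200:" line).
BENIGN = (
    b"300: http://files.example.test/pub/\n"
    b"200: filename content-length last-modified file-type\n"
    b'201: "readme.txt" 1024 Sat,%2001%20Nov%202008%2000:00:00 FILE\n'
)

# Constructed sample: same listing with a 112-byte "200:" line.
OVERSIZED = (
    b"300: http://files.example.test/pub/\r\n"
    b"200: " + b" ".join([b"filename"] * 12) + b"\r\n"
    b'201: "readme.txt" 1024 Sat,%2001%20Nov%202008%2000:00:00 FILE\r\n'
)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("oversized", OVERSIZED)):
        print(name, find_long_200_lines(INDEX_MIME, sample))
```

A line of exactly 72 bytes is not flagged; the check fires only above the threshold, matching the "greater than 72 bytes" wording.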


Default risk level

High

Sensors that have this signature

Proventia Network IPS: XPU 28.060, Proventia Desktop: 2200, RealSecure Network: XPU 28.060, RealSecure Server Sensor: XPU 28.060, BlackICE PC Protection: 3.6cqz, Proventia Network MFS: XPU 28.060, Proventia-G 1.1 and earlier: XPU 28.060, Proventia Network IDS: XPU 28.060, IBM Security Server Protection for Windows: 1.0.914.2200, BlackICE Server Protection: 3.6.cqz, IBM Security Server Protection for Windows: 2.1.14.2400, Proventia Server IPS for Linux technology: 28.060, Virtual Server Protection for VMware: 1.0

Systems affected

RedHat Enterprise Linux: 2.1 AS, RedHat Enterprise Linux: 2.1 ES, RedHat Enterprise Linux: 2.1 WS, SUSE SuSE Linux: 9.0, RedHat Enterprise Linux: 3 WS, RedHat Enterprise Linux: 3 ES, RedHat Enterprise Linux: 3 AS, RedHat Enterprise Linux: 3 Desktop, SuSE SuSE SLES: 9, MandrakeSoft Mandrake Linux Corporate Server: 3.0, RedHat Enterprise Linux: 4 AS, RedHat Enterprise Linux: 4 Desktop, Novell Linux Desktop: 9, RedHat Enterprise Linux: 4 ES, RedHat Enterprise Linux: 4 WS, Mozilla Firefox: 2.0, RedHat Linux Advanced Workstation: 2.1 Itanium, MandrakeSoft Mandrake Linux Corporate Server: 4.0, MandrakeSoft Mandrake Linux Corporate Server: 4.0 X86_64, MandrakeSoft Mandrake Linux Corporate Server: 3.0 X86_64, Novell Linux POS: 9, Mozilla Firefox: 2.0.0.1, RedHat Enterprise Linux: 5, RedHat Enterprise Linux: 5 Client Workstation, Mozilla Firefox: 2.0.0.2, Mozilla Firefox: 2.0.0.3, MandrakeSoft Mandrake Linux: 2008.0 X86_64, Debian Debian Linux: 4.0, Mozilla Firefox: 2.0.0.4, Mozilla Firefox: 2.0.0.5, Mozilla SeaMonkey: 1.1.3, Mozilla Firefox: 2.0.0.6, Novell SUSE Linux Enterprise Server: 10 SP1, Novell SUSE Linux Enterprise Desktop: 10 SP1, Novell SLE SDK: 10 SP1, RedHat Enterprise Linux: 5 Client, MandrakeSoft Mandrake Linux: 2008.0, MandrakeSoft Mandrake Linux: 2008.1 X86_64, Mozilla Firefox: 2.0.0.9, Mozilla SeaMonkey: 1.1.2, Mozilla SeaMonkey: 1.1.1, Mozilla SeaMonkey: 1.1.0, Mozilla Firefox: 2.0.0.7, Mozilla SeaMonkey: 1.1.4, Mozilla Firefox: 2.0.0.8, Mozilla SeaMonkey: 1.1.5, Mozilla SeaMonkey: 1.1.6, Mozilla Firefox: 2.0.0.11, Mozilla Firefox: 2.0.0.12, Mozilla Firefox: 2.0.0.10, Mozilla Firefox: 2.0.0.13, Mozilla SeaMonkey: 1.1.7, Mozilla SeaMonkey: 1.1.8, Mozilla SeaMonkey: 1.1.9, Novell Open Enterprise Server, Novell OpenSUSE: 10.2, Novell OpenSUSE: 10.3, MandrakeSoft Mandrake Linux: 2008.1, Mozilla Firefox: 2.0.0.14, Mozilla Firefox: 3.0, Novell OpenSUSE: 11.0, Novell SUSE Linux Enterprise Desktop: 10 SP2, Novell SUSE Linux Enterprise: 10 SP2 DEBUGINFO, Novell SLE SDK: 10 SP2, Novell SUSE Linux Enterprise Server: 10 SP2, Mozilla Firefox: 2.0.0.15, Mozilla Firefox: 3.0.1, Mozilla SeaMonkey: 1.1.10, Mozilla SeaMonkey: 1.1.11, Mozilla Firefox: 2.0.0.16, Mozilla Firefox: 3.0.3, Mozilla Firefox: 3.0.2, Mandriva Linux: 2009.0, Mandriva Linux: 2009.0 X86_64, Mozilla Firefox: 2.0.0.17, Mozilla SeaMonkey: 1.1.12

Type

Unauthorized Access Attempt

Vulnerability description

Mozilla Firefox and SeaMonkey are vulnerable to a buffer overflow, caused by a NULL pointer dereference in the http-index-format MIME type parser (nsDirIndexParser). By persuading a victim to visit a malicious Web page, a remote attacker could overflow a buffer and execute arbitrary code on the system with the privileges of the victim or cause the browser to crash.

How to remove this vulnerability

Refer to MFSA 2008-54 for patch, upgrade or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

References

MFSA 2008-54
Buffer overflow in http-index-format parser
http://www.mozilla.org/security/announce/2008/mfsa2008-54.html

Bugzilla@Mozilla - Bug 443299
(CVE-2008-0017) Investigate possible buffer overflow in nsDirIndexParser
https://bugzilla.mozilla.org/show_bug.cgi?id=443299

IBM Internet Security Systems Protection Advisory November 13, 2008
Mozilla Unchecked Allocation Remote Code Execution
http://www.iss.net/threats/311.html

Sun Alert ID: 256408
Multiple Security Vulnerabilities in Firefox Versions Before 2.0.0.19 May Allow Execution of Arbitrary Code or Access to Unauthorized Data
http://sunsolve.sun.com/search/document.do?assetkey=1-66-256408-1

NORTEL BULLETIN ID: 2009009505, Rev 1
Nortel Response to Sun Alert 256408 - Solaris 10 - Vulnerabilities in Firefox May Allow Execution of Arbitrary Code
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&DocumentOID=909495&poid=

ISS X-Force
Mozilla Firefox and SeaMonkey http-index-format parser buffer overflow
http://www.iss.net/security_center/static/42089.php

CVE
CVE-2008-0017
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0017