Netscape/Mozilla SOAPParameter Constructor Integer Overflow Vulnerability www.idefense.com/application/poi/display?id=117&type=vulnerabilities August 2, 2004
iDEFENSE Security Advisory 08.02.04: I. BACKGROUND SOAP is an XML-based messaging protocol which defines a set of rules for structuring messages, and can be used for web based applications. II. DESCRIPTION Improper input validation to the SOAPParameter object constructor in Netscape and Mozilla allows execution of arbitrary code. The SOAPParameter object's constructor contains an integer overflow which allows controllable heap corruption. A web page can be constructed to leverage this into remote execution of arbitrary code. III. ANALYSIS Successful exploitation allows the remote attacker to execute arbitrary code in the context of the user running the browser. IV. DETECTION Netscape version 7.0 and 7.1 have been confirmed to be vulnerable. Mozilla 1.6 is also vulnerable to this issue. It is suspected that earlier versions of both browsers may also be vulnerable. Netscape 7.1 is the latest version of Netscape available. Netscape have not released any information indicating they are intending to release future versions of the Netscape browser, and no longer have any developers working on this project. The latest release of the Mozilla browser, 1.7.1, is not affected by this vulnerability. The Mozilla browser may be considered as an alternative to Netscape. V. WORKAROUNDS Disable Javascript in the browser. Consider upgrading to the latest version of Mozilla. VI. VENDOR RESPONSE Mozilla 1.7.1 is available for download at: http://www.mozilla.org/products/mozilla1.x/ VII. CVE INFORMATION The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0722 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. VIII. DISCLOSURE TIMELINE 01/17/2004 Exploit acquired by iDEFENSE. 03/05/2004 Bug sent to Netscape Security Bug form at http://cgi.netscape.com/cgi-bin/bug-security.cgi 03/05/2004 Bug entered into bugzilla.mozilla.org http://bugzilla.mozilla.org/show_bug.cgi?id=236618 03/05/2004 iDEFENSE clients notified 07/09/2004 Patch submitted into Mozilla source tree. http://bugzilla.mozilla.org/show_bug.cgi?id=236618#c22 08/02/2004 Public disclosure IX. CREDIT zen-parse (zen-parse at gmx.net) is credited with this discovery. X. LEGAL NOTICES Copyright (c) 2004 iDEFENSE, Inc. Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without the express written consent of iDEFENSE. If you wish to reprint the whole or any part of this alert in any other medium other than electronically, please email [EMAIL PROTECTED] for permission. Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html