|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
iDefense Security Advisory 10.28.09
http://labs.idefense.com/intelligence/vulnerabilities/
Oct 28, 2009
I. BACKGROUND
Firefox is the Mozilla Foundation's open source internet web browser.
Among the browser's capabilities is the display of GIF images. GIF is a
widely used image format with features such as loss-less compression,
animation and color palettes. For more information, visit the URLs
shown below.
http://www.mozilla.com/firefox/
http://en.wikipedia.org/wiki/Graphics_Interchange_Format
II. DESCRIPTION
Remote exploitation of a buffer overflow in the Mozilla Foundation's
libpr0n image processing library allows attackers to execute arbitrary
code.
The libpr0n GIF parser was designed using a state machine which is
represented as a series of switch/case statements. One particularly
interesting state, 'gif_image_header', is responsible for interpreting
a single image/frame description record. A single GIF file may contain
many images, each with a different color map associated.
The problem lies in the handling of changes to the color map of
subsequent images in a multiple-image GIF file. Memory reallocation is
not managed correctly and can result in an exploitable heap overflow
condition.
III. ANALYSIS
Exploitation of this vulnerability results in the execution of arbitrary
code with the privileges of the user running the vulnerable application.
To exploit this vulnerability, a targeted user must load a malicious Web
page created by an attacker. An attacker typically accomplishes this via
social engineering or injecting content into compromised, trusted sites.
IV. DETECTION
iDefense confirmed the existence of this vulnerability using Mozilla
Firefox versions 3.0.13 and 3.5.2 on 32-bit Windows XP SP3. Other
versions, and potentially other applications using libpr0n, are
suspected to be vulnerable.
V. WORKAROUND
Although it is not widely viewed as a viable workaround, disabling
automatic image loading can prevent exploitation of this vulnerability.
The following steps explains how to disable this setting on Firefox
3.0.x.
1. From the "Tools" menu, select "Options"
2. Navigate to the "Content" settings.
3. Ensure that "Load images automatically" is not checked.
VI. VENDOR RESPONSE
Mozilla has released a patch which fixes this issue in Firefox 3.5.4,
Firefox 3.0.15, and SeaMonkey 2.0. Information about downloadable
vendor updates can be found by clicking on the URL shown.
http://www.mozilla.com/en-US/firefox/ie.html
VII. CVE INFORMATION
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2009-3373 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.
VIII. DISCLOSURE TIMELINE
08/20/2009 - Initial Vendor Notification
10/27/2009 - Vendor Public Disclosure
10/28/2009 - iDefense Public Disclosure
IX. CREDIT
This vulnerability was reported to iDefense by regenrecht.
Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php
Free tools, research and upcoming events
http://labs.idefense.com/
X. LEGAL NOTICES
Copyright =A9 2009 iDefense, Inc.
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without the express
written consent of iDefense. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically,
please e-mail customerservice@idefense.com for permission.
Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect, or consequential loss or damage arising from use of, or
reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iD8DBQFK6J6Ybjs6HoxIfBkRAn01AKDDafS/+W3ifh/UXOfAMQgGpk/YGgCfc0Uo
4FncE3T7P7SeNFaDcuNg3G8=/3we
-----END PGP SIGNATURE-----