SecurityTracker.com
Category:  Application (Instant Messaging/IRC/Chat)  >  ChatZilla Vendors:  Mozilla.org
ChatZilla 'irc://' Server Name Buffer Overflow Let Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1008301
CVE Reference:  GENERIC-MAP-NOMATCH
Date:  Nov 26 2003
Impact:  Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via network
Fix Available:  Yes   Exploit Included:  Yes  
Version(s): 0.9.35
Description:  A buffer overflow vulnerability was reported in ChatZilla. A remote user can execute arbitrary code on the target user's system.

dr_insane reported that ChatZilla does not validate the length of a server name. A remote user can generate an 'irc://' URL containing a specially crafted server name of greater than 40 kB in length that, when loaded by the target user, will trigger the buffer overflow. An exploit URL can be of the following form:

irc://[40kb long string]

It is also reported that there is a buffer overflow in the processing of the /Nick command. A local user can type a specially crafted /Nick command to cause the system to crash.
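The missing check the advisory describes is a bound on the server-name component of an irc:// URL before it is copied into a fixed-size buffer. The following is an added illustration, not ChatZilla's or Mozilla's code: `parse_irc_server`, `irc_url_server_ok`, `oversized_url_is_rejected` and the 255-byte `MAX_SERVER_NAME` limit (taken from the RFC 1035 DNS name cap) are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative limit (not from ChatZilla): RFC 1035 caps a DNS name at
 * 255 octets, so a 40 kB server name like the advisory's is never valid. */
#define MAX_SERVER_NAME 255

/* Copy the server-name part of an irc:// URL into a fixed-size buffer,
 * refusing input that does not fit instead of overrunning the buffer.
 * Returns 1 on success, 0 for a malformed URL or an oversized name. */
int parse_irc_server(const char *url, char *out, size_t outlen)
{
    static const char prefix[] = "irc://";
    size_t plen = sizeof prefix - 1;
    if (url == NULL || out == NULL || outlen == 0) return 0;
    if (strncmp(url, prefix, plen) != 0) return 0;
    const char *host = url + plen;
    /* the server name ends at the first ':' (port), '/' (path) or NUL */
    size_t hlen = strcspn(host, ":/");
    if (hlen == 0 || hlen > MAX_SERVER_NAME || hlen >= outlen) return 0;
    memcpy(out, host, hlen);
    out[hlen] = '\0';
    return 1;
}

/* Convenience wrapper: does `url` carry an acceptable server name? */
int irc_url_server_ok(const char *url)
{
    char name[MAX_SERVER_NAME + 1];
    return parse_irc_server(url, name, sizeof name);
}

/* Build a constructed irc:// URL whose server name is n bytes of 'A'
 * (the advisory's case is n = 40 kB) and check that the parser rejects it. */
int oversized_url_is_rejected(size_t n)
{
    char *url = malloc(6 + n + 1);
    if (url == NULL) return 0;
    memcpy(url, "irc://", 6);
    memset(url + 6, 'A', n);
    url[6 + n] = '\0';
    int rejected = !irc_url_server_ok(url);
    free(url);
    return rejected;
}

int main(void)
{
    printf("%d\n", irc_url_server_ok("irc://irc.example.net:6667/#chan")); /* 1 */
    printf("%d\n", oversized_url_is_rejected(40 * 1024));                   /* 1 */
    return 0;
}
```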

Impact:  A remote user can create a URL that, when loaded by the target user, will cause arbitrary code to be executed on the target user's system.
Solution:  The author reports that version 0.9.45 is not vulnerable.

[Editor's note: The Revision History at http://www.hacksrus.com/~ginda/chatzilla/revs.html makes no mention of these flaws.]

Vendor URL:  www.mozilla.org/projects/rt-messaging/chatzilla/
Cause:  Boundary error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  Tested on Windows and Mac OS
Reported By:  dr_insane@pathfinder.gr
Message History:   None.


 Source Message Contents

Date:  Tue, 25 Nov 2003 14:09:22 +0200
From:  "Γιάννης Πομώνης" <dr_insane@pathfinder.gr>
Subject:  [0day] dr_insane||Chatzilla 0.9.35 Multiple Bugs

Security  :: Advisory  - Chatzilla 0.9.35 Multiple buffer overflows


Vulnerable
----------
Chatzilla 0.9.35 and all tested prior versions. Last version doesn't seem vulnerable.

Affected systems:
-----------------
Windows(all versions)
Mac OS

Impact
------
High. These buffer overflows allow arbitrary code to be executed on the victim's machine.


Details
--------
Chatzilla is an IRC client that comes by default with every version of the Mozilla browser for Windows and Mac OS. The problem is that Chatzilla does not check the length of characters for a server to connect to. Sending a server name for Chatzilla to connect to that is over 40 kB long allows overwriting of a key variable. There is also another buffer overflow in the /Nick command. Sending again about 40 kB will crash the system.

Demonstration(1):
-----------------
Type in Mozilla browser: irc://[40kb long string]. (hmm! this looks like the bug in mIRC.)
//[crash]//

Demonstration(2):
-----------------
Open Chatzilla and type: /nick [40kb long nick]
//[crash]//

pr00f of concept exploit:
-------------------------
Get it on: http://members.lycos.co.uk/r34ct/

Solution:
---------
Upgrade to Chatzilla 0.9.45

credit:
-------
dr_insane@pathfinder.gr
http://members.lycos.co.uk/r34ct/

_______________________________________________
0day mailing list
0day@nothackers.org
http://nothackers.org/mailman/listinfo/0day


Copyright 2003, SecurityGlobal.net LLC