A remote overflow exists in multiple versions of Mozilla Firefox, Mozilla Network Security Services (NSS), Mozilla SeaMonkey, and Mozilla Thunderbird. The vulnerability is due to an error in the Network Security Services (NSS) code that can occur when processing certain SSLv2 server messages. The products fail to properly process SSL server certificates which possess an RSA public key that is too small to encrypt the entire SSLv2 "Master Secret". This may result in a heap-based overflow and may allow an attacker to execute arbitrary code, resulting in a loss of integrity and/or availability.
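As an added illustration (not code from this advisory or from NSS itself) of the size relationship the description above turns on: a PKCS#1 v1.5 type-2 block carries 3 fixed bytes (0x00, 0x02, and the 0x00 separator) plus at least 8 bytes of non-zero padding in addition to the data, so an RSA modulus shorter than the secret length plus 11 bytes cannot hold the encrypted secret. The C below applies the same kind of check the NSS fix in the Technical section adds, `modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)`, before allocating and filling the block, and returns NULL for an undersized key instead of writing past the buffer. Function names, the 48-byte sample secret and the xorshift padding generator are the example's own assumptions; RSA_BLOCK_MIN_PAD_LEN is the constant named in the advisory, with PKCS#1's minimum of 8.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* PKCS#1 v1.5 type-2 layout of an RSA input block:
 *   0x00 | 0x02 | at least 8 non-zero padding bytes | 0x00 | data
 * so 3 fixed bytes plus a minimum of 8 padding bytes must fit alongside the data.
 * The name follows the advisory's patch; the value 8 is PKCS#1's minimum. */
#define RSA_BLOCK_MIN_PAD_LEN 8
#define RSA_BLOCK_OVERHEAD (3 + RSA_BLOCK_MIN_PAD_LEN)

/* 1 when a key of modulus_len bytes can carry data_len bytes, else 0.
 * The addition sits on the data side so a tiny modulus_len cannot underflow. */
int block_fits(size_t modulus_len, size_t data_len)
{
    if (data_len > SIZE_MAX - RSA_BLOCK_OVERHEAD)
        return 0;                      /* guard the addition itself */
    return modulus_len >= data_len + RSA_BLOCK_OVERHEAD;
}

/* How many bytes a copy that skipped the check would write past the end of a
 * modulus_len-byte block: the data plus the 3 fixed bytes minus the room available.
 * 0 means the bytes fit physically, though not necessarily with valid padding. */
size_t bytes_past_end(size_t modulus_len, size_t data_len)
{
    size_t need = data_len + 3;
    return need > modulus_len ? need - modulus_len : 0;
}

/* Builds the block into a freshly allocated buffer of exactly modulus_len bytes.
 * Returns NULL, as the patched NSS routine does, when the key is too small rather
 * than writing beyond the buffer. Caller frees. Padding comes from an xorshift
 * generator so the example is reproducible; real code must use a CSPRNG. */
unsigned char *format_pkcs1_type2_block(size_t modulus_len,
                                        const unsigned char *data, size_t data_len)
{
    if (!block_fits(modulus_len, data_len))
        return NULL;
    unsigned char *block = malloc(modulus_len);
    if (block == NULL)
        return NULL;
    size_t pad_len = modulus_len - data_len - 3;   /* >= RSA_BLOCK_MIN_PAD_LEN here */
    uint32_t s = 0x9E3779B9u;                       /* example-only PRNG seed */
    unsigned char *bp = block;
    *bp++ = 0x00;
    *bp++ = 0x02;
    for (size_t i = 0; i < pad_len; i++) {
        unsigned char b;
        do {                               /* padding must be non-zero: 0x00 marks the data */
            s ^= s << 13; s ^= s >> 17; s ^= s << 5;
            b = (unsigned char)s;
        } while (b == 0);
        *bp++ = b;
    }
    *bp++ = 0x00;
    memcpy(bp, data, data_len);            /* lands exactly at block + modulus_len - data_len */
    return block;
}

/* Offset of the data inside a well-formed block, or -1 if the layout is wrong. */
long pkcs1_type2_data_offset(const unsigned char *block, size_t modulus_len)
{
    if (modulus_len < RSA_BLOCK_OVERHEAD || block[0] != 0x00 || block[1] != 0x02)
        return -1;
    size_t i = 2;
    while (i < modulus_len && block[i] != 0x00)
        i++;
    if (i == modulus_len || i - 2 < RSA_BLOCK_MIN_PAD_LEN)
        return -1;                         /* no separator, or fewer than 8 pad bytes */
    return (long)(i + 1);
}

/* Constructed scenario: a 48-byte secret fits a 64-byte (512-bit) modulus, but a
 * 56-byte modulus leaves no room for the 8 padding bytes and a 40-byte modulus
 * cannot even hold the data. Returns 1 when every expectation holds. */
int demo_scenarios(void)
{
    unsigned char secret[48];
    for (size_t i = 0; i < sizeof secret; i++)
        secret[i] = (unsigned char)(0xA0 + i);   /* constructed sample, not a real secret */

    if (format_pkcs1_type2_block(56, secret, sizeof secret) != NULL) return 0;
    if (format_pkcs1_type2_block(40, secret, sizeof secret) != NULL) return 0;
    unsigned char *b = format_pkcs1_type2_block(64, secret, sizeof secret);
    if (b == NULL) return 0;
    long off = pkcs1_type2_data_offset(b, 64);
    int ok = off == 16 && memcmp(b + off, secret, sizeof secret) == 0;
    free(b);
    return ok;
}

int main(void)
{
    printf("48-byte secret: 64-byte key fits=%d, 56-byte fits=%d, 40-byte overrun=%zu bytes\n",
           block_fits(64, 48), block_fits(56, 48), bytes_past_end(40, 48));
    return demo_scenarios() ? 0 : 1;
}
```

The 56-byte case is the one worth noticing: the secret and the three fixed bytes fit physically, so only the minimum-padding term in the check rejects it, which is why the fix compares against `data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)` rather than just `data->len + 3`.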
Classification
Location: Remote/Network Access Required
Attack Type: Input Manipulation
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Available
Disclosure: OSVDB Verified
Technical
Support for SSLv2 is disabled in Firefox 2 due to other known weaknesses in the protocol; Firefox 2 is not vulnerable unless the user has modified hidden internal NSS settings to re-enable SSLv2 support.
Below is the NSS CVS change that fixes the vulnerability: =================================================================== Index: sslcon.c =================================================================== RCS file: /cvsroot/mozilla/security/nss/lib/ssl/sslcon.c,v retrieving revision 1.34 diff -p -u -9 -r1.34 sslcon.c --- sslcon.c 14 Nov 2006 01:09:54 -0000 1.34 +++ sslcon.c 19 Dec 2006 08:08:39 -0000 @@ -1975,19 +1975,22 @@ ssl2_ClientHandleServerCert(sslSocket *s unsigned char * ssl_FormatSSL2Block(unsigned modulusLen, SECItem *data) { unsigned char *block; unsigned char *bp; int padLen; SECStatus rv; int i; - PORT_Assert (data->len <= (modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN))); + if (modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN)) { + PORT_SetError(SEC_ERROR_BAD_KEY); + return NULL; + } block = (unsigned char *) PORT_Alloc(modulusLen); if (block == NULL) return NULL; bp = block;
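Review bot: the replaced PORT_Assert is a debug-only check, so release builds carried on into the allocation and the later padLen arithmetic with a data->len that did not fit the modulusLen-byte block; the new runtime `if (modulusLen < data->len + (3 + RSA_BLOCK_MIN_PAD_LEN))` both enforces the bound in all builds and keeps the addition on the data->len side, avoiding the unsigned underflow the assert's own `modulusLen - (3 + RSA_BLOCK_MIN_PAD_LEN)` would produce for a modulusLen below 11. One thing to confirm outside the visible context: ssl_FormatSSL2Block now returns NULL for two different reasons (SEC_ERROR_BAD_KEY here, allocation failure from PORT_Alloc just below), so the caller in ssl2_ClientHandleServerCert should treat either as a fatal handshake error and rely on the error code, not the NULL, to distinguish them.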
Solution
Upgrade to the following versions of the affected products, as these versions have been reported to fix this vulnerability:
Mozilla Network Security Services (NSS): version 3.11.5 or higher
Mozilla Firefox: version 2.0.2 or higher
Mozilla Thunderbird: version 1.5.0.10 or higher
Mozilla SeaMonkey: version 1.0.8 or higher
It is also possible to correct the flaw by implementing the following workaround(s): Disable the SSLv2 protocol in any product that has not already done so.
In Mozilla Firefox 1.5:
1) Click on the Advanced icon in the Options/Preferences dialog.
2) On the Security tab, uncheck the box next to "Use SSL 2.0".
3) Click the "OK" button.
In Mozilla Thunderbird 1.5:
1) Click on the Advanced icon in the Options/Preferences dialog.
2) Click the "Config Editor..." button.
3) Type ssl2 in the Filter field.
4) Double-click security.enable_ssl2 to change the value to false and close the window.
Mozilla Network Security Services (NSS): Disable the SSLv2 protocol.