Information Assurance

Milen Dinkov



Bugtraq Analysis

Mozilla Vulnerabilities

CVE-2006-0748

Details:

A remote attacker could craft malicious web pages that would leverage these issues to inject and execute arbitrary script code with elevated privileges, steal local files, cookies or other information from web pages, and spoof content. Some of these vulnerabilities might even be exploited to execute arbitrary code with the rights of the browser user.

DoS:

The Mozilla Firefox Web browser is vulnerable to Denial of Service (DoS) attacks, which can occur because of malformed HTML tags or specific coding of IFRAME tags. The first DoS condition occurs when a "link" tag for a stylesheet contains an undefined path. The second DoS condition, which affects both Firefox and Thunderbird, occurs when "strong" tags and "sourcetext" tags are mismatched. The third DoS condition occurs when an IFRAME tag contains an excessively large width parameter.

Table Tags:

An anonymous researcher for TippingPoint and the Zero Day Initiative reports that an invalid and nonsensical ordering of table-related tags causes Mozilla to use a negative array index. This invalid memory use can be exploited to run code of the attacker's choice. The specific flaw exists within the routine RebuildConsideringRows(), during the rebuilding of the table tags. When the Mozilla engine attempts to fix the malformed table, an attacker can trigger a memory corruption that can lead to code execution from user-supplied data.
This vulnerability allows attackers to execute arbitrary code on Mozilla/Firefox web browser and Thunderbird e-mail client. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious e-mail.
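
The bug class described above (an array index derived from input that goes negative), shown as an added example beside its bounds-checked form. This is not Mozilla's code: the row_map structure, the function names and the (start_row, delta) input are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ROWS 8

/* Hypothetical row map: cell count per table row (not Mozilla's structure). */
struct row_map { int cells[MAX_ROWS]; };

/* Unchecked form: the computed index is trusted. A negative index writes
 * before cells[], which is the memory-corruption class described above. */
void add_cell_unchecked(struct row_map *m, int start_row, int delta)
{
    m->cells[start_row + delta]++;
}

/* Checked form: widen before adding so the sum cannot overflow, then reject
 * anything outside [0, MAX_ROWS). Returns 0 on success, -1 if rejected. */
int add_cell_checked(struct row_map *m, int start_row, int delta)
{
    long long idx = (long long)start_row + delta;
    if (idx < 0 || idx >= MAX_ROWS)
        return -1;
    m->cells[idx]++;
    return 0;
}

/* Rebuild the map from (start_row, delta) pairs; returns how many were rejected. */
int rebuild_rows(struct row_map *m, const int ops[][2], size_t n)
{
    int rejected = 0;
    memset(m, 0, sizeof *m);
    for (size_t i = 0; i < n; i++)
        if (add_cell_checked(m, ops[i][0], ops[i][1]) != 0)
            rejected++;
    return rejected;
}

int main(void)
{
    /* Constructed input: the third and fourth pairs model malformed ordering. */
    const int ops[][2] = { {0, 0}, {1, 0}, {0, -1}, {2, 7}, {3, 1} };
    struct row_map m;
    int rejected = rebuild_rows(&m, ops, sizeof ops / sizeof ops[0]);
    printf("rejected=%d row0=%d row4=%d\n", rejected, m.cells[0], m.cells[4]);
    return 0;
}
```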

Affected Products:

Firefox 1.5 - 1.5.0.1
Firefox 1.0 - 1.0.7
Thunderbird 1.5 - 1.5.0.1
Thunderbird 1.0 - 1.0.7
SeaMonkey 1.0
Mozilla Suite 1.7 - 1.7.12
Possibly Netscape, which shares some of its source code with Firefox.


Workaround:

Upgrade to fixed version.
Although JavaScript is not involved in the vulnerability itself, disabling JavaScript may prevent an attacker from effectively preparing memory in order to carry out the exploit.

Vendor Response:

Mozilla has issued an update to correct this vulnerability. Further details are available at:
http://www.mozilla.org/security/announce/2006/mfsa2006-27.html

Disclosure Timeline:

2006.02.28 – Vulnerability reported to vendor
2006.04.24 – Public release of advisory