Information Assurance

Allie Candido




Bugtraq Analysis

GIF Heap Overflow in Firefox


The Problem:

The Firefox web browser can display GIF images, a format that allows multiple images to be layered on top of each other to create an animation. Every time a new image is presented, a new color map is stored in memory for that particular image. This is handled in the switch statement of the code, in the "libpr0n" case, libpr0n being the GIF parser in Firefox. The problem behind this exploit is that the memory used by previously displayed images is not deallocated from the heap, so an attacker could keep supplying images until the heap meets the stack in memory. The attacker gets the victim to load a web page carrying a malicious image, usually through phishing, social engineering, or by embedding malicious images in compromised but trusted sites. S/he can then encode malicious code into the image maps and, once the heap becomes so full that it meets the stack, overwrite the return address at the top of the stack so that the malicious code executes. The attacker then gains the privileges of the user.

What Could Have Prevented This:

This could be prevented by deallocating the memory used to store images that have already been displayed in the browser. The overflow could then not occur, which thwarts the whole exploit.
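To make the fix concrete, here is an added illustration in C (not Mozilla's libpr0n code, and not the vulnerable code from the advisory): a minimal walk over a GIF's colour tables that frees the previous frame's map before installing the next one, and rejects a table that would overrun the input. The format constants are from the GIF89a specification; the two-frame sample image at the end is constructed for the example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t *colormap; size_t colormap_len; int frames; } gif_state;  /* one live map */

/* Install the colour table flagged in `packed`, read from d[*pos]. The previous frame's table is
   freed first, so a long animation cannot keep growing the heap, and a table that would run past
   the end of the input is rejected rather than read out of bounds. Returns 0, or -1 on error. */
static int load_colormap(gif_state *st, const uint8_t *d, size_t len, size_t *pos, uint8_t packed) {
    if (!(packed & 0x80)) return 0;                 /* no table flagged: nothing to do */
    size_t need = 3u * (1u << ((packed & 7) + 1));  /* 3 * 2^(n+1) bytes, at most 768 */
    uint8_t *buf = need <= len - *pos ? malloc(need) : NULL;
    if (!buf) return -1;                            /* truncated table or out of memory */
    memcpy(buf, d + *pos, need);
    free(st->colormap);                             /* the fix: release the previous frame's map */
    st->colormap = buf; st->colormap_len = need; *pos += need;
    return 0;
}

/* Skip data sub-blocks (size byte + data) through the 0 terminator; returns len if truncated. */
static size_t skip_subblocks(const uint8_t *d, size_t len, size_t pos) {
    while (pos < len && d[pos] != 0) pos += 1 + d[pos];
    return pos < len ? pos + 1 : len;
}

/* Walk header, screen descriptor, colour tables and blocks; returns the frame count, or -1. */
int parse_gif_colormaps(const uint8_t *d, size_t len, gif_state *st) {
    if (len < 13 || memcmp(d, "GIF", 3) != 0) return -1;
    size_t pos = 13;                                /* past the 6-byte header and 7-byte descriptor */
    if (load_colormap(st, d, len, &pos, d[10]) < 0) return -1;      /* global colour table */
    while (pos < len) {
        uint8_t b = d[pos++];
        if (b == 0x3B) return st->frames;           /* trailer */
        if (b == 0x21) pos = skip_subblocks(d, len, pos + 1);      /* extension: label + data */
        else if (b == 0x2C && pos + 9 <= len) {     /* image descriptor; packed byte is last */
            uint8_t packed = d[pos + 8]; pos += 9;
            if (load_colormap(st, d, len, &pos, packed) < 0) return -1;  /* local colour table */
            st->frames++;
            pos = skip_subblocks(d, len, pos + 1);  /* LZW min code size, then image data */
        } else return -1;
    }
    return -1;                                      /* input ended before the trailer */
}

/* Constructed two-frame GIF (not from the advisory): 2-colour global table, frame 1 with a
   2-colour local table, frame 2 with a 4-colour local table, 1x1 pixels each, then the trailer. */
static const uint8_t sample_gif[] = { 'G','I','F','8','9','a', 1,0,1,0, 0x80,0,0, 0,0,0, 255,255,255,
    0x2C, 0,0,0,0, 1,0,1,0, 0x80, 255,0,0, 0,255,0, 2, 1,0x44, 0,
    0x2C, 0,0,0,0, 1,0,1,0, 0x81, 255,0,0, 0,255,0, 0,0,255, 255,255,0, 2, 1,0x44, 0, 0x3B };
```

Parsing the full sample yields 2 frames with a 12-byte map left live; cutting the input to 30 bytes, inside the first local table, is rejected with -1 instead of being read past the end.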

Workaround:

A workaround is to turn off the option for Firefox to show images automatically. This is done through "Edit->Preferences->Content" by unchecking the box labelled "Load images automatically." If images are not loaded automatically, the user can decide whether s/he trusts an image before loading it.

Prevention in the future:

In Firefox 3.5.4, Mozilla released a patch that corrects the memory allocation.

Sources:

http://www.securiteam.com/securitynews/6S00M2KPPS.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=830