Mozilla 1.7.2 non-ascii hostname heap overrun
---------------------------------------------

More information about this bug, including a sample exploit (crash only),
can be found in the Bugzilla entry:
http://bugzilla.mozilla.org/show_bug.cgi?id=256316

How to reproduce:

- Put a non-ASCII character in a long hostname in a URL, e.g.
  http://AAAAAAAAAAAAAAèAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
  (try different lengths).
- The UTF-8 conversion of the hostname is called and fails, but returns a
  success status code. As a result the variable approxLen is incremented by 0
  instead of by strlen(mHost) (this is the bug).
- A buffer is allocated with length approxLen + 32, which is too short.
- mHost is then copied into this buffer
  --> HEAP BUFFER OVERFLOW WITH ARBITRARY DATA SUPPLIED IN THE HOSTNAME BY
  THE ATTACKER.

I verified that on Windows systems the bug leads to MOV [EAX], ECX where we
control EAX and ECX (0x41414141), which is the common situation in
exploitable heap overflows.

I think all OSes are vulnerable, and that this bug can be exploited when
viewing a website or when clicking on a link in an email.

Gaël Delalleau

The original version of this document can be found at:
http://www.zencomsec.com/advisories/mozilla-1.7.2-UTF8link.txt
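The length-estimation sequence described above, as an added C model written for this page; it is not Mozilla's code, and the names host_to_utf8_len, NS_OK, vulnerable_alloc_size and fixed_alloc_size are assumptions. The model reproduces the faulty pattern (a conversion that fails on a non-ASCII byte yet reports success, so approxLen grows by 0 and the buffer is sized at approxLen + 32) next to a hardened variant that treats the failed conversion as fatal. To stay safe to run it measures how many bytes the copy of mHost would overrun the allocation by instead of performing the memcpy; the sample hostnames are constructed for the demo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed status codes, standing in for the real ones. */
#define NS_OK            0
#define NS_ERROR_FAILURE 1

/* Constructed sample hostnames (not from the advisory): 30 'A's, the
 * UTF-8 encoding of U+00E8 (0xC3 0xA8), then 30 more 'A's; and a plain
 * ASCII host for comparison. The literal is split so the hex escape does
 * not swallow the following 'A's. */
#define TEN_A "AAAAAAAAAA"
const char *const kBadHost  = TEN_A TEN_A TEN_A "\xC3\xA8" TEN_A TEN_A TEN_A;
const char *const kGoodHost = "www.example.org";

/* Model of the hostname-to-UTF-8 step. For an all-ASCII host it reports the
 * length that will be copied. On the first non-ASCII byte the conversion
 * "fails": the buggy variant still returns NS_OK with *out_len left at 0,
 * which is exactly the behaviour the advisory describes. */
static int host_to_utf8_len(const char *host, size_t *out_len, int buggy)
{
    for (const unsigned char *p = (const unsigned char *)host; *p; p++) {
        if (*p & 0x80) {
            *out_len = 0;
            return buggy ? NS_OK : NS_ERROR_FAILURE;
        }
    }
    *out_len = strlen(host);
    return NS_OK;
}

/* Allocation size as the vulnerable code computes it: approxLen only grows
 * by the converted length, and the buffer is approxLen + 32 bytes. */
size_t vulnerable_alloc_size(const char *host)
{
    size_t approx_len = 0, n = 0;
    if (host_to_utf8_len(host, &n, 1) == NS_OK)
        approx_len += n;            /* adds 0 after a failed conversion: the bug */
    return approx_len + 32;
}

/* Hardened variant: a failed conversion aborts spec construction (returns 0)
 * and the buffer is otherwise sized from the bytes that will be copied. */
size_t fixed_alloc_size(const char *host)
{
    size_t approx_len = 0, n = 0;
    if (host_to_utf8_len(host, &n, 0) != NS_OK)
        return 0;
    approx_len += n;
    return approx_len + 32;
}

/* Bytes by which copying host (plus its NUL) into a buffer of buf_size
 * would overrun it. The real code does the copy; this only measures it. */
size_t overrun_bytes(const char *host, size_t buf_size)
{
    size_t need = strlen(host) + 1;
    return need > buf_size ? need - buf_size : 0;
}

int main(void)
{
    const char *hosts[] = { kGoodHost, kBadHost };
    for (size_t i = 0; i < 2; i++) {
        size_t vuln = vulnerable_alloc_size(hosts[i]);
        size_t fixd = fixed_alloc_size(hosts[i]);
        printf("host len %zu: vulnerable alloc %zu (overrun %zu bytes), "
               "fixed alloc %zu%s\n",
               strlen(hosts[i]), vuln, overrun_bytes(hosts[i], vuln),
               fixd, fixd ? "" : " (conversion rejected)");
    }
    return 0;
}
```

For the 62-byte non-ASCII host the vulnerable path allocates only 32 bytes, so the copy would write 31 bytes past the end of the heap chunk; lengthening the run of 'A's simply enlarges the overrun, which is why the advisory suggests trying different lengths.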