Title: Netscape GIF Image Netscape Extension 2 Buffer Overflow
Criticality: High
Affected software: Netscape 6/7 and K-Meleon web browser
Non-affected: Netscape Browser 8.0 and newer (since 19th May, 2005)
Platforms tested: Windows XP Professional US
Author: Juha-Matti Laurio info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 23rd April, 2005
Advisory ID: N/A (#2)
Location URL: http://www.networksecurity.fi/advisories/netscape-gif.html (HTML)
CVE reference: CAN-2005-0399 assigned for Mozilla Suite and Mozilla Firefox,
check http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0399 for an updated version
Overview:
A new remotely exploitable vulnerability has been reported in Netscape and K-Meleon, which can be exploited by malicious people to compromise a user's system.
Details:
The vulnerability allows remote attackers to execute arbitrary code via the GIF decoder's handling of the Netscape extension 2 block (GIF2.cpp). This decoder is used in the Mozilla Firefox, Mozilla Suite, Netscape and K-Meleon browsers, and the same Netscape extension 2 code is used in the Mozilla Thunderbird e-mail client as well.
A boundary error in the GIF image processing module can be exploited to cause a heap-based buffer overflow via a specially crafted .GIF image.
This is a buffer overflow vulnerability.
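As an added example, not part of this advisory and not code from the Netscape or Mozilla decoder: a defensive pre-screening parser in Python that walks a GIF's block structure and flags NETSCAPE2.0 application-extension sub-blocks that deviate from the expected 3-byte loop-count form, or sub-block lengths that run past the end of the file, before the image is handed to a decoder. The exact malformation in the researcher's PoC is not described on this page, so the checks are structural only; the sample GIF files are constructed for the example.

```python
import struct
NETSCAPE_APP_ID = b"NETSCAPE2.0"  # application identifier + authentication code

def _sub_blocks(data, pos):
    """Collect (offset, payload) data sub-blocks from pos; return (blocks, next_pos)."""
    blocks = []
    while True:
        n = data[pos]                   # IndexError here means the chain is truncated
        if n == 0:                      # block terminator
            return blocks, pos + 1
        if pos + 1 + n > len(data):
            raise ValueError("sub-block at %d declares %d bytes but file ends" % (pos, n))
        blocks.append((pos, data[pos + 1:pos + 1 + n]))
        pos += 1 + n

def scan_gif(data):
    """Report truncated sub-block chains and NETSCAPE2.0 sub-blocks that are not
    the expected 3-byte form (ID 0x01 followed by a 16-bit loop count)."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        return ["not a GIF header"]
    findings, pos = [], 13
    if data[10] & 0x80:                 # skip the global colour table
        pos += 3 * (2 << (data[10] & 7))
    try:
        while pos < len(data) and data[pos] != 0x3B:   # 0x3B = trailer
            tag = data[pos]
            if tag == 0x21:             # extension: label byte, then sub-blocks
                label = data[pos + 1]
                blocks, pos = _sub_blocks(data, pos + 2)
                if label == 0xFF and blocks and blocks[0][1] == NETSCAPE_APP_ID:
                    for off, payload in blocks[1:]:
                        if len(payload) != 3 or payload[0] != 1:
                            findings.append("malformed NETSCAPE2.0 sub-block at %d: %s" % (off, payload.hex()))
            elif tag == 0x2C:           # image descriptor + optional local colour table
                lpacked = data[pos + 9]
                pos += 10 + (3 * (2 << (lpacked & 7)) if lpacked & 0x80 else 0)
                _, pos = _sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
            else:
                findings.append("unknown block tag 0x%02x at %d" % (tag, pos))
                break
    except (ValueError, IndexError) as e:
        findings.append("truncated GIF: %s" % e)
    return findings

# Constructed samples (not from the advisory): well-formed; a NETSCAPE2.0 sub-block declaring 5 bytes instead of 3; a file cut off inside the extension.
HEADER = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0, 0, 0)
IMAGE = b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x44\x01\x00"
GOOD_GIF = HEADER + b"\x21\xFF\x0BNETSCAPE2.0\x03\x01\x00\x00\x00" + IMAGE + b"\x3B"
BAD_GIF = HEADER + b"\x21\xFF\x0BNETSCAPE2.0\x05\x01\x00\x00\x00\x00\x00" + IMAGE + b"\x3B"
TRUNCATED_GIF = HEADER + b"\x21\xFF\x0BNETSCAPE2.0\x03\x01"
```

Running scan_gif over each sample returns an empty list for GOOD_GIF and one finding each for BAD_GIF and TRUNCATED_GIF; a mail gateway or proxy could apply the same check to quarantine suspicious images.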
Result:
The browser crashed and the following dialog box appeared:
"Netscp.exe has encountered a problem and needs to close. We are sorry for the inconvenience.
If you were in the middle of something, the information you were working on might be lost.
For more information about this error, [click here].
[Close]"
The K-Meleon web browser is affected too because of the shared codebase.
The K-Meleon developer team has confirmed the vulnerability. It is possible to update the Gecko engine of a recent K-Meleon build using an up-to-date Mozilla Suite 1.7.7 nightly version; Mozilla versions 1.7.6 and later are immune to this issue. This has not been tested by the researcher, however.
Download link:
http://rapidshare.de/files/1388299/K-Meleon0.9-GRE-1.7.7-modified-2.zip.html
The K-Meleon roadmap plans to publish version 0.9.5, based on the Mozilla 1.8 codebase, later.
Tested software versions:
Netscape 7.2
Exact user-agent in use: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
Netscape 6.2.3
Exact user-agent in use: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:0.9.4.1) Gecko/20020508 Netscape6/6.2.3
K-Meleon 0.9
Exact user-agent in use: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9
Solution:
It is recommended to use another web browser (Firefox 1.0.3 is not affected). If this is not possible, the following workaround is provided by the researcher:
Workaround:
Disable GIF image support:
Edit / Preferences... / Advanced / System: clear the 'GIF images' selection under 'Windows should use Netscape to open these file type'.
Select 'OK' to save changes.
Do not open GIF images from untrusted sources.
This workaround is tested by the researcher.
Update: Upgrade to Netscape Browser 8.0 or newer:
http://browser.netscape.com/ns8/download/default.jsp
References:
http://secunia.com/advisories/15103/
http://www.mozilla.org/security/announce/mfsa2005-30.html
https://bugzilla.mozilla.org/show_bug.cgi?id=285595
http://www.ficora.fi/suomi/tietoturva/varoitukset/varoitus-2005-28.htm (in Finnish)
Timeline:
23-04-2005 Vulnerability discovered
23-04-2005 Vendor (Netscape Communications) contacted
23-04-2005 Security companies informed
25-04-2005 Link to Proof of Concept sample .GIF picture sent to security companies
This PoC file will not be published in the future.
25-04-2005 Security companies informed that Netscape 6.2.3 is affected as well
26-04-2005 More security companies and CERT-FI informed
26-04-2005 Vendor (K-Meleon developer team) informed
26-04-2005 Advisory published
26-04-2005 Security companies informed that K-Meleon 0.9 is affected as well
19-05-2005 Vendor issues fix. Security companies and CERT-FI informed about the Netscape 8.0 release. CERT Finland released an updated advisory (see References)
20-05-2005 New tests done with Netscape 8.0.1.
21-05-2005 More security companies informed
Revision history:
04-05-2005 1.0: Researcher's advisory published
18-05-2005 1.1: Updated advisory and added more information about K-Meleon
19-05-2005 1.2: Netscape 8.0 released. Updated advisory
20-05-2005 1.3: Netscape 8.0.1 released. Updated advisory
21-05-2005 1.4: Updated advisory
Copyright © Networksecurity.fi and Juha-Matti Laurio 2005
Best regards,
Juha-Matti Laurio
IT security researcher
Finland
www.networksecurity.fi