Title: Netscape/K-Meleon overly long History.dat document.title field Denial of Service vulnerability
Criticality: Medium (2/3)
Affected software: Netscape versions 8.0.4 and 7.2 and K-Meleon version 0.9 and prior
Type: Remote vulnerability
Author: Juha-Matti Laurio info [at] networksecurity.fi, juha-matti.laurio [at] netti.fi
Date: 8th December, 2005
Advisory ID: Networksecurity.fi Security Advisory (08-12-2005) (#13)
Location URL: http://www.networksecurity.fi/advisories/netscape-history.html
CVE reference: CVE-2005-4134
CVSS Severity: 5 (Medium)
* Note: This advisory includes additional profile-related information *
- Description:
Netscape Browser 8.0.4 and Netscape 7.2 are confirmed as affected by a denial of service vulnerability related to the generation of an extremely large History.dat file.
The vulnerability is caused by a design error in the handling of the profile-specific URL history file (History.dat): a web page can set an extremely long document.title, and this title is written unchecked as the page's title entry into History.dat.
This can be exploited by malicious people to cause a denial of service by persuading a user to visit a specially crafted web page.
Bloating History.dat in this way prevents use of the browser the next time it is started: the browser crashes or hangs while reading the oversized file back in (the original PoC report describes the condition as a buffer overflow).
The user has to delete the generated History.dat file manually while the browser is closed and the file is not in use. This removes the browsing history as well.
NOTE: If the QuickLaunch feature is in use, it prevents the removal of the History.dat file. Exit the QuickLaunch icon before deleting the file.
The K-Meleon browser is affected because it shares the same Gecko codebase (based on Mozilla Suite 1.7.5). History.txt is the K-Meleon project's counterpart of the Gecko-based History.dat file.
The newest versions of Mozilla Firefox and Mozilla Suite were earlier reported (reports from 8th Dec) as affected by the same issue.
- Detailed description:
A) Netscape test results:
- History.dat file information in profile folder before visiting PoC test page:
C:\Documents and Settings\[removed]\Application Data\Netscape\NSB\Profiles\[changed].default
7.46 kB
[removed] = Windows username, removed for security and privacy reasons
[changed] = random "salted" string of eight characters, changed for security and privacy reasons
After clicking the "CLICK ME" link, increased hard disk activity indicated that a History.dat file of several megabytes was being generated.
Browser Status Bar text before selecting the link: javascript:ex();
The overlong document.title field was a string of the letter 'A' (see Tab Bar). It was over 2.5 million characters long; at four bytes per character (A$00, see the file clip below) this is roughly consistent with the 9.92 MB History.dat size observed after the test.
Neither the browser window title nor the Windows Task Bar can show this title field at all. The History window, however, does show it (whether opened as a separate window or in My Sidebar).
See the following screenshot picture for details:
http://www.networksecurity.fi/advisories/NS804_History_Title_field.bmp
- History.dat file information in profile folder after re-opening the browser:
C:\Documents and Settings\[removed]\Application Data\Netscape\NSB\Profiles\[changed].default
9.92 MB
CPU usage rose sharply, the browser went into the Not Responding state and had to be killed with Windows Task Manager.
The History.dat file was deleted manually with Windows Explorer from the "salted" profile directory and the browser was started again. However, this was not necessary on every test run.
Browser started normally after deleting the History.dat file.
Sample content of the History.dat file after visiting PoC page:
---clip---
47D
=http://www.networksecurity.fi/poc/sample071205.html)(47E
=1133985864109375)(47F=networksecurity.fi)>
{1:^80 {(k^81:c)(s=9)[1(^82^80)(^84^480)(^85^81)(^88^82)(^87^83)(^86=33)]}
1
[3(^82^86)(^84^480)(^85^81)(^88^87)(^87^88)(^86=33)]
[6(^82^90)(^84^421)(^85^8A)(^88^91)(^89=1)(^87^92)(^86=25)]
---clip---
(^87
=A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A\
$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00\
A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00A$00\
The rest of the file was filled with the same 'A$00' string.
Browsing history file History.dat was known as Netscape.hst in older Netscape versions.
NOTE: The location of History.dat file is different in Netscape 7.2:
C:\Documents and Settings\[removed]\Application Data\Mozilla\Profiles\default\[changed].slt
B) K-Meleon test results:
- History.txt file information in application folder before visiting PoC page:
C:\Program Files\K-Meleon\Profiles\default\[changed].slt
208 bytes
After clicking the "CLICK ME" link the browser crashed immediately, generating a Windows Application Error dialog as well.
- History.txt file information in profile folder after re-opening the browser:
C:\Program Files\K-Meleon\Profiles\default\[changed].slt
No History.txt file exists
This can be exploited by malicious people to cause a denial of service (browser crash) by persuading a user to visit a specially crafted web page.
Generating a History.txt entry as described above causes the denial of service and browser crash immediately when the malicious page is visited.
Testing showed that the History.txt file in the "salted" profile directory under the application directory was corrupted while the title entry was being written and was deleted automatically.
A new, empty (zero-byte) History.txt file was generated automatically on the next browser start.
From the vendors:
"Speed, Flexibility and More Security Choices Than Any Other Browser. The revolutionary new Netscape Browser 8 provides more security options, streamlines more standard browsing tasks and arms internet users with more timesaving solutions to their browsing needs than any other browser."
"K-Meleon - The Browser You Control. K-Meleon is an extremely fast, customizable, lightweight web browser for the win32 (Windows) platform based on the Gecko layout engine (the rendering engine of Mozilla). K-Meleon is free, open source software released under the GNU General Public License.
Welcome to K-Meleon 0.9.12 ! - New official version
This is the original 0.9 version, updated to Mozilla 1.7.12 Standard(Gecko/20051126) with some additional features."
- Affected versions:
The vulnerability has been confirmed in versions 8.0.4 and 7.2 in Netscape and version 0.9 in K-Meleon. Other previous versions may also be affected.
User agent versions tested:
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20051012 Netscape/8.0.4
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.2) Gecko/20040804 Netscape/7.2 (ax)
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041220 K-Meleon/0.9
Software:
Netscape 8.x
Netscape 7.x
K-Meleon 0.x
- OS:
Microsoft Windows
Tests were done on Microsoft Windows 2000 Professional SP4, fully patched.
Vendor and vendor Home Pages:
A) Netscape Communications Corp.
www.netscape.com/
B) K-Meleon Project
kmeleon.sourceforge.net/
Product Home Pages:
browser.netscape.com/ns8/
channels.netscape.com/ns/browsers/default.jsp
kmeleon.sourceforge.net/
Vendors were contacted on 7th December, 2005.
Solution status:
K-Meleon Project has issued a fixed K-Meleon version 0.9.12 on 10th January, 2006.
Netscape Communications Corp. has issued a fixed Netscape version 8.1 on 25th January, 2006.
Workarounds:
Update: Add the following line to the prefs.js file in the profile folder (edit it while the browser is closed, since the browser rewrites prefs.js on exit):
user_pref("capability.policy.default.HTMLDocument.title.set","noAccess");
This denies page scripts write access to document.title, so a script can no longer push an overlong title into the History. Note that the policy covers only script access; it does not limit a title given in a page's static <title> element.
Alternatively, disable JavaScript support from Options or Preferences.
Additionally, the History.dat file can be deleted from the profile folder manually or via a script while the browser is closed; note that this removes the whole browsing history.
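The following Python script is an added example, not part of this advisory and not code from Netscape, the K-Meleon project or ZIPLOCK. Before the whole History.dat (and with it the whole browsing history) is thrown away, it checks whether the file actually contains an oversized title entry: it parses the value atoms of the Mork text format shown in the clip above, expands the $XX hex escapes (the A$00 pattern is the UTF-16 form of 'A' that Gecko uses for the title column), and moves the file aside only if some entry exceeds a threshold. Assumptions: the 100,000-character threshold, the UTF-16LE heuristic in atom_text, the limited subset of Mork syntax that is parsed, and the constructed SAMPLE_MORK input. Run it against a real profile only while the browser is closed (and the QuickLaunch icon exited), because the file is in use otherwise.

```python
import os
import re
import sys

# Mork value atom: "(ID=value)" in a dictionary or "(^ID=value)" in a row cell, as in
# the History.dat clip above. Inside a value, ')' '\' and '$' are written as '\)'
# '\\' '\$', arbitrary bytes as '$XX' (hex), and a trailing '\' continues the value
# on the next line. (Assumption: only this subset of Mork syntax is needed here.)
_ATOM_RE = re.compile(r"\(\^?([0-9A-Fa-f]+)\s*=((?:[^)\\]|\\.)*)\)", re.S)
_HEX = set("0123456789abcdefABCDEF")


def mork_decode(raw: str) -> bytes:
    """Turn the raw text of one Mork value into the bytes it encodes."""
    raw = raw.replace("\\\r\n", "").replace("\\\n", "")  # join line continuations
    out = bytearray()
    i = 0
    while i < len(raw):
        c = raw[i]
        if c == "$" and i + 2 < len(raw) and raw[i + 1] in _HEX and raw[i + 2] in _HEX:
            out.append(int(raw[i + 1:i + 3], 16))  # $XX hex escape
            i += 3
        elif c == "\\" and i + 1 < len(raw):
            out.append(ord(raw[i + 1]) & 0xFF)      # \) \\ \$ escapes
            i += 2
        else:
            out.append(ord(c) & 0xFF)  # file is read as latin-1: one char = one byte
            i += 1
    return bytes(out)


def atom_text(value: bytes) -> str:
    """Gecko writes the Name (title) column as UTF-16; on Windows that is little-endian,
    which is why an ASCII 'A' shows up as A$00. Assumption: an even-length value whose
    high bytes are mostly zero is UTF-16LE, anything else is treated as UTF-8."""
    zeros = value[1::2].count(0)
    if len(value) % 2 == 0 and zeros >= max(1, len(value) // 4):
        return value.decode("utf-16-le", "replace")
    return value.decode("utf-8", "replace")


def oversized_atoms(mork_text: str, max_chars: int):
    """Return [(atom_id, length_in_chars)] for every value atom longer than max_chars."""
    hits = []
    for m in _ATOM_RE.finditer(mork_text):
        n = len(atom_text(mork_decode(m.group(2))))
        if n > max_chars:
            hits.append((m.group(1).upper(), n))
    return hits


def scan_history_file(path: str, max_chars: int = 100_000):
    """Scan a History.dat. Assumed threshold: no genuine page title needs 100,000 chars."""
    with open(path, encoding="latin-1") as fh:
        return oversized_atoms(fh.read(), max_chars)


def quarantine(path: str) -> str:
    """Move the poisoned file aside instead of deleting it: the browser starts with a
    fresh History.dat and the old one is kept for inspection."""
    target = path + ".poisoned"
    os.replace(path, target)
    return target


# Constructed sample in the same layout as the clip above: one entry whose title is
# "Example", and one whose title is 3000 'A' characters written as A$00.
SAMPLE_MORK = (
    '// <!-- <mdb:mork:z v="1.4"/> -->\n'
    "<(47D=http://www.example.invalid/)(47E=1133985864109375)>\n"
    "{1:^80 {(k^81:c)(s=9)[1(^82^47D)(^87=E$00x$00a$00m$00p$00l$00e$00)]}\n"
    "[6(^82^47E)(^87=" + "A$00" * 3000 + ")]\n"
    "}\n"
)

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("sample scan:", oversized_atoms(SAMPLE_MORK, 1000))
        sys.exit(0)
    hist = sys.argv[1]  # e.g. the History.dat path from the profile folder above
    hits = scan_history_file(hist)  # run only while the browser is closed
    for atom_id, n in hits:
        print(f"atom ^{atom_id}: {n} characters")
    if hits:
        print("quarantined as", quarantine(hist))
    else:
        print("no oversized title entries found; History.dat left in place")
```

Without an argument the script scans the embedded sample; with the History.dat path as argument it inspects the real file and renames it to History.dat.poisoned only when an oversized entry is present, so an unaffected profile keeps its history.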
References:
kmeleon.sourceforge.net/wiki/index.php?id=ReleaseNotes0912#new
www.secunia.com/advisories/17946/
www.osvdb.org/displayvuln.php?osvdb_id=21533
www.securityfocus.com/bid/15773
www.secwatch.org/advisories/1012401/
www.addict3d.org/index.php?page=viewarticle&type=security&ID=5509
Original PoC and summary from ZIPLOCK (txt file):
www.packetstormsecurity.org/0512-exploits/firefox-1.5-buffer-overflow.txt
Networksecurity.fi online PoC page for test purposes only:
www.networksecurity.fi/poc/sample071205.html
Description of the history.dat file in Gecko browsers:
Juha-Matti Laurio: Mozilla - Netscape 7 (1993) p. 123,171 ISBN: 952-91-6457-2
Mozilla.org: "Locate your profile folder":
www.mozilla.org/support/firefox/edit#profile
CVE information:
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4134
CVSS (Common Vulnerability Scoring System) Severity level:
5 (Medium)
Credit information:
This issue was originally researched in Firefox 1.5 by ZIPLOCK (sickbeatz [at] gmail.com).
PoC code is done by ZIPLOCK.
Juha-Matti Laurio confirmed this vulnerability in Netscape and K-Meleon and has written this analysis.
Timeline:
07-Dec-2005 - Vulnerability researched and confirmed
07-Dec-2005 - Vendors contacted
07-Dec-2005 - Security companies and several CERT units contacted
07-Dec-2005 - Vendor's reply (K-Meleon developers)
08-Dec-2005 - Vulnerability confirmed in Netscape 7.2
08-Dec-2005 - Advisory published
08-Dec-2005 - Link to the published advisory sent to security companies and several CERT units
10-Jan-2006 - Vendor issues fixed K-Meleon version 0.9.12, fix confirmed
12-Jan-2006 - Security companies and CERT units informed about fixed K-Meleon version 0.9.12
13-Jan-2006 - Mitre.org, NVD, more security companies and CERT units contacted
25-Jan-2006 - Vendor issues fixed Netscape Browser version 8.1, fix confirmed
26-Jan-2006 - Mitre.org, security companies and CERT units informed about fixed Netscape Browser version 8.1
Revision history:
08-12-2005 1.0: Advisory published
08-12-2005 1.1: Updated advisory and added new references
09-12-2005 1.2: Updated advisory
09-12-2005 1.3: Updated advisory by adding new workaround, reference, new CVE and CVSS (Common Vulnerability Scoring System) severity level
12-01-2006 1.4: Updated advisory by adding information about fixed K-Meleon version 0.9.12
25-01-2006 1.5: Updated advisory by adding information about fixed Netscape Browser version 8.1
26-01-2006 1.6: Updated advisory
Local Finnish time is used.
Best regards,
Juha-Matti Laurio
security researcher
Finland
Copyright © Networksecurity.fi and Juha-Matti Laurio 2005-2006