J-Security Center

Title: Mozilla Browser Non-ASCII Hostname Heap Overflow Vulnerability

Severity: HIGH

Description:

Mozilla is prone to a remotely exploitable heap overflow that is exposed when the browser handles non-ASCII characters in URIs.

This vulnerability occurs when UTF-8 conversion of a hostname containing non-ASCII characters fails but erroneously reports success. This causes an internal variable, approxLen, to be incremented by 0 instead of by the value of strlen(mHost). Subsequently, a buffer is allocated based on approxLen + 32. This destination buffer is too small to contain the source data (mHost) that will be copied into it, exposing a buffer overflow. This could permit user-supplied data to corrupt adjacent regions of heap memory, potentially allowing for execution of arbitrary code.
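The sizing error described above, modeled in C as an added example (this is not Mozilla's code): the flawed estimate is shown beside a corrected one, and the copy is bounded so the model never writes past its buffer. The function names, the stand-in converter and the sample hostname are assumptions constructed for illustration; only approxLen, mHost and the + 32 padding come from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the hostname converter: on non-ASCII input it
   produces no output yet still returns 1 (success), as the advisory describes. */
static int convert_host_utf8(const char *host, char *out, size_t outsz) {
    for (const unsigned char *p = (const unsigned char *)host; *p; p++)
        if (*p > 0x7f) { out[0] = '\0'; return 1; } /* failure reported as success */
    snprintf(out, outsz, "%s", host);
    return 1;
}

/* Flawed sizing (assumed model): trusts the return value, measures the empty output. */
size_t estimate_flawed(const char *mHost) {
    char enc[256];
    size_t approxLen = 0;
    if (convert_host_utf8(mHost, enc, sizeof enc))
        approxLen += strlen(enc);            /* adds 0 for a non-ASCII host */
    return approxLen + 32;
}

/* Corrected sizing: the estimate comes from the bytes that will actually be copied. */
size_t estimate_fixed(const char *mHost) {
    return strlen(mHost) + 32;
}

/* Bounded copy: returns NULL instead of writing past a too-small allocation. */
char *build_spec(const char *mHost, size_t cap) {
    size_t need = strlen(mHost) + 1;
    if (need > cap) return NULL;             /* the length check the copy needs */
    char *buf = malloc(cap);
    if (buf) memcpy(buf, mHost, need);
    return buf;
}

/* Constructed sample: 60 ASCII bytes followed by one non-ASCII byte. */
const char *sample_host(void) {
    static char h[62];
    memset(h, 'a', 60); h[60] = (char)0xe9; h[61] = '\0';
    return h;
}

int main(void) {
    const char *h = sample_host();
    printf("flawed=%zu fixed=%zu needed=%zu\n",
           estimate_flawed(h), estimate_fixed(h), strlen(h) + 1);
    return 0;
}
```

With the flawed estimate the 62 bytes of the sample host would be copied into a 32-byte allocation; the bounded copy rejects that case, and the corrected estimate leaves room for it.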

This issue could be exploited by enticing a user to open a hyperlink that references a malicious URI. Successful exploitation would permit remote compromise in the context of the client user.

Update: It is reported that this vulnerability also affects Netscape 7.2 for Microsoft Windows platforms; other versions might also be affected.

Affected Products:

  • Mozilla Browser 1.7.0
  • Mozilla Browser 1.7.0 rc3
  • Mozilla Browser 1.7.1
  • Mozilla Browser 1.7.2
  • Mozilla Firefox 0.8.0
  • Mozilla Firefox 0.9.0
  • Mozilla Firefox 0.9.0 rc
  • Mozilla Firefox 0.9.1
  • Mozilla Firefox 0.9.2
  • Mozilla Firefox 0.9.3
  • Mozilla Thunderbird 0.6.0
  • Mozilla Thunderbird 0.7.0
  • Mozilla Thunderbird 0.7.1
  • Mozilla Thunderbird 0.7.2
  • Mozilla Thunderbird 0.7.3
  • Netscape Navigator 7.0.0
  • Netscape Navigator 7.0.2
  • Netscape Navigator 7.1.0
  • Netscape Navigator 7.2.0
