Mozilla Prism v1.0b2 – Stack Buffer Overflow Vulnerability
This week I audited the new Mozilla Prism, which is usually described as a secure browser engine and is used by a lot of software (e.g. Zimbra Desktop). Prism is an application that lets users split web applications out of their browser and run them directly on their desktop in a secure mode. The Mozilla developers have produced one stable standalone Prism application and one add-on for the Mozilla Firefox browser.
The goal of this high-level challenge was to find a zero-day (0-day) vulnerability in Mozilla's Prism software.
Product URL: https://mozillalabs.com/prism/
Download URL: http://prism.mozilla.com/started/
Whenever we start auditing software like this, we first test the string-size restrictions on the inputs. This is one of the most basic attacks: feeding oversized (very long) strings such as URLs or words into the input fields to overflow a buffer. After testing the string-size restriction on the URL/Name inputs, GE-TEAM discovered a stack buffer overflow vulnerability in Prism v1.0b2, both in the Mozilla standalone application and in the Firefox add-on.
Affected Versions:
Prism – STANDALONE APPLICATION (v1.0b2)
Prism Firefox Extension – FIREFOX ADDON (v1.0b2)
Windows Vista BEX (buffer overflow exception) error report from the Prism Firefox add-on. The exception offset 41414141 is the ASCII "AAAA" of the test string, the fault module "StackHash" means the address does not belong to any loaded module, and exception data 8 marks an attempted execute of an inaccessible address:
Problem event name: BEX
Application name: firefox.exe
Application version: 1.9.1.3593
Application timestamp: 4aef8082
Fault module name: StackHash_0c1c
Fault module version: 0.0.0.0
Fault module timestamp: 00000000
Exception offset: 41414141
Exception code: c0000005
Exception data: 00000008
OS version: 6.0.6002.2.2.0.768.3
Locale ID: 1031
Additional information 1: 0c1c
Additional information 2: 02e5e7938cbdf4517280afd626c56a15
Additional information 3: 4f6a
Additional information 4: e8605fe6e21ad013004e473d591fd489

Windows Vista BEX (buffer overflow exception) error report from the standalone Prism application. Here the fault lies inside MOZCRT19.dll (the Mozilla C runtime) rather than at an address taken from the input:
Problem event name: BEX
Application name: prism.exe
Application version: 1.9.2.3477
Application timestamp: 4a565337
Fault module name: MOZCRT19.dll
Fault module version: 8.0.0.0
Fault module timestamp: 4a542beb
Exception code: c0000005
Exception offset: 0001838a
OS version: 6.0.6002.2.2.0.768.3
Locale ID: 1031
Additional information 1: 0ae2
Additional information 2: a1f9523330457d36593f6e0b3438b757
Additional information 3: 677b
Additional information 4: e391b47c6bb6b6f2db80d1a37eb89949

… and here the crash reproduced with a long "AAAAA…" string, again a Windows Vista BEX error report from the standalone Prism application. The exception offset 00414141 carries three bytes of the "A" pattern, so once more the faulting address came straight from the input:
Problem event name: BEX
Application name: prism.exe
Application version: 1.9.0.3405
Application timestamp: 49f89f9d
Fault module name: StackHash_1477
Fault module version: 0.0.0.0
Fault module timestamp: 00000000
Exception offset: 00414141
Exception code: c0000005
Exception data: 00000008
OS version: 6.0.6002.2.2.0.768.3
Locale ID: 1031
Additional information 1: 1477
Additional information 2: 528bb57b980c1da9bf8c456a3876b4b2
Additional information 3: 22f3
Additional information 4: 05475e8449807bb817c3945e60bda828

Because the size of the URL/Name input is not restricted, an attacker can overwrite the stack and potentially execute code with the privileges of the running process. The risk of the vulnerability is estimated as high. The vulnerability has been reported to the Mozilla developer team and was verified and analysed by Compass Security.
Startup: 2009-06-13
Verified: 2009-12-03
Challenge: Hacking Secure Browser | Mozilla Prism
Lab URL: https://www.hacking-lab.com/ranking/event.html?eventid=43
We produced a short video about the vulnerability with a few clips of the restricted-input tests and the resulting errors; part of the test video was embedded here.
The vulnerability has been reported and is not yet published as an advisory because of its fix/patch status. The full advisory will follow in this post in the coming weeks. We wish all readers, partners and nerds a merry Christmas and a good hack in the new year 2010.
[Writer: ~remove]
