Check Point Reference: | CPAI-2004-163 |
Date Published: | 15 Mar 2010 |
Severity: | Medium |
Last Updated: | Thursday 11 August, 2016 |
Source: | |
Industry Reference: | CVE-2004-0722 |
Protection Provided by: | Security Gateway |
Who is Vulnerable? | |
Vulnerability Description |
Simple Object Access Protocol (SOAP) is an XML-based protocol that allows for an easy exchange of information over the Internet. It is commonly used for building web services. Mozilla has built-in SOAP support, provided through a JavaScript interface for a series of objects designed to create, send, and receive SOAP messages.

A vulnerability exists in several versions of the Mozilla and Netscape browsers' implementation of SOAP. A specially crafted HTML page containing script code that leverages this vulnerability can allow an attacker to crash a client's browser application, or potentially introduce arbitrary code into the process flow, compromising the system.

In a simple denial of service attack case, the affected web browser will crash upon opening the malicious HTML page. Similarly, the vulnerable mail client will crash upon opening or previewing the malicious HTML mail. If an attacker performs a more complete code injection attack, then the behavior of the target is dependent entirely on the injected code.

Experiments show that the behavior of the vulnerable products differs on Linux with regard to the excessively large array that is passed into the constructor SOAPParameter. This large array can be created with a large size (e.g., new Array(...)) or resized to a large size by a large index (e.g., arrayObject[index] = ...). On Linux, Mozilla will attempt to allocate all the elements of the array. First, there is a long wait in Mozilla as it tries to allocate a large array. Second, since the malicious script is attempting to create an array that is over 1 gigabyte in memory, an average system will run out of memory. The Linux operating system will terminate the Mozilla process because of the out of memory condition. As such, the vulnerability is never triggered. |
This protection will detect and block attempts to exploit this vulnerability.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on the Protection tab and select the version of your choice.
This protection's log will contain the following information:
Attack Name: Web Client Enforcement Violation.
Attack Information: Mozilla SOAPParameter Integer Overflow
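
The log entry names the flaw an integer overflow, and the description ties it to the length of an array. As an added example (not Mozilla's or Check Point's code), the C code below shows how a byte count derived from an element count can wrap in 32-bit arithmetic, next to a checked form that rejects such lengths before allocating. The 4-byte element size, the 32-bit width and all function names are assumptions chosen for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Assumption: 4-byte elements and 32-bit size arithmetic, chosen for
 * illustration; neither figure comes from the advisory. */
#define ELEM_SIZE 4u

/* Unchecked: the byte count is computed in 32 bits and silently wraps. */
uint32_t unchecked_bytes(uint32_t count) {
    return count * ELEM_SIZE;
}

/* Checked: stores the byte count and returns 0, or returns -1 when
 * count * ELEM_SIZE cannot be represented in 32 bits. */
int checked_bytes(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / ELEM_SIZE)
        return -1;
    *out = count * ELEM_SIZE;
    return 0;
}

/* Hardened copy: validates the size before allocating, so the buffer can
 * never be smaller than the number of elements written into it. */
uint32_t *copy_elements(const uint32_t *src, uint32_t count) {
    uint32_t bytes;
    if (count == 0 || checked_bytes(count, &bytes) != 0)
        return NULL;
    uint32_t *dst = malloc(bytes);
    if (dst == NULL)
        return NULL;
    for (uint32_t i = 0; i < count; i++)
        dst[i] = src[i];
    return dst;
}

int main(void) {
    uint32_t huge = 0x40000001u;  /* constructed length: 2^30 + 1 elements */
    uint32_t bytes = 0;
    printf("unchecked: %u elements -> %u bytes\n",
           (unsigned)huge, (unsigned)unchecked_bytes(huge));
    printf("checked:   %s\n",
           checked_bytes(huge, &bytes) == 0 ? "accepted" : "rejected");
    return 0;
}
```

With the unchecked computation, a buffer sized from the wrapped value would be far smaller than the element count used by the copy loop; the checked path refuses the length instead.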