Mozilla properly fuzzed NSS and still ended up with a simple memory corruption hole


Mozilla logo

When it comes to fuzzing, Mozilla has plenty of cred, and has been doing so for some time, and yet, its prized Network Security Services (NSS) library was busted by Google Project Zero’s Tavis Ormandy quite easily.

In a blog post well worth your time, entitled This shouldn’t have happened, Ormandy found that if NSS was made to create an ASN.1 signature bigger than the maximum 16384 bits it expected, overwriting of memory would occur.

“What happens if you just … make a signature that’s bigger than that? Well, it turns out the answer is memory corruption. Yes, really,” Ormandy wrote.

“The untrusted signature is simply copied into this fixed-sized buffer, overwriting adjacent members with arbitrary attacker-controlled data. The bug is simple to reproduce and affects multiple algorithms.”

Read more…