Bugtraq mailing list archives
Re: Ray Cromwell: Another Netscape Bug (and possible security
From: neil () legless demon co uk (Neil Woods)
Date: Thu, 28 Sep 1995 05:29:42 +0100
On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation fault and subsequent coredump. GDB reports nothing useable (stripped executable)

I cannot reproduce this bug on the following platforms: Solaris 2.5 beta/Netscape 1.1N

I've reproduced it fine under sol2.4 1.1N. The page I tested from is http://www.aloha.net/~newsham/test.html. Simply click on the long test url and core dump. (You can view source before clicking to see what you are clicking on if you don't trust me :)

Howard Owen hbo () octel com
Octel Communications Corporation 1024/DC671C31

Further investigation shows this is indeed a stack overwrite. However, due to the window restore/save mechanism of the sparc, we're not able to overwrite the return address for this function. However, it may be possible to overwrite a return address from a previously flushed frame (this is architecture specific). The core dump obtained from this url is due to passing two local pointers which have been overwritten. In order to progress further, these would need to point to valid addresses. Normally, these point to global or static buffers containing http:... strings.

I hope this helps those who are developing exploits.

Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way, M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...