Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow

[dap24 () BEER COM (David Parker)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I tried the 4 exploit test links, and they all crashed Netscape but
didn't cause any bluescreens or run any programs. I have win98,
Netscape 4.5 128-bit, and the same msvcrt.dll (6.00.8397). I'm not
sure how to debug the crashes, so I'm including the illegal operation
errors, hopefully they will be of some help:

(in the same order as the original links) --

NETSCAPE caused an invalid page fault in
module KERNEL32.DLL at 018f:bff87eb5.
Registers:
EAX=c00300ec CS=018f EIP=bff87eb5 EFLGS=00010202
EBX=00b3e54c SS=0197 ESP=00a3ffd0 EBP=00a4003c
ECX=00a401f0 DS=0197 ESI=817c0430 FS=19df
EDX=bff76859 ES=0197 EDI=00a40218 GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
Stack dump:

NETSCAPE caused an invalid page fault in
module KERNEL32.DLL at 018f:bff87eb5.
Registers:
EAX=c00300ec CS=018f EIP=bff87eb5 EFLGS=00010202
EBX=00b3e54c SS=0197 ESP=00a3ffd0 EBP=00a4003c
ECX=00a401f0 DS=0197 ESI=817c9048 FS=1d0f
EDX=bff76859 ES=0197 EDI=00a40218 GS=0000
Bytes at CS:EIP:
53 56 57 8b 30 83 7d 10 01 8b 4e 38 89 4d f8 75
Stack dump:

NETSCAPE caused an invalid page fault in
module KERNEL32.DLL at 018f:bff7a06b.
Registers:
EAX=00b3f39c CS=018f EIP=bff7a06b EFLGS=00010246
EBX=00b3f39c SS=0197 ESP=00a4002c EBP=00a4004c
ECX=00a400d0 DS=0197 ESI=817c900c FS=1d0f
EDX=bff76859 ES=0197 EDI=00a400f8 GS=0000
Bytes at CS:EIP:
ff a6 c5 f7 bf ac c5 f7 bf ff ff ff ff be c5 f7
Stack dump:
bff7684d 00a400f8 00b3f39c 00a40114 00a400d0 00a40204 bff76859
00b3f39c 00a400e0 bff87fc0 00a400f8 00b3f39c 00a40114 00a400d0
bff7a06b 00a402bc

NETSCAPE caused an invalid page fault in
module KERNEL32.DLL at 018f:bff7a06b.
Registers:
EAX=00b3f39c CS=018f EIP=bff7a06b EFLGS=00010246
EBX=00b3f39c SS=0197 ESP=00a4002c EBP=00a4004c
ECX=00a400d0 DS=0197 ESI=817c6800 FS=1d0f
EDX=bff76859 ES=0197 EDI=00a400f8 GS=0000
Bytes at CS:EIP:
ff a6 c5 f7 bf ac c5 f7 bf ff ff ff ff be c5 f7
Stack dump:
bff7684d 00a400f8 00b3f39c 00a40114 00a400d0 00a40204 bff76859
00b3f39c 00a400e0 bff87fc0 00a400f8 00b3f39c 00a40114 00a400d0
bff7a06b 00a402bc

- -----
dap24 () beer com
http://neongoat.netpedia.net
PGP Key ID/Fingerprint:
 0xF90FFFE5  /  F362 51F7 6D51 85EB AF68 75B9 D29B 1AFC F90F FFE5
- -----

- -----Original Message-----
From: DEF CON ZERO WINDOW <defcon0 () UGTOP COM>
To: BUGTRAQ () SECURITYFOCUS COM <BUGTRAQ () SECURITYFOCUS COM>
Date: Friday, September 03, 1999 8:16 PM
Subject: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow

> Hi,
>
> I discovered a buffer overflow bug which causes huge security hole
on the `Netscape communicator 4.06J, 4.5J - 4.6J, 4.61e( probably, a
version 3.0 after all )'.
> The problem of this application is in the handling of EMBED TAG, the
buffer overflow is caused if the long string is specified at
"pluginspage" option.
> I coded the exploit program to execute any command on the victim
machine. I tested on the Windows98.
> However, this program specifies immediately the address of the
system() function which is defined on the msvcrt.dll, this program
does not work on the Windows machine which is installed the other
version of msvcrt.dll (This program is for Version 6.00.8397).
> The reason that I specified the immediate address of the function is
the buffer which can be written the exploit code is very short, the
size of writable buffer is about 83 bytes. The buffer is too small to
put the code which gets the address of the functions which are defined
on the "msvcrt.dll".
> However, this problem will be solved if the code that searchs the
attack code and executes that code is put on the exploit code. The
attack code also can be written on the other buffer.
> # An attack code could be written in 2300 bytes to stack_bottom.
>
> The trojan or virus can be written on the attack code, this problem
is very serious.
> In this case, the stack pointer (ESP) when the overflow is caused
differs by the environment. So, the method of the RET address
overwrites can not be used to exploit. This example overwrites the
handling address of the access violation, the exploit code is called
when the access violation is caused. When the access violation is
caused, the address of the exploit buffer is stored in the EBX
register. So, I overwrite the handling address to the code that the
"JMP EBX" instruction is written.
> You can quickly test this exploit on my site. I have prepared some
versions of exploits that execute "welcome.exe" on your Windows98
machine. If you are user of the specified version of netscape, please
test. I did not code the exploit program for the WindowsNT and
Windows95, but they also contain same problem.
> ... and, This problem can't be avoided.
>
>
> [ exploit demo page ]
>
> exec "welcome.exe" - nc4x_ex.c
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
>
> exec "notepad.exe"
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
>
> ---
>
> [ exploit test ]
>
> blue screen(int 01h)
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
>
>
> [ document(japanese) ]
> http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
>
>
> special thanks:
> UNYUN( The Shadow Penguin Security )
> http://shadowpenguin.backsection.net/
>
>
>
> --
> : R00t Zer0 -   http://www.ugtop.com/defcon0/index.htm           :
> : E-Mail: defcon0 () ugtop com                                      :
> : --                                                          -- :
> : "HP/UX is the worst OS for the hacker..." - Mark Abene         :
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN9CYJtKbGvz5D//lEQJ9ywCgibQit7j2zLT744YHxNBg6/6sMXkAoJ4m
KV7FQukDWwEHKdztvG3S0xP3
=g8zV
-----END PGP SIGNATURE-----