Vulnerability Development mailing list archives
Re: Buffer Overflows in Netscape6
From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Thu, 25 Jan 2001 18:46:32 +0100
Hi,

Just for the record, I tried these with Mozilla on a Debian system:

<rvdm@Forty-Two:~> dpkg -l | grep mozilla
ii  mozilla        M18-3          An Open Source WWW browser for X and GTK+
<rvdm@Forty-Two:~>

Quoting Anders Ingeborn (ingeborn () IXSECURITY COM):
> Buffer Overflow #1 occurs when a link of more than 996 digits is followed (i.e. http://996x'1'). Netscape seems to assume this to be an IP address. The violation is at 0x60c2cb38. If the link is over 996 digits there are access violations on three other places (0x60650e4a, 0x60650e19 and 0x78001648). MOV- or AND-instructions.
No crash, usual error dialog. (Error loading URL)
> Buffer Overflow #2 occurs when a domain name link of 511 characters (or mixed characters/digits) is followed (i.e. www.511x'a'.com).
Same thing - no crash, error dialog.
> Buffer Overflow #3 did only occur once during our test. Netscape6 was trying to parse the link as an IPv6 address and convert it to an IPv4 address and did crash in a function named something like ipv6toipv4.
Could you explain what the link looked like, and the situation where it did and didn't work? I tested Mozilla on both problems with a 'fresh' browser, and after loading some other ('short') URLs as well.

Greets,
        Robert

--
                          Linux Generation
   If you can't learn to do it well, learn to enjoy doing it badly.
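The two inputs discussed in this thread (a host made of 996 '1' digits that the browser tries to treat as an IP address, and a 511-character domain label) are the kind of thing a bounded host parser should refuse before any copy into a fixed buffer takes place. The following is an added example written for this archive page, not code from Netscape, Mozilla or either poster, and it makes no claim about why those browsers faulted; it builds the two test URLs from the thread and runs them through a hypothetical parser that enforces the RFC 1035 limits (255 characters per hostname, 63 per label) and only hands an all-digit host to address conversion when it is a well-formed dotted quad. All function names and limits are assumptions of this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical bounded host parser for this example; not browser code. */
#define MAX_HOST  255   /* RFC 1035: total hostname length */
#define MAX_LABEL 63    /* RFC 1035: length of one dotted label */

enum host_kind { HOST_INVALID = 0, HOST_IPV4, HOST_NAME };

/* Build a URL of the shape used in the thread: prefix, n copies of c, suffix
   (e.g. "http://", '1', 996, "/" gives http://111...1/). Caller frees it. */
char *make_test_url(const char *prefix, char c, size_t n, const char *suffix)
{
    size_t plen = strlen(prefix), slen = strlen(suffix);
    char *url = malloc(plen + n + slen + 1);
    if (!url) return NULL;
    memcpy(url, prefix, plen);
    memset(url + plen, c, n);
    memcpy(url + plen + n, suffix, slen + 1);   /* includes the NUL */
    return url;
}

/* True only for a dotted quad: four decimal parts of 1-3 digits, each <= 255.
   An all-digit host of any other shape is not an address and is rejected
   instead of being passed to an address-conversion routine. */
static int is_dotted_quad(const char *h, size_t len)
{
    size_t i = 0;
    int parts = 0;
    while (i < len) {
        size_t start = i;
        int v = 0;
        while (i < len && isdigit((unsigned char)h[i])) {
            v = v * 10 + (h[i] - '0');
            i++;
        }
        if (i - start == 0 || i - start > 3 || v > 255) return 0;
        parts++;
        if (i < len) {
            if (h[i] != '.') return 0;
            i++;
            if (i == len) return 0;   /* trailing dot */
        }
    }
    return parts == 4;
}

/* Copy the host part of url into out (bounded by outlen) and classify it.
   Over-long hosts or labels and characters outside [A-Za-z0-9.-] are
   rejected before anything is copied. */
enum host_kind classify_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    if (!p) return HOST_INVALID;
    p += 3;
    size_t len = strcspn(p, "/:?#");
    if (len == 0 || len > MAX_HOST || len >= outlen) return HOST_INVALID;

    size_t label = 0;
    int all_numeric = 1;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = (unsigned char)p[i];
        if (ch == '.') {
            if (label == 0 || label > MAX_LABEL) return HOST_INVALID;
            label = 0;
            continue;
        }
        if (!isalnum(ch) && ch != '-') return HOST_INVALID;
        if (!isdigit(ch)) all_numeric = 0;
        label++;
    }
    if (label == 0 || label > MAX_LABEL) return HOST_INVALID;
    if (all_numeric && !is_dotted_quad(p, len)) return HOST_INVALID;

    memcpy(out, p, len);
    out[len] = '\0';
    return all_numeric ? HOST_IPV4 : HOST_NAME;
}

/* Convenience wrappers with an internal bounded buffer. */
enum host_kind classify_url(const char *url)
{
    char host[MAX_HOST + 1];
    return classify_host(url, host, sizeof host);
}

enum host_kind check_repeated(const char *prefix, char c, size_t n, const char *suffix)
{
    char *url = make_test_url(prefix, c, n, suffix);
    if (!url) return HOST_INVALID;
    enum host_kind k = classify_url(url);
    free(url);
    return k;
}

int main(void)
{
    printf("996 x '1'      : %d\n", check_repeated("http://", '1', 996, "/"));
    printf("www.511x'a'.com: %d\n", check_repeated("http://www.", 'a', 511, ".com/"));
    printf("192.0.2.1      : %d\n", classify_url("http://192.0.2.1/"));
    printf("www.example.com: %d\n", classify_url("http://www.example.com/"));
    return 0;
}
```

Both thread inputs come back as HOST_INVALID (0): the 996-digit host fails the 255-character limit and, even if it were shorter, would fail the dotted-quad check, while the 511-character label fails the 63-character label limit. A real dotted quad classifies as HOST_IPV4 and an ordinary name as HOST_NAME, so the length checks do not get in the way of valid links.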
Current thread:
- Buffer Overflows in Netscape6 Anders Ingeborn (Jan 25)
- Re: Buffer Overflows in Netscape6 Robert van der Meulen (Jan 25)