Vulnerability Development mailing list archives

Re: Buffer Overflows in Netscape6


From: Robert van der Meulen <rvdm () CISTRON NL>
Date: Thu, 25 Jan 2001 18:46:32 +0100

Hi,

Just for the record, I tried these with mozilla on a Debian system:
<rvdm@Forty-Two:~> dpkg -l | grep mozilla
ii  mozilla        M18-3          An Open Source WWW browser for X and GTK+
<rvdm@Forty-Two:~>

Quoting Anders Ingeborn (ingeborn () IXSECURITY COM):
> Buffer Overflow #1 occurs when a link of more than 996 digits is followed
> (i.e. http://996x'1'). Netscape seems to assume this to be an IP address.
> The violation is at 0x60c2cb38. If the link is over 996 digits there are
> access violations on three other places (0x60650e4a, 0x60650e19 and
> 0x78001648). MOV- or AND-instructions.
No crash, usual error dialog. (Error loading URL)

> Buffer Overflow #2 occurs when a domain name link of 511 characters (or
> mixed characters/digits) is followed (i.e. www.511x'a'.com).
Same thing - no crash, error dialog.

> Buffer Overflow #3 only occurred once during our test. Netscape6 was
> trying to parse the link as an IPv6 address and convert it to an IPv4 address
> and did crash in a function named something like ipv6toipv4.
Could you explain what the link looked like, and the situation where it did
and didn't work?

I tested mozilla on both problems with a 'fresh' browser, and after loading
some other ('short') URLs as well.

Greets,
        Robert

--
                              Linux Generation
      If you can't learn to do it well, learn to enjoy doing it badly.
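The two inputs discussed in this thread (a host of 996 digits that the browser treats as an IP literal, and a 511-character domain name) are both far beyond the limits DNS allows for a host name, so a parser that checks length before it copies anything never reaches a fixed-size buffer with them. The following is an added example written for this archive page; it is not code from Netscape, Mozilla or either poster, and `parse_host`, `probe_repeated`, `host_string` and the error codes are hypothetical names. The limits assumed are RFC 1035's 63-octet labels and 253-character names. It rejects bracketed IPv6 literals outright rather than converting them.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed limits (RFC 1035): a label is at most 63 octets, a full name
 * at most 253 printable characters. */
#define HOST_MAX  253
#define LABEL_MAX 63

enum host_result { HOST_OK = 0, HOST_TOO_LONG = 1, HOST_BAD_LABEL = 2, HOST_EMPTY = 3 };

/* Hypothetical bounded host extractor: copies the host part of
 * "scheme://host[:port][/...]" into out (capacity outlen), but only after
 * the length and every label have been validated.  No byte is written to
 * out for an input that is too long, so an oversized host cannot overrun it. */
int parse_host(const char *url, char *out, size_t outlen)
{
    const char *p = strstr(url, "://");
    p = p ? p + 3 : url;
    size_t n = strcspn(p, "/?#:");          /* host ends at port, path, query or fragment */
    if (n == 0)
        return HOST_EMPTY;
    if (n > HOST_MAX || n >= outlen)        /* the 996-digit and 511-char cases stop here */
        return HOST_TOO_LONG;

    size_t label = 0;                       /* validate each dot-separated label */
    for (size_t i = 0; i < n; i++) {
        if (p[i] == '.') {
            if (label == 0 || label > LABEL_MAX)
                return HOST_BAD_LABEL;
            label = 0;
            continue;
        }
        /* digits, letters and '-' only; this also rejects '[' of IPv6 literals */
        if (!isalnum((unsigned char)p[i]) && p[i] != '-')
            return HOST_BAD_LABEL;
        label++;
    }
    if (label == 0 || label > LABEL_MAX)
        return HOST_BAD_LABEL;

    memcpy(out, p, n);                      /* n < outlen was checked above */
    out[n] = '\0';
    return HOST_OK;
}

/* Build "http://" + count copies of ch + "/" (a constructed probe URL in the
 * shape the thread describes) and return parse_host's verdict on it. */
int probe_repeated(char ch, size_t count)
{
    static char url[4096];
    static char host[HOST_MAX + 1];
    if (count + 9 > sizeof url)
        return -1;
    memcpy(url, "http://", 7);
    memset(url + 7, ch, count);
    url[7 + count] = '/';
    url[8 + count] = '\0';
    return parse_host(url, host, sizeof host);
}

/* Convenience wrapper: the extracted host, or NULL if it was rejected. */
const char *host_string(const char *url)
{
    static char host[HOST_MAX + 1];
    return parse_host(url, host, sizeof host) == HOST_OK ? host : NULL;
}

int main(void)
{
    printf("996 digits      -> %d\n", probe_repeated('1', 996));   /* 1: HOST_TOO_LONG */
    printf("511 letters     -> %d\n", probe_repeated('a', 511));   /* 1: HOST_TOO_LONG */
    printf("64-char label   -> %d\n", probe_repeated('a', 64));    /* 2: HOST_BAD_LABEL */
    printf("www.example.com -> %s\n", host_string("http://www.example.com/x"));
    return 0;
}
```

The point of the ordering is that every check runs against the source string only; the destination buffer is touched once, after the length is known to fit. Whether a short all-digit host is then a valid IPv4 literal is a separate question for the address parser, which also receives input already bounded to 253 characters.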

