[11752] in bugtraq
Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow
daemon@ATHENA.MIT.EDU (Kerb)
Wed Sep 8 18:35:39 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <01BEF8C9.9D9A4280.kerb@fnusa.com>
Date: Tue, 7 Sep 1999 00:40:41 -0500
Reply-To: Kerb <kerb@FNUSA.COM>
From: Kerb <kerb@FNUSA.COM>
X-To: "bugtraq@securityfocus.com" <bugtraq@securityfocus.com>
To: BUGTRAQ@SECURITYFOCUS.COM
I tried the URL for the notepad.exe on a Windows 95 (4.00.950a) machine,
Pentium II 266 w/ 56 MB of RAM, using Netscape Communicator 4.05 Preview
Release 1 (AWT 1.1.5), even though these are coded for Win98. When I went
there with NC 4.05, it gave me a blue screen of death that was completely
unrecoverable. I had to reboot the system.

So, basically, it is a DoS for Netscape users; it could possibly be coded into
a CGI or JavaScript that checks the browser version and writes the
corresponding exploit code. Just a thought.
-Kerb
On Thursday, September 02, 1999 9:46 AM, DEF CON ZERO WINDOW [SMTP:defcon0@UGTOP.COM] wrote:
: Hi,
:
: I discovered a buffer overflow bug which causes a huge security hole in
: `Netscape communicator 4.06J, 4.5J - 4.6J, 4.61e (probably, a version 3.0
: after all)'.
:
: The problem in this application is in the handling of the EMBED tag; the
: buffer overflow is caused if a long string is specified in the "pluginspage"
: option. I coded an exploit program to execute any command on the victim
: machine. I tested it on Windows98.
:
: However, this program specifies the address of the system() function, which
: is defined in msvcrt.dll, as an immediate value; this program does not work
: on a Windows machine which has another version of msvcrt.dll installed (this
: program is for version 6.00.8397).
:
: The reason that I specified the immediate address of the function is that
: the buffer in which the exploit code can be written is very short; the size
: of the writable buffer is about 83 bytes. The buffer is too small to hold
: code that gets the addresses of the functions which are defined in
: "msvcrt.dll".
:
: However, this problem will be solved if code that searches for the attack
: code and executes it is put in the exploit code. The attack code can also
: be written in another buffer.
:
: # An attack code could be written in 2300 bytes to stack_bottom.
:
: A trojan or virus could be written in the attack code; this problem is very
: serious.
:
: In this case, the stack pointer (ESP) when the overflow occurs differs by
: environment. So, the method of overwriting the RET address cannot be used
: to exploit it. This example overwrites the handler address for the access
: violation; the exploit code is called when the access violation occurs.
: When the access violation occurs, the address of the exploit buffer is
: stored in the EBX register. So, I overwrite the handler address to point to
: code where a "JMP EBX" instruction is written.
:
: You can quickly test this exploit on my site. I have prepared some versions
: of exploits that execute "welcome.exe" on your Windows98 machine. If you are
: a user of one of the specified versions of Netscape, please test. I did not
: code the exploit program for WindowsNT and Windows95, but they also contain
: the same problem.
:
: .. and, this problem can't be avoided.
:
:
: [ exploit demo page ]
:
: exec "welcome.exe" - nc4x_ex.c
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
:
: exec "notepad.exe"
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
:
: ---
:
: [ exploit test ]
:
: blue screen(int 01h)
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
:
:
: [ document(japanese) ]
: http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
:
:
: special thanks:
: UNYUN( The Shadow Penguin Security )
: http://shadowpenguin.backsection.net/
:
:
:
: --
: : R00t Zer0 - http://www.ugtop.com/defcon0/index.htm :
: : E-Mail: defcon0@ugtop.com :
: : -- -- :
: : "HP/UX is the worst OS for the hacker..." - Mark Abene :
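A defender-side check for the pattern the advisory describes, an EMBED tag whose pluginspage attribute is far longer than the roughly 83-byte buffer, as a content filter or IDS rule might apply it. This is an added example, not code from either poster; the HTML sample is constructed, and the 83-byte threshold is a heuristic taken from the advisory's figure, not a verified bound.

```python
import re
from typing import Dict, List

# Heuristic threshold: the advisory reports roughly 83 bytes of writable
# buffer for the attribute, so values well past that are worth flagging.
PLUGINSPAGE_LIMIT = 83

# Match each <EMBED ...> tag, then pull its attributes apart.  Values may be
# double-quoted, single-quoted or unquoted, as 1990s HTML allowed.
EMBED_RE = re.compile(r"<embed\b([^>]*)>", re.IGNORECASE | re.DOTALL)
ATTR_RE = re.compile(
    r"""([A-Za-z_:][-\w:.]*)\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+)""", re.DOTALL
)


def find_long_pluginspage(html: str, limit: int = PLUGINSPAGE_LIMIT) -> List[Dict]:
    """Return one finding per EMBED tag whose pluginspage value exceeds limit."""
    findings = []
    for tag in EMBED_RE.finditer(html):
        attrs = {}
        for name, value in ATTR_RE.findall(tag.group(1)):
            attrs[name.lower()] = value.strip("\"'")
        value = attrs.get("pluginspage")
        if value is not None and len(value) > limit:
            findings.append({
                "offset": tag.start(),    # where the tag begins in the document
                "length": len(value),     # attribute length that tripped the check
                "src": attrs.get("src"),  # helps an analyst see what was embedded
            })
    return findings


# Constructed sample: one ordinary EMBED and one with an oversized,
# unquoted pluginspage value.
SAMPLE_HTML = (
    '<html><body>'
    '<embed src="intro.swf" pluginspage="http://plugins.example.invalid/get">'
    '<EMBED SRC=x.mid PLUGINSPAGE=' + "A" * 300 + ' HIDDEN=true>'
    '</body></html>'
)

if __name__ == "__main__":
    for f in find_long_pluginspage(SAMPLE_HTML):
        print(f"suspicious EMBED at offset {f['offset']}: "
              f"pluginspage is {f['length']} bytes, src={f['src']}")
```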