[18761] in bugtraq


Re: Buffer Overflow still exists in Netscape <= 4.76

daemon@ATHENA.MIT.EDU (Henryk Plötz)
Tue Jan 23 16:25:32 2001

Message-Id:  <3A6D8764.A1AAD069@gmx.de>
Date:         Tue, 23 Jan 2001 14:30:12 +0100
Reply-To: Henryk Plötz <HenrykPloetz@GMX.DE>
From: Henryk Plötz <HenrykPloetz@GMX.DE>
To: BUGTRAQ@SECURITYFOCUS.COM


Hi fish stiqz,

   Well, after reading your first message regarding this, I tried your
tool and loaded a page with 20000 A's into my netscape and it crashed
the same moment. Impressive.

   So, I decided to try this again and see whether I could reproduce
the different behavior with different sizes you wrote about.
I started with 1000 A's and gradually increased it, always hitting
reload after I generated a new file. And ... nothing happened.
   I tried hitting reload multiple times, hitting shift+reload and
viewing the source and apart from the time it took to load big pages,
absolutely nothing changed. When I got a file with 1M A's and still
nothing happened, I loaded this file into a newly opened window and ...
crash.

   So I tried this again and, if you first generate a page with a form
that only has 1000 or so A's, then change that file to have many more
A's and only hit reload (not opening a new window and opening the file
there, or hitting Back - Forward in the history), it won't crash.

   Another thing to note: it crashes after loading all the A's but not
before reaching End-Of-File.

   I'm not using an rpm but got the binary from netscape (well, I think
so):

$ md5sum netscape-4.76.tgz
577f4545020a6bcbd016db549fa16f61  netscape-4.76.tgz

   And two other notes:
In this part of the universe netscape dies of SIGBUS and not SIGSEGV
(see the gdb dump at the end of this posting).
I also tried a file with 20M A's and the only thing that I noticed was a
significant decrease in loading speed after loading some 34% or so.

> Exactly what did you do that it didn't segfault on you?  In all my tests
> Netscape has died either as soon as the page loads or as soon as you try
> to go somewhere else (or reload).

   Maybe Frank did what I did, as my Netscape really won't die of
anything when using a small file first.

$ gdb netscape core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols found)...
Core was generated by `netscape crash.htm'.
Program terminated with signal 7, Bus error.
Reading symbols from /lib/libBrokenLocale.so.1...done.
Loaded symbols for /lib/libBrokenLocale.so.1
Reading symbols from /usr/X11R6/lib/libXt.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXt.so.6
Reading symbols from /usr/X11R6/lib/libSM.so.6...done.
Loaded symbols for /usr/X11R6/lib/libSM.so.6
Reading symbols from /usr/X11R6/lib/libICE.so.6...done.
Loaded symbols for /usr/X11R6/lib/libICE.so.6
Reading symbols from /usr/X11R6/lib/libXmu.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXmu.so.6
Reading symbols from /usr/X11R6/lib/libXpm.so.4...done.
Loaded symbols for /usr/X11R6/lib/libXpm.so.4
Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.6
Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libstdc++-libc6.1-1.so.2...done.
Loaded symbols for /usr/lib/libstdc++-libc6.1-1.so.2
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
#0  0x401fca71 in __kill () from /lib/libc.so.6
(gdb) bt
#0  0x401fca71 in __kill () from /lib/libc.so.6
#1  0x8940170 in PR_ClearPendingException ()
#2  <signal handler called>
#3  0x4022c68e in _IO_sgetn (fp=0x92b9700, data=0x8ebd000, n=4096) at genops.c:431
#4  0x40227c03 in _IO_fread (buf=0x8ebd000, size=1, count=4096, fp=0x92b9700) at iofread.c:42
#5  0x83d2ed1 in cache_DBDataToExtCacheDBInfoStruct ()
#6  0x83d3d26 in NET_ProcessFile ()
#7  0x83dd2d7 in NET_ProcessNet ()
#8  0x82ce0ab in fe_GetSecondaryURL ()
#9  0x4003d3a1 in XtAppProcessEvent () from /usr/X11R6/lib/libXt.so.6
#10 0x82bd5cc in fe_EventLoop ()
#11 0x82bffc5 in main ()
#12 0x401f6a5e in __libc_start_main (main=0x82be7a4 <main>, argc=2, argv=0xbffff874, init=0x827f548 <_init>, fini=0x894914c <_fini>, rtld_fini=0x4000aa20 <_dl_fini>, stack_end=0xbffff86c) at ../sysdeps/generic/libc-start.c:92
--
Henryk Plötz
Greetings from the Baltic Sea
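A small crash-triage helper, added here as an example and not part of the posting or of Netscape: it parses a gdb transcript like the one above, reads the terminating signal (here SIGBUS, 7), and locates the frame where the signal was actually delivered, which is the one directly above "<signal handler called>", since the frames below that marker (__kill, PR_ClearPendingException) are the abort path that ran afterwards. The sample transcript is the posting's own backtrace with the mail-wrapped lines rejoined, and the "library vs. application frame" heuristic is an assumption of this example.

```python
import re
from collections import namedtuple

# Constructed sample: the gdb session quoted in the posting, with the lines the
# mail client wrapped rejoined so that each frame sits on one line.
SAMPLE_GDB = """\
Program terminated with signal 7, Bus error.
(gdb) bt
#0  0x401fca71 in __kill () from /lib/libc.so.6
#1  0x8940170 in PR_ClearPendingException ()
#2  <signal handler called>
#3  0x4022c68e in _IO_sgetn (fp=0x92b9700, data=0x8ebd000, n=4096) at genops.c:431
#4  0x40227c03 in _IO_fread (buf=0x8ebd000, size=1, count=4096, fp=0x92b9700) at iofread.c:42
#5  0x83d2ed1 in cache_DBDataToExtCacheDBInfoStruct ()
#6  0x83d3d26 in NET_ProcessFile ()
"""

Frame = namedtuple("Frame", "index func location")  # location: file:line, .so path or None
SIGNAL_RE = re.compile(r"Program terminated with signal (\d+), (.+)\.")
FRAME_RE = re.compile(r"^#(\d+)\s+(?:0x[0-9a-f]+ in )?(\S+)\s*\(.*?\)"
                      r"(?:\s+at\s+(\S+))?(?:\s+from\s+(\S+))?")
HANDLER = "<signal handler called>"

def parse_gdb_session(text):
    """Return ((signal number, signal name), [Frame, ...]) from a gdb transcript."""
    signal, frames, in_bt = None, [], False
    for line in text.splitlines():
        m = SIGNAL_RE.search(line)
        if m:
            signal = (int(m.group(1)), m.group(2))
        elif line.startswith("(gdb) bt"):
            in_bt = True
        elif in_bt and line.startswith("#"):
            if HANDLER in line:  # pseudo-frame: gdb prints no address or function here
                frames.append(Frame(int(line[1:].split()[0]), HANDLER, None))
            elif (m := FRAME_RE.match(line)):
                frames.append(Frame(int(m.group(1)), m.group(2), m.group(3) or m.group(4)))
    return signal, frames

def triage(frames):
    """Frames below the handler marker ran after the fault; the frame directly above
    it is where the signal hit. Returns (faulting frame, first non-library frame at
    or above it); treating a .so location or a glibc _IO_/__ name as 'library' is a heuristic."""
    marks = [i for i, f in enumerate(frames) if f.func == HANDLER]
    fault = frames[marks[0] + 1] if marks and marks[0] + 1 < len(frames) else None
    app = next((f for f in (frames[frames.index(fault):] if fault else [])
                if ".so" not in (f.location or "") and not f.func.startswith(("_IO_", "__"))), None)
    return fault, app
```

On the posting's backtrace this points at _IO_sgetn (genops.c:431) as the faulting frame and cache_DBDataToExtCacheDBInfoStruct as the first Netscape frame, i.e. the 4096-byte fread in the cache code rather than the signal-handling frames at the top.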
