[16953] in bugtraq


Netscape Navigator buffer overflow

daemon@ATHENA.MIT.EDU (Michal Zalewski)
Thu Sep 28 14:46:31 2000

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.21.0009281820380.27469-100000@dione.ids.pl>
Date:         Thu, 28 Sep 2000 18:45:41 +0200
Reply-To: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
From: Michal Zalewski <lcamtuf@DIONE.IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM

Haven't seen a bug report on it, so I decided to publish this vulnerability.
In fact it's pretty old, but still unpublished: Netscape Navigator is
vulnerable to a trivial, remote buffer overflow attack when viewing prepared
HTML:

<form action=something method=something>
<input type=password value=reallylongstring...>
...other form tags...
</form>

If the buffer is reasonably long, Netscape crashes with SEGV while trying to
parse this tag (it happens around 16 kB of junk as value=) while calling the
function XFE_GetFormElementInfo(). It is not a stack overflow, but, as
some pointers are overwritten, it seems to be exploitable. If someone has
free time and good will, they could try; recall the JPEG comment heap overflow.

Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=
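A defender-side check for the pattern described in the post, added here as an example; it is not code from the original message or from Netscape. It uses Python's standard-library HTML parser to flag any <input type=password> whose value= attribute is at or above a size limit, so a content filter or a scan over fetched pages can spot documents that would push this parsing path. The 16 kB figure comes from the post; the function names, the limit argument and the sample documents are this example's own assumptions.

```python
"""Flag HTML whose <input type=password> carries an oversized value= attribute.

Added example, not part of the original post. Only type=password inputs are
flagged, because the post reports only that input type as affected.
"""
from html.parser import HTMLParser

# The post reports the crash at roughly 16 kB of value= data; treat that as the
# default limit and let callers tighten or loosen it.
DEFAULT_LIMIT = 16 * 1024


class PasswordValueScanner(HTMLParser):
    """Collect (line, column, value_length) for every oversized password input."""

    def __init__(self, limit=DEFAULT_LIMIT):
        super().__init__()
        self.limit = limit
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser already lowercases tag names; normalise attribute names
        # too, and treat a bare attribute (value with no '=') as empty.
        attrs = {name.lower(): (value or "") for name, value in attrs}
        if tag != "input":
            return
        if attrs.get("type", "text").lower() != "password":
            return  # type=text and friends are not reported as affected
        length = len(attrs.get("value", "").encode("utf-8"))
        if length >= self.limit:
            line, column = self.getpos()
            self.findings.append((line, column, length))


def scan_html(document, limit=DEFAULT_LIMIT):
    """Return a list of (line, column, value_length) findings for `document`."""
    scanner = PasswordValueScanner(limit)
    scanner.feed(document)
    scanner.close()
    return scanner.findings


# Constructed sample documents (not real pages): one ordinary login form, one
# with an overlong password value as in the post, and one where the overlong
# value sits on a type=text input, which the post does not describe as affected.
BENIGN_HTML = (
    "<form action=login method=post>\n"
    "<input type=text name=user>\n"
    "<input type=password name=pw value=secret>\n"
    "</form>\n"
)
SUSPECT_HTML = (
    "<form action=something method=something>\n"
    "<input type=PASSWORD value=" + "A" * 20000 + ">\n"
    "</form>\n"
)
LONG_TEXT_HTML = (
    "<form>\n"
    "<input type=text value=" + "A" * 20000 + ">\n"
    "</form>\n"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspect", SUSPECT_HTML),
                       ("long-text", LONG_TEXT_HTML)):
        print(label, scan_html(doc))
```

Run as a script it prints one finding for the suspect document only; the finding's line and column point at the offending input tag so a reviewer can locate it in a large page. The limit is a parameter because the crash threshold in the post is approximate and a filter may want headroom below it.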
