1995-09-22 - Re: Another Netscape Bug (and possible security hole)

Header Data

From: "Perry E. Metzger" <perry@piermont.com>
To: Ray Cromwell <rjc@clark.net>
Message Hash: 1a8d729dfda00dca3b63dcf28b5f679a1bfdb44928beafb085afef2a7e84ffd2
Message ID: <199509221224.IAA03734@frankenstein.piermont.com>
Reply To: <199509220612.CAA11441@clark.net>
UTC Datetime: 1995-09-22 12:25:00 UTC
Raw Date: Fri, 22 Sep 95 05:25:00 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Fri, 22 Sep 95 05:25:00 PDT
To: Ray Cromwell <rjc@clark.net>
Subject: Re: Another Netscape Bug (and possible security hole)
In-Reply-To: <199509220612.CAA11441@clark.net>
Message-ID: <199509221224.IAA03734@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



Ray;

This is evidence that, as I said, they have plenty of buffer overflow
bugs. So much for the protestations to the contrary.

My suspicion is that if you used a customized HTTPd that allowed you
to shove arbitrary data into your URL, you could get the victim's copy
of netscape to fandango on the stack and do nicely arbitrary things to
the victim -- like executing "cd ~/; rm -rf ."

A "Hack Netscape" T-Shirt for the first person (Ray, here is your
chance!) to find an exploit using this! Though your demo shouldn't do
anything bad. Does everyone think Ray should get a shirt no matter what?

Perry

Ray Cromwell writes:
> 
> I've found a Netscape bug which I suspect is a buffer overflow and
> may have the potential for serious damage. If it is an overflow bug,
> then it may be possible to infect every computer which accesses a web
> page with Netscape. To see the bug, create an html file containing
> the following:
> 
> <a href="http://foo.bar.foo[rest of giant URL elided]
> 
> On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
> fault and subsequent core dump. GDB reports nothing usable (stripped
> executable).
> 
> As you can see, I just chose an extremely long domain name. I guessed
> that the authors of netscape probably thought something like "well,
> a buffer size of 256 characters is good enough to hold any domain"
> 
> It's definitely the domain that's causing it, and not the length of
> the URL or the data after the domain name.
>  
> I also tried to overflow some netscape servers using similar techniques
> (and shell metacharacters in all sorts of URLs), to no avail. I suspect
> a similar attack may work against the Netscape Server if it is proxying.
> 
> 
> Does anyone have a disassembly of Netscape, or more specifically, 
> a disassembly of the URL parse and domain lookup routines? I'd be
> happy to collaborate and "Hack Netscape" ;-)
> 
> 
> Happy Hacking,
> -Ray
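The defect class Ray's report points at (a host name copied into a fixed-size buffer without a length check) and the bounded alternative, as an added example that is not part of this thread and not Netscape's code. The 256-byte buffer size is the guess quoted in the report; the 253-byte hostname ceiling is the DNS maximum; the function names, the `make_long_url` helper and the constructed sample URLs are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_BUF_SIZE 256      /* the "256 is enough for any domain" guess from the report */
#define MAX_HOSTNAME_LEN 253   /* DNS limit on a full host name */

/* Length of the host component of "http://host..." (stops at '/', ':', '?' or '#').
   Returns 0 and sets *has_scheme to 0 when the URL does not start with http://. */
static size_t host_len(const char *url, int *has_scheme) {
    const char *prefix = "http://";
    size_t plen = strlen(prefix);
    if (strncmp(url, prefix, plen) != 0) { *has_scheme = 0; return 0; }
    *has_scheme = 1;
    return strcspn(url + plen, "/:?#");
}

/* Would an unchecked copy of the host into a HOST_BUF_SIZE buffer overrun it?
   This is the check the vulnerable pattern omits: it compares the host length
   against the buffer (including room for the terminator) instead of copying. */
int would_overflow_fixed_buffer(const char *url) {
    int has_scheme;
    size_t hlen = host_len(url, &has_scheme);
    if (!has_scheme) return 0;
    return hlen >= HOST_BUF_SIZE ? 1 : 0;
}

/* Bounded extraction: copies the host into out (out_size bytes).
   Returns 0 on success, -1 for a non-http URL, -2 when the host is longer
   than a legal host name or would not fit in out. Never writes past out_size. */
int extract_host_bounded(const char *url, char *out, size_t out_size) {
    int has_scheme;
    size_t hlen = host_len(url, &has_scheme);
    if (!has_scheme) return -1;
    if (hlen > MAX_HOSTNAME_LEN || hlen + 1 > out_size) return -2;
    memcpy(out, url + strlen("http://"), hlen);
    out[hlen] = '\0';
    return 0;
}

/* Constructed input: "http://" followed by n copies of 'a' and "/x", on the heap.
   Caller frees. Stands in for the giant domain name elided from the report. */
char *make_long_url(size_t n) {
    const char *pre = "http://", *post = "/x";
    size_t total = strlen(pre) + n + strlen(post) + 1;
    char *u = malloc(total);
    if (!u) return NULL;
    strcpy(u, pre);
    memset(u + strlen(pre), 'a', n);
    strcpy(u + strlen(pre) + n, post);
    return u;
}

int main(void) {
    char buf[HOST_BUF_SIZE];
    const char *normal = "http://example.com/index.html";   /* constructed */
    char *oversize = make_long_url(300);                    /* constructed, 300-char host */

    printf("%-40s overflow=%d extract=%d\n", normal,
           would_overflow_fixed_buffer(normal),
           extract_host_bounded(normal, buf, sizeof buf));
    printf("%-40s overflow=%d extract=%d\n", "300-char host",
           would_overflow_fixed_buffer(oversize),
           extract_host_bounded(oversize, buf, sizeof buf));
    free(oversize);
    return 0;
}
```

The defensive point is that the bounded routine rejects the oversize host before any copy happens, so a long name produces an error return rather than a crash or stack corruption; `would_overflow_fixed_buffer` is the same comparison expressed as a standalone check, useful when auditing a parser that still uses a fixed buffer.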