1995-09-26 - Re: WSJ on Netscape Hole 3
Header Data
From: Matthew James Sheppard <Matthew.Sheppard@Comp.VUW.AC.NZ>
To: cypherpunks@toad.com
Message Hash: 24c3a90da5bd494d526480281e8712a6a257cf6bee444db1910145d0ac8c630c
Message ID: <199509260102.NAA09663@bats.comp.vuw.ac.nz>
Reply To: <199509252300.QAA29812@infinity.c2.org>
UTC Datetime: 1995-09-26 13:29:22 UTC
Raw Date: Tue, 26 Sep 95 06:29:22 PDT
Raw message
From: Matthew James Sheppard <Matthew.Sheppard@Comp.VUW.AC.NZ>
Date: Tue, 26 Sep 95 06:29:22 PDT
To: cypherpunks@toad.com
Subject: Re: WSJ on Netscape Hole 3
In-Reply-To: <199509252300.QAA29812@infinity.c2.org>
Message-ID: <199509260102.NAA09663@bats.comp.vuw.ac.nz>
MIME-Version: 1.0
Content-Type: text/plain
The shadowy figure took form and announced "I am sameer and I say ...
> > On Mon, 25 Sep 1995, John Young wrote:
> >
> > > The Wall Street Journal, September 25, 1995, p. B12.
> >
> > > Marc Andreessen, vice president of technology at Netscape,
> > > said the company will issue fixes for the recent glitches
> > > later this week. He added that it's unclear whether
> > > anything other than temporarily crashing a user's computer
> > > could result trom the recent flaw.
> >
> > Oh Marc, you didn't really want to say that, did you?
> >
> > -Thomas
>
> He's -asking- for an exploit. Tshirts to Ray and the person who
> does the exploit, if it gets written. Maybe I should just ring up 8lgm and
> have them do one.
It isn't simple, you need to know the absolute address of where the
supplied code will be and alter the return address on the stack to
that address.
With NCSA HTTPD 1.3 and with fingerd (re internet worm) the stack was
always in a known state when the buffer overwrite occurred, thus the
absolute address of attacking code is static and placed at the correct
stack location.
With Netscape 1.1 the state of the stack is much more dynamic, in
particular the user can be viewing documents at an arbitary depth in
the "web tree", each recursion will increase the stack pointer (or
decrease with some architectures) There is no way of knowing for
certain where you code will end up and thus no way to reliably alter
the return address on the stack to execute your arbitary code.
You could always gamble on popular states, like when the first url
fetched by the browser. Also you could direct execution to any
routine in the netscape binary (with unknown arguments) . The most
detrimental offhand would be deleting the bookmarks file (whoopee) And
with Netscape 2 comming RSN I wouldn't waste too much time.
--
<URL:http://www.comp.vuw.ac.nz/~matt>
|~ |~
|~ o| o|
('< o|
,',)
''<<
---""---
Thread
Return to September 1995
- Return to “Matthew James Sheppard <Matthew.Sheppard@Comp.VUW.AC.NZ>”
- Return to “Ray Cromwell <rjc@clark.net>”
Return to “sameer <sameer@c2.org>”
- Unknown thread root
- 1995-09-25 (Mon, 25 Sep 95 16:06:25 PDT) - Re: WSJ on Netscape Hole 3 - sameer <sameer@c2.org>
- 1995-09-26 (Tue, 26 Sep 95 06:29:22 PDT) - Re: WSJ on Netscape Hole 3 - Matthew James Sheppard <Matthew.Sheppard@Comp.VUW.AC.NZ>
- 1995-09-27 (Wed, 27 Sep 95 02:21:27 PDT) - Re: WSJ on Netscape Hole 3 - Ray Cromwell <rjc@clark.net>
- 1995-09-26 (Tue, 26 Sep 95 06:29:22 PDT) - Re: WSJ on Netscape Hole 3 - Matthew James Sheppard <Matthew.Sheppard@Comp.VUW.AC.NZ>
- 1995-09-25 (Mon, 25 Sep 95 16:06:25 PDT) - Re: WSJ on Netscape Hole 3 - sameer <sameer@c2.org>