From: sameer <sameer@c2.org>
To: rjc@clark.net (Ray Cromwell)
Message Hash: 35bdaf8dee5e39c2c403e23a278a529f4396d63a5ccc7c243b5748c6679cf7f0
Message ID: <199509221823.LAA19265@infinity.c2.org>
Reply To: <199509221713.NAA11980@clark.net>
UTC Datetime: 1995-09-22 18:28:44 UTC
Raw Date: Fri, 22 Sep 95 11:28:44 PDT
From: sameer <sameer@c2.org>
Date: Fri, 22 Sep 95 11:28:44 PDT
To: rjc@clark.net (Ray Cromwell)
Subject: Re: Another Netscape Bug (and possible security hole)
In-Reply-To: <199509221713.NAA11980@clark.net>
Message-ID: <199509221823.LAA19265@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain
Suggestion: Once you figure out how to exploit it for a
particular platform write a cgi-script which checks the USER_AGENT (or
whatever it is called) environment variable to make sure the netscape
that has reached your exploit is the same platform as the exploit was
written for.
>
> Perry writes:
> > > These buffer overflow bugs should be taught in every programming
> > > 101 course along with fencepost errors.
> > >
> > > I'm not even sure if I want to write the obligatory program to exploit
> > > the hack given that some malicious jerk would probably use it
> > > on his home page to attack people.
> >
> > The problem is that if you don't produce a (benign) exploit people
> > aren't going to take it seriously enough.
>
> Yeah, I guessed that. I'll work on it, I have a few doubts I have
> to research first. For instance, how to embed code in the domain that
> 1) server/client processing won't "cook" and 2) contains no isolated
> zero bytes which would null terminate the string.
>
> My current idea is to look in Netscape for an "exec" routine,
> and call it passing a "/bin/csh" to it.
>
> Irregardless, it's a nasty bug given that you can crash anyone's
> netscape. And on Mac/Win3.1, it may even require a reboot.
>
> -Ray
>
>
>
>
>
>
>
>
--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
An Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org (or login as "guest") sameer@c2.org
Return to September 1995
Return to “sameer <sameer@c2.org>”