1995-09-20 - Re: netscape bug

Header Data

From: “Perry E. Metzger” <perry@piermont.com>
To: “Vladimir Z. Nuri” <vznuri@netcom.com>
Message Hash: 722569a587a9eabdfc60b2c2382a50143d42dfd6e33bfa209b0ca9eae6051f91
Message ID: <199509202002.QAA05425@frankenstein.piermont.com>
Reply To: <199509201855.LAA17261@netcom16.netcom.com>
UTC Datetime: 1995-09-20 20:04:05 UTC
Raw Date: Wed, 20 Sep 95 13:04:05 PDT

Raw message

From: "Perry E. Metzger" <perry@piermont.com>
Date: Wed, 20 Sep 95 13:04:05 PDT
To: "Vladimir Z. Nuri" <vznuri@netcom.com>
Subject: Re: netscape bug
In-Reply-To: <199509201855.LAA17261@netcom16.netcom.com>
Message-ID: <199509202002.QAA05425@frankenstein.piermont.com>
MIME-Version: 1.0
Content-Type: text/plain



"Vladimir Z. Nuri" writes:
> none of the articles mention that the cracker must have login access
> to the computer that the random numbers are generated on. is this true?
> does the code require knowledge of the PID etc. that can only be obtained
> by a login to the system that the netscape session is running on?

You can guess the PID without much trouble -- they are 15 bit numbers.

> P.M. notes that anywhere there is a data-driven buffer overflow (which
> he suspects are all over netscape) he can get code to execute anything
> he wants. this reminds me of the
> Morris internet worm that ran exactly the same way.

That was one of the first wide exploits of the trick, yes.

> my question: I have not seen the specifics of how this works. does
> this require specialized knowledge of the native machine language on the 
> host machine?

Yes. However, its very straightforward to do.

The recent syslog(3) problem was of this nature, by the way.

Perry





Thread