From: patrick@Verity.COM (Patrick Horgan)
To: vznuri@netcom.com
Message Hash: 9b0e8c812db6fdf658f49de333e9460805d889c622ad8182e9dd6b9028a28f6c
Message ID: <9509211634.AA18472@cantina.verity.com>
Reply To: N/A
UTC Datetime: 1995-09-21 16:38:36 UTC
Raw Date: Thu, 21 Sep 95 09:38:36 PDT
From: patrick@Verity.COM (Patrick Horgan)
Date: Thu, 21 Sep 95 09:38:36 PDT
To: vznuri@netcom.com
Subject: Re: netscape bug
Message-ID: <9509211634.AA18472@cantina.verity.com>
MIME-Version: 1.0
Content-Type: text/plain
Vlad Nuri said (with some exerpting)
>
> none of the articles mention that the cracker must have login access
> to the computer that the random numbers are generated on. is this true?
> does the code require knowledge of the PID etc. that can only be obtained
> by a login to the system that the netscape session is running on?
It's been noted on this list before that some programs give uid information
out...sendmail comes to mind...this GREATLY narrows the search for a pid.
> P.M. notes that anywhere there is a data-driven buffer overflow (which
> he suspects are all over netscape) he can get code to execute anything
> he wants. this reminds me of the
> Morris internet worm that ran exactly the same way. it used a
> bug in the finger demon that caused a string buffer overwrite
> (via strcpy, instead of strncpy) to execute customized code.
>
> my question: I have not seen the specifics of how this works. does
> this require specialized knowledge of the native machine language on the
> host machine? or is it just used to cause something like a core dump
> to get a command line or something like that?
It requires knowledge of how the stack is set up and of assembler for the
target. Most people in computer science know at least one assembler and
could easily add enough of another to launch an attack like this. I did
one once to attack one of my programs as an example for a class. Please
don't overestimate the difficulty of this attack or underestimate the
number of folks out there that are qualified to launch it. It's just that
most of us would rather be writing constructive code:)
Patrick
_______________________________________________________________________
/ These opinions are mine, and not Verity's (except by coincidence;). \
| (\ |
| Patrick J. Horgan Verity Inc. \\ Have |
| patrick@verity.com 1550 Plymouth Street \\ _ Sword |
| Phone : (415)960-7600 Mountain View \\/ Will |
| FAX : (415)960-7750 California 94303 _/\\ Travel |
\___________________________________________________________\)__________/
Return to September 1995
Return to “patrick@Verity.COM (Patrick Horgan)”
1995-09-21 (Thu, 21 Sep 95 09:38:36 PDT) - Re: netscape bug - patrick@Verity.COM (Patrick Horgan)