1995-09-21 - Re: netscape bug

Header Data

From: patrick@Verity.COM (Patrick Horgan)
To: vznuri@netcom.com
Message Hash: 9b0e8c812db6fdf658f49de333e9460805d889c622ad8182e9dd6b9028a28f6c
Message ID: <9509211634.AA18472@cantina.verity.com>
Reply To: N/A
UTC Datetime: 1995-09-21 16:38:36 UTC
Raw Date: Thu, 21 Sep 95 09:38:36 PDT

Raw message

From: patrick@Verity.COM (Patrick Horgan)
Date: Thu, 21 Sep 95 09:38:36 PDT
To: vznuri@netcom.com
Subject: Re: netscape bug
Message-ID: <9509211634.AA18472@cantina.verity.com>
MIME-Version: 1.0
Content-Type: text/plain


Vlad Nuri said (with some exerpting)

> 
> none of the articles mention that the cracker must have login access
> to the computer that the random numbers are generated on. is this true?
> does the code require knowledge of the PID etc. that can only be obtained
> by a login to the system that the netscape session is running on?

It's been noted on this list before that some programs give uid information
out...sendmail comes to mind...this GREATLY narrows the search for a pid.

> P.M. notes that anywhere there is a data-driven buffer overflow (which
> he suspects are all over netscape) he can get code to execute anything
> he wants. this reminds me of the
> Morris internet worm that ran exactly the same way. it used a
> bug in the finger demon that caused a string buffer overwrite
> (via strcpy, instead of strncpy) to execute customized code.
> 
> my question: I have not seen the specifics of how this works. does
> this require specialized knowledge of the native machine language on the 
> host machine? or is it just used to cause something like a core dump
> to get a command line or something like that?

It requires knowledge of how the stack is set up and of assembler for the
target.  Most people in computer science know at least one assembler and
could easily add enough of another to launch an attack like this.  I did
one once to attack one of my programs as an example for a class.  Please
don't overestimate the difficulty of this attack or underestimate the 
number of folks out there that are qualified to launch it.  It's just that
most of us would rather be writing constructive code:)

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  patrick@verity.com        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel | 
  \___________________________________________________________\)__________/





Thread