1995-09-30 - Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd)

Header Data

From: Ray Cromwell <rjc@clark.net>
To: sameer@c2.org (sameer)
Message Hash: aa244ea0bfc906d65bee80a395a606f6c8918317b9560e02627e85525c35ae66
Message ID: <199509301557.LAA03540@clark.net>
Reply To: <199509290559.WAA24563@infinity.c2.org>
UTC Datetime: 1995-09-30 15:57:58 UTC
Raw Date: Sat, 30 Sep 95 08:57:58 PDT

Raw message

From: Ray Cromwell <rjc@clark.net>
Date: Sat, 30 Sep 95 08:57:58 PDT
To: sameer@c2.org (sameer)
Subject: Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd)
In-Reply-To: <199509290559.WAA24563@infinity.c2.org>
Message-ID: <199509301557.LAA03540@clark.net>
MIME-Version: 1.0
Content-Type: text/plain


> 
> Forwarded message:
> From owner-bugtraq@crimelab.com  Thu Sep 28 19:58:59 1995
> Approved-By: CHASIN@CRIMELAB.COM
> X-Mailer: ELM [version 2.4 PL23]
> Content-Type: text
> Approved-By:  Neil Woods <neil@LEGLESS.DEMON.CO.UK>
> Message-ID:  <199509280324.EAA19959@legless.demon.co.uk>
> Date:         Thu, 28 Sep 1995 04:24:06 +0100
> Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
> Sender: Bugtraq List <BUGTRAQ@crimelab.com>
> From: Neil Woods <neil@legless.demon.co.uk>
> Subject:      Re: Ray Cromwell: Another Netscape Bug (and possible security
> X-To:         BUGTRAQ@CRIMELAB.COM
> X-cc:         8lgm@bagpuss.demon.co.uk
> To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
> In-Reply-To:  <199509260045.OAA12377@hookomo.aloha.net> from "Timothy Newsham"
>               at Sep 25, 95 02:45:26 pm
> 
> >
> > > >On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
> > > >fault and subsequent coredump. GDB reports nothing useable (stripped
> > > >executable)
> > >
> > >   I cannot reproduce this bug on the following platforms:
> > >
> > >         Solaris 2.5 beta/Netscape 1.1N
> >
> > I've reproduced it fine under sol2.4 1.1N.  The page
> > I tested from is http://www.aloha.net/~newsham/test.html.
> > Simply click on the long test url and core dump.
> > (You can view source before clicking to see what you
> > are clicking on if you dont trust me :)
> >
> > > Howard Owen hbo@octel.com   Octel Communications Corporation  1024/DC671C31 =
> >
> 
> Ive tried this url, it does indeed core dump.
> 
> Just had a quick look at the core.  From first impressions, it's a global
> overwrite.  Therefore we're not overwriting a flushed stack frame, so a
> syslog(3) style exploit is impossible.
> 
> Global overwrites can be exploited, but due to the scenario we're looking
> at, I'd consider exploit chances to be very low indeed.

   Its not a global overwrite on my system. It is very definately a stack
frame overwrite. Ive already put code ony my stack using a URL
so I know its a stack problem.





Thread