1995-09-29 - Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd)
Header Data
From: sameer <sameer@c2.org>
To: cypherpunks@toad.com
Message Hash: e7c8b0f221f8c22491b2776c4e576f278c46379359acddbd0611ce46f12a0e5e
Message ID: <199509290559.WAA24563@infinity.c2.org>
Reply To: N/A
UTC Datetime: 1995-09-29 06:04:10 UTC
Raw Date: Thu, 28 Sep 95 23:04:10 PDT
Raw message
From: sameer <sameer@c2.org>
Date: Thu, 28 Sep 95 23:04:10 PDT
To: cypherpunks@toad.com
Subject: Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd)
Message-ID: <199509290559.WAA24563@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain
Forwarded message:
From owner-bugtraq@crimelab.com Thu Sep 28 19:58:59 1995
Approved-By: CHASIN@CRIMELAB.COM
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Approved-By: Neil Woods <neil@LEGLESS.DEMON.CO.UK>
Message-ID: <199509280324.EAA19959@legless.demon.co.uk>
Date: Thu, 28 Sep 1995 04:24:06 +0100
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
Sender: Bugtraq List <BUGTRAQ@crimelab.com>
From: Neil Woods <neil@legless.demon.co.uk>
Subject: Re: Ray Cromwell: Another Netscape Bug (and possible security
X-To: BUGTRAQ@CRIMELAB.COM
X-cc: 8lgm@bagpuss.demon.co.uk
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
In-Reply-To: <199509260045.OAA12377@hookomo.aloha.net> from "Timothy Newsham"
at Sep 25, 95 02:45:26 pm
>
> > >On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
> > >fault and subsequent coredump. GDB reports nothing useable (stripped
> > >executable)
> >
> > I cannot reproduce this bug on the following platforms:
> >
> > Solaris 2.5 beta/Netscape 1.1N
>
> I've reproduced it fine under sol2.4 1.1N. The page
> I tested from is http://www.aloha.net/~newsham/test.html.
> Simply click on the long test url and core dump.
> (You can view source before clicking to see what you
> are clicking on if you dont trust me :)
>
> > Howard Owen hbo@octel.com Octel Communications Corporation 1024/DC671C31 =
>
Ive tried this url, it does indeed core dump.
Just had a quick look at the core. From first impressions, it's a global
overwrite. Therefore we're not overwriting a flushed stack frame, so a
syslog(3) style exploit is impossible.
Global overwrites can be exploited, but due to the scenario we're looking
at, I'd consider exploit chances to be very low indeed.
Cheers,
Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.
...like a badger with an afro throwing sparklers at the Pope...
--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
An Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org (or login as "guest") sameer@c2.org
Thread
Return to September 1995
- Return to “Ray Cromwell <rjc@clark.net>”
Return to “sameer <sameer@c2.org>”
- 1995-09-29 (Thu, 28 Sep 95 23:04:10 PDT) - Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd) - sameer <sameer@c2.org>
- 1995-09-30 (Sat, 30 Sep 95 08:57:58 PDT) - Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd) - Ray Cromwell <rjc@clark.net>