From: Ray Cromwell <rjc@clark.net>
To: cman@communities.com (Douglas Barnes)
Message Hash: ec77f9421560f4a2f42e60a548e56371b29e11665242c4dbdb045e9ddb5d2cc9
Message ID: <199509222018.QAA11163@clark.net>
Reply To: <v02120d01ac88cf556dd4@[199.2.22.120]>
UTC Datetime: 1995-09-22 20:19:13 UTC
Raw Date: Fri, 22 Sep 95 13:19:13 PDT
From: Ray Cromwell <rjc@clark.net>
Date: Fri, 22 Sep 95 13:19:13 PDT
To: cman@communities.com (Douglas Barnes)
Subject: Re: Another Netscape Bug (and possible security hole)
In-Reply-To: <v02120d01ac88cf556dd4@[199.2.22.120]>
Message-ID: <199509222018.QAA11163@clark.net>
MIME-Version: 1.0
Content-Type: text/plain
>
>
> Spent too much time last night playing with the Netscape bug;
> among other things wrote some code to throw various random binary
> URLs at Netscape. Netscape seems prepared to swallow the bait
> as long as the URL does _not_ contain characters screened as
> follows:
>
> if ((c != '"') && (c!='>') && (c!=0) && (c!='/') ) {
>
> This means you can't plant 0x00, 0x22, 0x3e or 0x2f.
Did you check 0x20 and 0xa0? (space and shift-space) I'm sure
that a space will terminate the href in <a>.
I've been playing around with Netscape today and I achieved two
things. First, I've isolated a routine very near to where it crashes
(if I set a breakpoint in GDB, it only hits the breakpoint when a domain
is looked up by any method) Secondly, even without disassembly I've been
able to place an exact value in the PC register (0x61616161). Now,
all that's left is to 1) find out where the stack pointer is,
2) make the PC point to some area near the stack pointer, and 3)
create some code which does a syscall on execve with "xterm" as
the argument, with the restriction that it cannot contain any of the
above illegal codes. #3 is the hardest for me since I've never done
assembly under BSDI but I assume it's some sort of trap call I need
to do.
Once all that is done, just package it up into a URL and you are set
to wreak havoc.
If someone else exploits the hole before I do, I would urge you not to
reveal the exact implementation to any mailing lists for the simple
reason that even a benign exploitation can be easily modified to be
dangerous. Security through obscurity, I know, but think about it.
Once you have the URL, anyone can exploit the bug by pasting it into
their home page. And with the way the net works, this would probably
seem "cool" to most people and it would spread like wildfire. If
you don't reveal the implementation, then perhaps that will buy enough
time for most users to upgrade to Netscape 2.0 before crackers start
exploiting it.
[this bug is far more dangerous than the RNG bug or the 40-bit crypto]
-Ray
Return to September 1995
Return to “sameer <sameer@c2.org>”