Bugtraq mailing list archives

Netscape 4.x buffer overflow


From: vision () WHITEHATS COM (Max Vision)
Date: Mon, 18 Oct 1999 17:46:26 -0700


I have found a buffer overflow in Netscape Communicator probably affecting
all versions.  The problem occurs when Communicator attempts to load any
dynamic font where the length field is shorter than the font data area.  I
have tested this on 4.61 and 4.7 under Windows.  Netscape has been
notified of the problem and expect a fix for 4.8.

As the problem manifests during the loading of a dynamic font, any portion
of the font data that exceeds the specified size of the font triggers the
problem.  Thus, the potential for widespread DoS attacks via email.  I
suspect, but have not pursued, the possibility of exploiting the overflow
to execute arbitrary code.

[ Note: I originally submitted this issue to bugtraq October 8th, but it
was not posted.  The above two paragraphs are *exactly* the same as
another accepted post "Netscape 4.x buffer overflow" except I replaced
"key length" with "dynamic fonts" and it is equally valid.  For more
information and a sample exploit see
http://www.whitehats.com/browsers/maxvisioncrash47/index.html ]

Max Vision

On Fri, 15 Oct 1999, Michael Breuer wrote:
I have found a buffer overflow in Netscape Communicator probably
affecting all versions. The problem occurs when Communicator attempts
to validate any key where the key length is > 2k.  I have tested this
on 4.61 and 4.7, unix (Irix) and Windows.  Netscape has been notified
of the problem and expect a fix for 4.8.

As the problem manifests during the check of the key, any portion of
the key chain which has a key > 2k triggers the problem.  Thus, the
potential for widespread DoS attacks via email.  I suspect, but have
not pursued, the possibility of exploiting the overflow to execute
arbitrary code.

-- Michael Breuer mbreuer () siac com
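The fault pattern the post describes, a record whose declared length disagrees with the size of the data that actually follows it, is illustrated below in an added example that is not code from the post or from Netscape: the record layout (a 4-byte big-endian length field ahead of the data area), the function names and the sample records are all hypothetical constructions, and the checks show how a loader rejects the mismatch instead of sizing a buffer by one value and copying by the other.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout, for illustration only: a 4-byte big-endian
 * length field followed by the data area. total_len is how many bytes the
 * loader really received; the length field is untrusted input. */
enum rec_status { REC_OK, REC_TRUNCATED_HEADER, REC_TOO_SHORT, REC_EXTRA_DATA };

/* Compare the declared length with the bytes actually present.
 * REC_EXTRA_DATA is the mismatch the post describes: the length field is
 * shorter than the data area, so a loader that allocates by the field but
 * copies by the data area writes past its buffer. */
enum rec_status check_record(const uint8_t *buf, size_t total_len, size_t *data_len)
{
    if (total_len < 4) return REC_TRUNCATED_HEADER;
    uint32_t declared = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                        ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];
    size_t actual = total_len - 4;
    if (declared > actual) return REC_TOO_SHORT;   /* field claims more than was received */
    if (declared < actual) return REC_EXTRA_DATA;  /* field claims less than was received */
    if (data_len) *data_len = actual;
    return REC_OK;
}

/* Copy the data area into dst only when both sizes agree and fit dst.
 * Returns the number of bytes copied, 0 when the record is rejected. */
size_t load_record(const uint8_t *buf, size_t total_len, uint8_t *dst, size_t dst_cap)
{
    size_t n = 0;
    if (check_record(buf, total_len, &n) != REC_OK || n > dst_cap) return 0;
    memcpy(dst, buf + 4, n);
    return n;
}

/* Constructed sample records (not real font data) and a fixed destination. */
static const uint8_t REC_GOOD[]        = {0, 0, 0, 4, 'A', 'B', 'C', 'D'};  /* field 4, data 4 */
static const uint8_t REC_SHORT_FIELD[] = {0, 0, 0, 2, 'A', 'B', 'C', 'D'};  /* field 2, data 4 */
static const uint8_t REC_LONG_FIELD[]  = {0, 0, 0, 16, 'A', 'B'};           /* field 16, data 2 */
static uint8_t g_out[16];

int main(void)
{
    printf("good: %zu bytes\n", load_record(REC_GOOD, sizeof REC_GOOD, g_out, sizeof g_out));
    printf("short field: %zu bytes\n", load_record(REC_SHORT_FIELD, sizeof REC_SHORT_FIELD, g_out, sizeof g_out));
    printf("long field: %zu bytes\n", load_record(REC_LONG_FIELD, sizeof REC_LONG_FIELD, g_out, sizeof g_out));
    return 0;
}
```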
