Bugtraq mailing list archives
Netscape 4.x buffer overflow
From: vision () WHITEHATS COM (Max Vision)
Date: Mon, 18 Oct 1999 17:46:26 -0700
I have found a buffer overflow in Netscape Communicator probably affecting all versions. The problem occurs when Communicator attempts to load any dynamic font where the length field is shorter than the font data area. I have tested this on 4.61 and 4.7 under Windows. Netscape has been notified of the problem and expect a fix for 4.8.

As the problem manifests during the loading of a dynamic font, any portion of the font data that exceeds the specified size of the font triggers the problem. Thus, the potential for widespread DoS attacks via email. I suspect, but have not pursued, the possibility of exploiting the overflow to execute arbitrary code.

[ Note: I originally submitted this issue to bugtraq October 8th, but it was not posted. The above two paragraphs are *exactly* the same as another accepted post "Netscape 4.x buffer overflow" except I replaced "key length" with "dynamic fonts" and it is equally valid. For more information and a sample exploit see http://www.whitehats.com/browsers/maxvisioncrash47/index.html ]

Max Vision

On Fri, 15 Oct 1999, Michael Breuer wrote:

I have found a buffer overflow in Netscape Communicator probably affecting all versions. The problem occurs when Communicator attempts to validate any key where the key length is > 2k. I have tested this on 4.61 and 4.7, unix (Irix) and Windows. Netscape has been notified of the problem and expect a fix for 4.8.

As the problem manifests during the check of the key, any portion of the key chain which has a key > 2k triggers the problem. Thus, the potential for widespread DoS attacks via email. I suspect, but have not pursued, the possibility of exploiting the overflow to execute arbitrary code.

--
Michael Breuer
mbreuer () siac com