Full Disclosure mailing list archives

Netscape Problems.


From: zen-parse <zen-parse () gmx net>
Date: Tue, 26 Nov 2002 19:17:56 +1300 (NZDT)

In a message on Bugtraq, Last Stage of Delirium wrote:
(http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html)

We can understand why there was no response from Netscape since the
three[1][3][4] vulnerabilities affecting Netscape web browser were
submitted to the Netscape Bug Bounty program which entitles 1000 USD for
a security bug in Netscape Communicator to its founder. Netscape seems
to be another American company that does not seem to be fulfilling
public obligations made through company's web pages
(http://home.netscape.com/security/bugbounty.html). While we were
waiting for Netscape's response to our vulnerability report, Netscape
changed(!) Reward Guidelines of the Bug Bounty program so that now only
bugs in Netscape 7.x are rewarded (previously both latest 6.x and 4.8
versions were taken into account). Nice move, huh ?

You might want to see the September 13 email reference below, and then
maybe you could still hold some hope out. Maybe. A little. Or something.)



This email was written on Tuesday 26 November, 6.55pm NZDT.

As of this time, I have yet to receive any confirmation that I would be 
getting any of the offered Bug Bounty. I have been informed I am eligible, 
however, 

bash-2.04$ egrep '^From: bugzilla-daemon () mozilla org$' mail/Bugz|wc -l
90
bash-2.04$

90 Messages related to the following bugs dated between

List of bugs and bugzilla.mozilla.org bug names:

PNG1       - 155222 - width integer overflow
PNG2       - ?????? - alpha size integer overflow
JAR1       - 157646 - Incorrect uncompressed size causes heap corruption
Javascript - 157652 - sort() and size integer overflow
GIF        - 157989 - 0 width GIF

Another bug not mentioned.

And I can't remember if I have told them about the integer overflow in the 
pop3 mail handler,

mozilla/mailnews/local/src/nsPop3Protocol.cpp:
...
         PR_CALLOC(sizeof(Pop3MsgInfo) * m_pop3ConData->number_of_messages);
...

where m_pop3ConData->number_of_messages is a server supplied value, and
sizeof(Pop3MsgInfo) is 8.

How would this be exploitable? Well, if someone offered free email with
POP3 access, there would be at least some people who would take advantage
of it. A malicious server could then potentially take over the running
instance of Netscape/Mozilla.

(gdb) print/u 8 * 536870912 
$1 = 0
(gdb) 
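The following is an added example, not code from the post or from Mozilla's nsPop3Protocol.cpp. It reproduces the arithmetic in the gdb line above in 32-bit unsigned math and puts a checked multiply beside it, the form a caller would want before handing a server-supplied count to a single-size allocator like the PR_CALLOC call quoted above. The Pop3MsgInfo layout and the alloc_msg_info() helper are assumptions; the struct is only sized to match the 8 bytes the post states.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for Mozilla's Pop3MsgInfo; the post states that
 * sizeof(Pop3MsgInfo) is 8, so this constructed layout matches that size. */
typedef struct {
    uint32_t size;
    uint32_t flags;
} Pop3MsgInfo;

/* The unchecked product, done in 32-bit unsigned arithmetic as on the
 * Netscape-era targets in the post: 8 * 536870912 wraps to 0, so an
 * allocator asked for that many bytes hands back a zero-length buffer
 * while the caller still believes it holds 536870912 entries. */
uint32_t unchecked_alloc_size_u32(uint32_t elem_size, uint32_t count)
{
    return elem_size * count;   /* silently wraps modulo 2^32 */
}

/* Hardened 32-bit form: reject any count whose product would not fit.
 * Returns true and stores the byte count on success, false on overflow. */
bool checked_alloc_size_u32(uint32_t elem_size, uint32_t count, uint32_t *out)
{
    if (elem_size != 0 && count > UINT32_MAX / elem_size)
        return false;
    *out = elem_size * count;
    return true;
}

/* The same check in the platform's native size_t, for current builds. */
bool checked_alloc_size(size_t elem_size, size_t count, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return false;
    *out = elem_size * count;
    return true;
}

/* Hypothetical replacement for the PR_CALLOC call: the server-supplied
 * message count is bounded before any allocation happens, and an
 * overflowing count yields NULL instead of an undersized buffer. */
Pop3MsgInfo *alloc_msg_info(size_t number_of_messages)
{
    size_t bytes;
    if (!checked_alloc_size(sizeof(Pop3MsgInfo), number_of_messages, &bytes))
        return NULL;
    return (Pop3MsgInfo *)calloc(1, bytes);
}

int main(void)
{
    uint32_t bytes32;
    /* Constructed value, taken from the gdb line in the post. */
    const uint32_t hostile_count = 536870912u;

    printf("unchecked: 8 * %u = %u\n", hostile_count,
           unchecked_alloc_size_u32(8, hostile_count));
    printf("checked:   %s\n",
           checked_alloc_size_u32(8, hostile_count, &bytes32) ? "accepted"
                                                              : "rejected");

    Pop3MsgInfo *infos = alloc_msg_info(3);
    if (infos) {
        printf("3 messages -> %zu bytes\n", 3 * sizeof(Pop3MsgInfo));
        free(infos);
    }
    return 0;
}
```

The division-based test is the portable way to detect the wrap without relying on compiler builtins. Where the allocator takes count and element size as separate arguments, as calloc(n, size) does, the allocator performs this check itself; the single-size form quoted above leaves the product, and therefore the check, to the caller.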

If I told them about this, I never saw any email about it afterwards.
(I believe this is similar to:

http://online.securityfocus.com/bid/3164/discussion/

but I haven't looked at that bug, so I may be wrong.)


Netscape story
==============

Fixes:

 PNG1 & PNG2 were fixed with one extra check in 1.0.1/1.1

 JAR1 is/will be fixed in Mozilla 1.2(beta?)

 Javascript potentially exploitable problem was fixed, however not shown 
 to be definitely exploitable, however that does not mean it definitely is. 
 (Look at the source and see if you can work out how to. Need to 'guess' 
 where the sort is going to place things and need to cause the offsets it
 moves to be the places you need them to be.) (fixed 1.0.1/1.1)

 GIF has had exploit method released, fixed in Mozilla 1.0.1 and 1.1, I 
 believe. The shellcode may be helpful. (The shellcode is not optimal, but 
 at least it tends to work in a threaded environment.) (fixed 1.0.1/1.1(?))


Interesting parts of communications regarding these bugs.

[Please note: some dates below may be approximate due to timezone
differences in the headers. Sorry.]

June 29
=======
Completed writeup of heap corruption in Netscape and Mozilla, via PNG.

June 30
=======
Reported PNG via Netscape Security Bug form.

July 1
======
Bug added to bugzilla.mozilla.org

[Bug 155222] Heap corruption in PNG library
http://bugzilla.mozilla.org/show_bug.cgi?id=155222

July 7
======
Notified Microsoft of potential problem in Javascript sort() method.
(Netscape was notified on the same day, I believe.)

July 9
======
Microsoft replies with regard to Javascript.

July 13 
======= 
Microsoft closes off on JS bug. Patch becomes available eventually, as 
threat was not seen as high by Microsoft.

+++++++

Netscape informed of second PNG bug/exploit method.

== Sent ==
 Date: Sat, 13 Jul 2002 04:04:56 +1200 (NZST)
 From: zen-parse <zen-parse () gmx net>
 To: Mitchell Stoltz <mstoltz () netscape com>
 Subject: exploitable heap corruption via PNG Alpha data

(Different section of code, however, similar root cause.)

July 17
=======
Fix checked into 1.0.1 tree for bug 155222. (Initial PNG bug.)
Notified Netscape for GIF zero width bug vuln.

August 5
========
[An update for 155222]
------ Additional Comments From randeg () alum rpi edu  2002-08-05 06:16 -------
Since this bug was discussed publicly in the libpng mailing lists
and is described and fixed publicly in libpng-1.2.4/1.0.14,
perhaps it can be made a "public" Mozilla bug.

August 10
=========
Emailed Mitchell Stoltz <mstoltz () netscape com> with regards to resolution
time for other PNG bug and jar bugs.

August 12
=========
[Bug 157646] Possible heap corruption in libjar
http://bugzilla.mozilla.org/show_bug.cgi?id=157646

Added to CC list for bug. 

August 27
=========

Another bug reported, but not listed here. An exploitable bug in part of a
security check. More info later.

August 29
=========
[Bug 157989] Possible heap corruption with 0-width GIF
http://bugzilla.mozilla.org/show_bug.cgi?id=157989
[Bug 157652] Crash, possible heap corruption in JS Array.prototype.sort
http://bugzilla.mozilla.org/show_bug.cgi?id=157652

Added to CC list for bugs.

September 6
===========
Released details of Netscape/Mozilla/other browsers 0-width GIF bug.

== Sent ==
 Date: Fri, 6 Sep 2002 18:47:51 +1200 (NZST)
 From: zen-parse <zen-parse () gmx net>
 To: vuln-dev () securityfocus com, full-disclosure () lists netsys com,
      bugtraq () securityfocus com
 Subject: zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: 
          GIFs Good, Flash Executable Bad]
==
September 13
============
Queried about eligibility for Bug Bounty.

== Sent ==
 Date: Fri, 13 Sep 2002 23:54:58 +1200 (NZST)
 From: zen-parse <zen-parse () gmx net>
 To: Mitchell Stoltz <mstoltz () netscape com>
 Subject: Query regarding Bug Bounty Program

(re: http://wp.netscape.com/security/bugbounty.html )

Which of the bugs I have submitted would qualify for this?

At the time reported the version required was 6.x, and the .jar problems 
are still exploitable (by a slightly different method) in the latest 7.x 
version.
==

== Reply ==
All of the bugs you have sent us potentially qualify, since you sent 
them to us before we released Netscape 7 and they affected the most 
current version at the time (6.2). At this point, I'm still trying to 
determine how serious the impact of some of your bugs are - I'll let you 
know soon about the bounty award.
        Regards,
            Mitch
==

October 15
==========
30 days pass with no news on bug bounty. 

== Sent ==
 Date: Tue, 15 Oct 2002 04:43:30 +1300 (NZDT)
 From: zen-parse <zen-parse () gmx net>
 To: Mitchell Stoltz <mstoltz () netscape com>
 Subject: Re: Query regarding Bug Bounty Program

On Fri, 13 Sep 2002, Mitchell Stoltz wrote:

All of the bugs you have sent us potentially qualify, since you sent 
them to us before we released Netscape 7 and they affected the most 
current version at the time (6.2). At this point, I'm still trying to 
determine how serious the impact of some of your bugs are - I'll let you 
know soon about the bounty award.
        Regards,
            Mitch


Do you have a time frame for when this will be happening?

==

Received a reply the same day:
== Reply ==
Within the next few weeks. I'm actively working on that.
        -Mitch

==

November 13
===========
Almost another month passes before I decide to prompt some more.

== Sent ==
 Date: Wed, 13 Nov 2002 05:35:52 +1300 (NZDT)
 From: zen-parse <zen-parse () gmx net>
 To: Mitchell Stoltz <mstoltz () netscape com>
 Subject: Re: Query regarding Bug Bounty Program

Just checking if there is any update in the timeframe, or if there is
anything information you need that might help with determining the impact
of the issues I reported?

-- zen-parse

On Mon, 14 Oct 2002, Mitchell Stoltz wrote:

Within the next few weeks. I'm actively working on that.
        -Mitch
==


November 15 
=========== 
Release vulnerability details on jar: handler. This bug now has been known
for 4 months without a fix being publicly available.

November 20
===========
Bugzilla mail tells me:


== Received ==
 Date: Wed, 20 Nov 2002 13:06:42 -0800 (PST)
 From: bugzilla-daemon () mozilla org
 To: neuro () es co nz
 Subject: (that bug i mentioned about in August 27.)



bsharma () netscape com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
           Keywords|fixed1.0.2                  |verified1.0.2




------- Additional Comments From bsharma () netscape com  2002-11-20 13:06 -------
Verified on 2002-11-20-branch build on Linux. Loaded the attached test case and
the crash does not happen. The page shows up with the line streaks.

==

Looks like it is finally fixed.


November 21
===========
No reply received yet regarding money.

== Sent ==
 Date: Thu, 21 Nov 2002 15:52:35 +1300 (NZDT)
 From: zen-parse <zen-parse () gmx net>
 To: Mitchell Stoltz <mstoltz () netscape com>
 Subject: Re: Query regarding Bug Bounty Program (fwd)

Hello? Anyone there?

==


-- zen-parse

In case people haven't noticed yet, Open Source is not more secure.

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse () gmx net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html