Interesting People mailing list archives
IP: Holes in the Web
From: David Farber <farber () central cis upenn edu>
Date: Wed, 27 Sep 1995 04:39:41 -0400
From: Timothy Finin <finin () cs umbc edu>
Date: Tue, 26 Sep 1995 22:43:23 -0400
To: farber () central cis upenn edu
cc: sherman () cs umbc edu

Dave -- I was surprised to see that this latest security problem was discovered by one of our students at UMBC -- and an undergrad at that! He has been working with Alan Sherman on crypto and security stuff since last Spring.

Tim

_________________________________________________________________________

From: rcromw1 () umbc edu (Ray Cromwell)
Subject: Re: Netscape Found to Have Another Security Flaw
Date: 26 Sep 1995 20:43:43 -0400

What Jared didn't mention is that the bug also affects Mosaic, Arena, and IBM WebExplorer. I announced the bug Friday night on Cypherpunks, and immediately it was confirmed to work on Mac, Windows, SGI, HPUX, and 386 unix versions of Netscape 1.1N. Arena and Mosaic were found to have the same bug an hour or so later, and WebExplorer was confirmed today. I'm willing to bet the bug is also in AOL's TurboWeb and Netcom's NetCruiser.

Ironically, I was arguing against the possibility of a buffer overflow bug being in Netscape due to them using C++. I figured they'd be using a safe string class. To check my assertion, I fired up Netscape and 5 minutes later I found the bug. My rationale was that the programmers would think "no one would ever have a domain name that long" and hence would use fixed sized buffers.

This is a major security hole. The bugs in SSL and the Random number generator are minor since they don't affect you unless you buy something on the Web. Using this bug, a hacker could cause code to be executed on your system, for instance, performing an "rm -rf" on your home directory.
Here's something I posted today because I didn't see much talk of it on the internet outside of cypherpunks:

Article 41909 of sci.crypt:
Path: news.clark.net!news.clark.net!not-for-mail
From: rjc () clark net (Ray Cromwell)
Newsgroups: comp.infosystems.www.misc,sci.crypt,alt.security
Subject: Web Browser Bugs (security hole, be aware)
Date: 26 Sep 1995 19:59:51 -0400
Organization: Clark Internet Services, Inc.
Lines: 32
Message-ID: <44a45n$ago () clark net>
NNTP-Posting-Host: clark.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Xref: news.clark.net comp.infosystems.www.misc:38377 sci.crypt:41909 alt.security:29214

Last Friday I discovered a buffer overflow bug in Netscape which allows overlong URLs (long domain names) to overflow a buffer and put garbage on the process stack. [see article in the WSJ and NYT] Since then, other cypherpunks have verified that this bug exists in Mosaic and IBM's WebExplorer.

If you are the author of a Web Browser, please check your code for potential buffer overflows in the URL processing section. Especially any code that assumes a fixed sized domain name!

Although an exploit hasn't been produced yet, personally I have been able to modify the PC register on my machine using a special URL. All that's needed is to add some assembly code, and arbitrary instructions can be executed on anyone's browser that executes that URL.

In fact, it can hit you without even seeing it. If it was just a hyperlink in a document, you could look at it before you click on it and see that it is malformed. However, a server could just as easily return a malformed dangerous URL via server redirection, and you'd never see it coming.

If a working exploit is possible, this is a significant security hole. Imagine clicking on a URL and having it erase all your files, or infect you with a virus, or steal company information right through your firewall.
The reason I am posting this is because I haven't seen any alerts about it on other mailing lists or security groups.

-Ray
--
"Engineering is the implementation of science; Politics is the implementation of faith." - Zetetic Commentaries
Ray Cromwell <rcromw1 () gl umbc edu> (http://www.gl.umbc.edu/~rcromw1/)

------- end -------
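The post asks browser authors to audit their URL-parsing code for fixed-size domain-name buffers. The following C is an added illustration written for this archive page, not code from Ray Cromwell's post or from any of the browsers he names. It shows the unchecked copy-into-fixed-buffer pattern he describes beside a bounds-checked replacement that refuses an overlong host, plus a length check based on the DNS limits in RFC 1035 (63 octets per label, 253 characters for the whole name). `HOST_MAX`, the function names and the sample URLs are all assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed host buffer: the "no one would ever have a domain name
 * that long" assumption the post describes. */
#define HOST_MAX 64

/* Vulnerable pattern (illustrative only): the host part of "scheme://host/path"
 * is copied into a fixed array with no length check, so a host of HOST_MAX or
 * more bytes writes past the end of the array onto the stack. */
static void parse_host_unchecked(const char *url, char host[HOST_MAX]) {
    const char *start = strstr(url, "://");
    start = start ? start + 3 : url;
    size_t len = strcspn(start, "/:?#");
    memcpy(host, start, len);   /* unbounded copy: overflow when len >= HOST_MAX */
    host[len] = '\0';
}

/* Hardened version: the caller passes the buffer size, and a host that would
 * not fit is rejected outright rather than silently truncated.
 * Returns 0 on success, -1 if the host is too long for the buffer. */
int parse_host_checked(const char *url, char *host, size_t host_size) {
    const char *start = strstr(url, "://");
    start = start ? start + 3 : url;
    size_t len = strcspn(start, "/:?#");
    if (host_size == 0 || len >= host_size) {
        return -1;              /* would overflow: refuse the URL */
    }
    memcpy(host, start, len);
    host[len] = '\0';
    return 0;
}

/* Independent sanity check on a parsed host using the DNS limits from
 * RFC 1035: every label 1..63 octets, whole name at most 253 characters.
 * Returns 1 if the lengths are acceptable, 0 otherwise. */
int host_length_ok(const char *host) {
    size_t total = strlen(host);
    if (total == 0 || total > 253) return 0;
    size_t label = 0;
    for (const char *p = host; ; p++) {
        if (*p == '.' || *p == '\0') {
            if (label == 0 || label > 63) return 0;
            if (*p == '\0') break;
            label = 0;
        } else {
            label++;
        }
    }
    return 1;
}

/* Constructed sample input (not from the original post). */
static const char SAMPLE_OK[] = "http://www.umbc.edu/~rcromw1/";

/* A normal URL parses the same way with either routine. */
int demo_accepts_normal_host(void) {
    char host[HOST_MAX];
    if (parse_host_checked(SAMPLE_OK, host, sizeof host) != 0) return 0;
    if (!host_length_ok(host)) return 0;
    return strcmp(host, "www.umbc.edu") == 0;
}

/* A constructed URL with a 293-byte host: the checked parser refuses it
 * (the unchecked one would overflow, so it is deliberately not called). */
int demo_rejects_overlong_host(void) {
    char url[512];
    memset(url, 'a', sizeof url);
    memcpy(url, "http://", 7);
    url[300] = '/';
    url[301] = '\0';
    char host[HOST_MAX];
    return parse_host_checked(url, host, sizeof host) == -1;
}

int main(void) {
    char host[HOST_MAX];
    parse_host_unchecked(SAMPLE_OK, host);   /* safe only because the input is short */
    printf("unchecked parse of short URL: %s\n", host);
    printf("normal host accepted: %d\n", demo_accepts_normal_host());
    printf("overlong host rejected: %d\n", demo_rejects_overlong_host());
    return 0;
}
```

The two parsers differ only in the single comparison against `host_size`; that comparison is exactly what the post says was missing. Returning an error instead of truncating matters too: a silently shortened host would send the request to the wrong server, so rejecting the URL is the safer failure.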