Interesting People mailing list archives

IP: Holes in the Web


From: David Farber <farber () central cis upenn edu>
Date: Wed, 27 Sep 1995 04:39:41 -0400

From: Timothy Finin <finin () cs umbc edu>
Date: Tue, 26 Sep 1995 22:43:23 -0400
To: farber () central cis upenn edu
cc: sherman () cs umbc edu
Dave -- I was surprised to see that this latest security problem was
discovered by one of our students at UMBC -- and an undergrad at that!
He has been working with Alan Sherman on crypto and security stuff
since last Spring.  Tim
_________________________________________________________________________
From: rcromw1 () umbc edu (Ray Cromwell)
Subject: Re: Netscape Found to Have Another Security Flaw
Date: 26 Sep 1995 20:43:43 -0400


  What Jared didn't mention is that the bug also affects Mosaic,
Arena, and IBM WebExplorer. I announced the bug Friday night on
Cypherpunks, and immediately it was confirmed to work on
Mac, Windows, SGI, HPUX, and 386 unix versions of Netscape 1.1N.
Arena and Mosaic were found to have the same bug an hour or so
later, and WebExplorer was confirmed today. I'm willing to bet
the bug is also in AOL's TurboWeb and Netcom's NetCruiser.


  Ironically, I was arguing against the possibility of a buffer overflow
bug being in Netscape due to them using C++. I figured they'd be
using a safe string class. To check my assertion, I fired up Netscape
and 5 minutes later I found the bug. My rationale was that
the programmers would think "no one would ever have a domain name
that long" and hence would use fixed-sized buffers.


  This is a major security hole. The bugs in SSL and the Random
number generator are minor since they don't affect you unless
you buy something on the Web. Using this bug, a hacker could
cause code to be executed on your system, for instance,
performing an "rm -rf" on your home directory.
Here's something I posted today because I didn't see much talk of it on
the internet outside of cypherpunks
Article 41909 of sci.crypt:
Path: news.clark.net!news.clark.net!not-for-mail
From: rjc () clark net (Ray Cromwell)
Newsgroups: comp.infosystems.www.misc,sci.crypt,alt.security
Subject: Web Browser Bugs (security hole, be aware)
Date: 26 Sep 1995 19:59:51 -0400
Organization: Clark Internet Services, Inc.
Lines: 32
Message-ID: <44a45n$ago () clark net>
NNTP-Posting-Host: clark.net
Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Xref: news.clark.net comp.infosystems.www.misc:38377 sci.crypt:41909 alt.security:29214


  Last Friday I discovered a buffer overflow bug in Netscape which
allows overlong URLs (long domain names) to overflow a buffer
and put garbage on the process stack. [see article in the WSJ and NYT]
Since then, other cypherpunks have verified that this bug exists in
Mosaic and IBM's WebExplorer.


  If you are the author of a Web Browser, please check your code for
potential buffer overflows in the URL processing section. Especially
any code that assumes a fixed-size domain name!


  Although an exploit hasn't been produced yet, personally I have been
able to modify the PC register on my machine using a special URL. All
that's needed is to add some assembly code, and arbitrary instructions
can be executed on anyone's browser that executes that URL.


  In fact, it can hit you without even seeing it. If it was just a hyperlink
in a document, you could look at it before you click on it and see
that it is malformed. However, a server could just as easily return
a malformed dangerous URL via server redirection, and you'd never see
it coming.


  If a working exploit is possible, this is a significant security hole.
Imagine clicking on a URL and having it erase all your files, or
infect you with a virus, or steal company information right through
your firewall.

  The reason I am posting this, is because I haven't seen any alerts
about it on other mailing lists or security groups.


-Ray

--
"Engineering is the implementation of science;
 Politics is the implementation of faith." - Zetetic Commentaries
Ray Cromwell <rcromw1 () gl umbc edu> (http://www.gl.umbc.edu/~rcromw1/)


------- end -------
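Added example, not code from the original posts and not code from Netscape, Mosaic, Arena or WebExplorer. It shows the bug class Ray describes: a hostname taken from an attacker-chosen URL and copied into a fixed-size stack buffer, beside a bounded version that refuses overlong names, and a 302 redirect that delivers the overlong URL so the victim never sees it. The URL grammar is simplified to scheme://host[:port][/path]; the function names, buffer sizes and the sample HTTP response are this example's own assumptions, not facts about any browser named above.

```c
/* Added example, not from the original posts or any browser's source.
 * Names, sizes and the sample response below are this example's own. */
#include <stdio.h>
#include <string.h>

#define HOST_MAX 253   /* longest DNS name in text form (RFC 1035 limit) */

/* Points past "scheme://" if present, else at the start of the string. */
static const char *host_start(const char *url) {
    const char *p = strstr(url, "://");
    return p ? p + 3 : url;
}

/* Vulnerable shape: "no one would ever have a domain name that long", so the
 * name is copied into a 64-byte local with no length check. A name longer
 * than 63 bytes runs past host[] into the saved registers and return address
 * on the stack, which is how the PC register ends up under the attacker's
 * control. Never call this on untrusted input; it is kept to show the pattern. */
static void extract_host_unsafe(const char *url, char *out) {
    char host[64];
    const char *p = host_start(url);
    size_t n = strcspn(p, ":/");
    memcpy(host, p, n);          /* BUG: n is never compared with sizeof host */
    host[n] = '\0';
    strcpy(out, host);
}

/* Hardened shape: measure first, refuse anything longer than a legal hostname
 * or than the caller's buffer, and only then copy with an explicit bound.
 * Returns the host length, or -1 for an empty or overlong host. Refusing is
 * deliberate: silently truncating would let the rest of the URL be mis-parsed. */
int extract_host_safe(const char *url, char *out, size_t out_len) {
    const char *p = host_start(url);
    size_t n = strcspn(p, ":/");
    if (n == 0 || n > HOST_MAX || n >= out_len)
        return -1;
    memcpy(out, p, n);
    out[n] = '\0';
    return (int)n;
}

/* Convenience for callers that only need the verdict. */
int host_len_of(const char *url) {
    char host[HOST_MAX + 1];
    return extract_host_safe(url, host, sizeof host);
}

/* Builds "http://aaaa.../" with a host of host_len 'a' bytes, the kind of
 * probe used to find the overflow, and reports whether the safe parser
 * refuses it: 1 if refused, 0 if accepted, -1 if it does not fit the scratch buffer. */
int probe_rejected(size_t host_len) {
    char url[4096];
    if (host_len + 9 > sizeof url)
        return -1;
    memcpy(url, "http://", 7);
    memset(url + 7, 'a', host_len);
    memcpy(url + 7 + host_len, "/", 2);   /* copies the '/' and the terminating NUL */
    return host_len_of(url) < 0;
}

/* The delivery path Ray warns about: the attacker's server answers a
 * harmless-looking link with a redirect, and the browser follows the Location
 * header without the user ever seeing the overlong URL. This pulls the Location
 * value out of a response and runs it through the safe parser. Returns the
 * host length, or -1 if there is no Location header or the host is refused. */
int host_len_from_redirect(const char *response) {
    const char *loc = strstr(response, "\r\nLocation:");
    if (!loc) return -1;
    loc += strlen("\r\nLocation:");
    while (*loc == ' ' || *loc == '\t') loc++;
    size_t len = strcspn(loc, "\r\n");
    char url[4096];
    if (len >= sizeof url) return -1;   /* overlong header value: treat as refused */
    memcpy(url, loc, len);
    url[len] = '\0';
    return host_len_of(url);
}

int main(void) {
    char ok[HOST_MAX + 1];
    extract_host_unsafe("http://www.umbc.edu/", ok);   /* short name: no overflow */
    if (extract_host_safe("http://www.umbc.edu/~rcromw1/", ok, sizeof ok) > 0)
        printf("accepted host: %s\n", ok);
    printf("300-byte host refused: %d\n", probe_rejected(300));

    /* Constructed 302 response, not captured from any real server. */
    char resp[4096];
    strcpy(resp, "HTTP/1.0 302 Found\r\nLocation: http://");
    size_t used = strlen(resp);
    memset(resp + used, 'a', 400);
    strcpy(resp + used + 400, "/\r\nContent-Length: 0\r\n\r\n");
    printf("redirect host refused: %d\n", host_len_from_redirect(resp) < 0);
    return 0;
}
```

The check a browser author would want is the one in extract_host_safe: compare the measured length against both the DNS limit and the destination buffer before any byte is copied, and reject rather than truncate. The unsafe function is only ever given a short name here; feeding it the 300-byte probe would corrupt the stack, which is the whole point of the post.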