Vulnerability Development mailing list archives
Buffer Overflows in Netscape6
From: Anders Ingeborn <ingeborn () IXSECURITY COM>
Date: Thu, 25 Jan 2001 13:25:47 +0100
iXsecurity, Stockholm, January 2001

Summary

There are at least three buffer overflow vulnerabilities in Netscape6 (verified with version 6.0 on Win2k and Win98). We cannot currently use any of them to execute code on the system. But if someone finds a way to do that, they are really dangerous! The only thing needed is to make a victim follow a link, which is really simple (e.g. a spoofed e-mail with a 'good' link from a 'friend', etc.).

Details

The buffer overflows occur when Netscape6 is processing certain links of lengths around 500-1000 characters. They cause access violations on different MOV instructions (REP MOVSD etc.) using registers EAX, ECX, ESI and EDI, which have been previously overwritten. It might be possible to exploit these unchecked buffers if the registers are overwritten in such a way that the program does not crash until a RET (set to valid memory addresses for r/w etc.). We have not been able to spend enough time to research this fully yet, but this is what Vuln-Dev is for, right? If you do -- please let us know.

Buffer Overflow #1 occurs when a link of more than 996 digits is followed (i.e. http://996x'1'). Netscape seems to assume this to be an IP address. The violation is at 0x60c2cb38. If the link is over 996 digits there are access violations in three other places (0x60650e4a, 0x60650e19 and 0x78001648), on MOV or AND instructions.

Buffer Overflow #2 occurs when a domain name link of 511 characters (or mixed characters/digits) is followed (i.e. www.511x'a'.com).

Buffer Overflow #3 only occurred once during our test. Netscape6 was trying to parse the link as an IPv6 address and convert it to an IPv4 address, and crashed in a function named something like ipv6toipv4.

Anders Ingeborn <ingeborn () ixsecurity com>
Technical Security Consultant
iXsecurity
Stockholm, Sweden
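As an added defensive example, not part of the original post or of iXsecurity's work: a gateway-side check that classifies a link's host into the three shapes the report describes (dotted digits, domain name, bracketed IPv6 literal) and flags hosts longer than the protocol allows, so oversized links can be logged or dropped before a client's URL parser sees them. The length limits are assumed from the RFCs, not taken from the report, and the sample links are constructed.

```python
# Added example (not from the original post): flag URL hosts that exceed the
# protocol limits for their kind. Limits are assumed from the RFCs, not from
# the Netscape6 report: a full domain name is at most 253 characters
# (RFC 1035), a dotted-quad IPv4 literal at most 15, and a textual IPv6
# literal with an embedded IPv4 tail at most 45 (RFC 4291).
LIMITS = {"domain": 253, "numeric": 15, "ipv6": 45}


def split_host(url):
    """Return (kind, host): kind is 'ipv6', 'numeric' or 'domain'.

    Hand-rolled instead of urllib.parse so that malformed bracketed hosts
    are returned for inspection rather than raising.
    """
    rest = url.split("://", 1)[1] if "://" in url else url
    netloc = rest.split("/", 1)[0].rsplit("@", 1)[-1]  # drop path, userinfo
    if netloc.startswith("["):                          # "[v6literal]:port"
        end = netloc.find("]")
        return "ipv6", netloc[1:end] if end != -1 else netloc[1:]
    host = netloc.rsplit(":", 1)[0] if ":" in netloc else netloc  # drop port
    if host.replace(".", "").isdigit():                 # dotted digits only
        return "numeric", host
    return "domain", host


def oversized_host(url):
    """True when the host is longer than the limit for its kind."""
    kind, host = split_host(url)
    return len(host) > LIMITS[kind]


def scan_links(urls):
    """Return (kind, host_length, truncated_url) for every oversized link."""
    findings = []
    for url in urls:
        kind, host = split_host(url)
        if len(host) > LIMITS[kind]:
            findings.append((kind, len(host), url[:40] + "..."))
    return findings


if __name__ == "__main__":
    # Constructed samples: the three shapes from the report plus benign links.
    samples = [
        "http://www.example.com/index.html",
        "http://192.0.2.1:8080/",
        "http://" + "1" * 996,
        "http://www." + "a" * 511 + ".com",
        "http://[" + "f" * 60 + "]/",
    ]
    for finding in scan_links(samples):
        print(finding)
```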