Vulnerability Development mailing list archives

Buffer Overflows in Netscape6


From: Anders Ingeborn <ingeborn () IXSECURITY COM>
Date: Thu, 25 Jan 2001 13:25:47 +0100

iXsecurity, Stockholm, January 2001

Summary

There are at least three buffer overflow vulnerabilities in Netscape6
(verified with version 6.0 on Win2k and Win98). We cannot currently
use any of them to execute code on the system. But if someone finds a
way to do that, they are really dangerous! The only thing needed is to
make a victim follow a link, which is really simple (e.g. spoofed e-mail
with a 'good' link from a 'friend' etc.)

Details

The buffer overflows occur when Netscape6 is processing certain links of
lengths around 500-1000 characters. They cause access violations on
different MOV-instructions (REP MOVSD etc.) using registers EAX, ECX,
ESI and EDI, which have been previously overwritten. It might be
possible to exploit these unchecked buffers if the registers are
overwritten in such a way that the program does not crash until a RET
(set to valid memory addresses for r/w etc). We have not been able to
spend enough time to research this fully yet, but this is what
Vuln-Dev is for, right? If you do -- please let us know.

Buffer Overflow #1 occurs when a link of more than 996 digits is
followed (i.e. http://996x'1'). Netscape seems to assume this to be an
IP address. The violation is at 0x60c2cb38. If the link is over 996
digits there are access violations in three other places (0x60650e4a,
0x60650e19 and 0x78001648), on MOV or AND instructions.

Buffer Overflow #2 occurs when a domain name link of 511 characters
(or mixed characters/digits) is followed (i.e. www.511x'a'.com).

Buffer Overflow #3 occurred only once during our tests. Netscape6 was
trying to parse the link as an IPv6 address and convert it to an IPv4
address, and crashed in a function named something like ipv6toipv4.


Anders Ingeborn <ingeborn () ixsecurity com>
Technical Security Consultant
iXsecurity
Stockholm, Sweden
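As an added defensive example (not from the original post and not Netscape's own code), a bounded URL-host validator in C that rejects the overlong and all-digit hosts described in the report before they reach any fixed-size buffer or IPv4/IPv6 conversion. The RFC 1035 length limits and the constructed test helper `check_repeated_host` are assumptions of this example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

#define MAX_HOST_LEN  255   /* RFC 1035: a hostname is at most 255 octets */
#define MAX_LABEL_LEN 63    /* RFC 1035: each label is at most 63 octets  */

/* True if host is a well-formed dotted-quad IPv4 literal (four octets, each 0-255). */
static bool is_ipv4_literal(const char *host)
{
    int octets = 0;
    for (const char *p = host; *p; octets++) {
        int value = 0, digits = 0;
        for (; isdigit((unsigned char)*p); p++) {
            value = value * 10 + (*p - '0');
            if (++digits > 3 || value > 255) return false;
        }
        if (digits == 0 || (*p != '\0' && *p != '.')) return false;
        if (*p == '.' && *++p == '\0') return false;   /* trailing dot */
    }
    return octets == 4;
}

/* Validate a URL host before it reaches any fixed-size buffer or address conversion.
 * The length is bounded first, so an oversized string is rejected without being scanned. */
bool host_is_acceptable(const char *host)
{
    size_t len = 0;
    while (len <= MAX_HOST_LEN && host[len] != '\0') len++;
    if (len == 0 || len > MAX_HOST_LEN) return false;   /* 511- and 996-char hosts stop here */
    bool numeric = true; size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        char c = host[i];
        if (c == '.') { if (label == 0) return false; label = 0; continue; }  /* empty label */
        if (!isalnum((unsigned char)c) && c != '-') return false;
        if (!isdigit((unsigned char)c)) numeric = false;
        if (++label > MAX_LABEL_LEN) return false;
    }
    /* An all-digit host is acceptable only as a real IPv4 literal, never as an arbitrary digit run. */
    return numeric ? is_ipv4_literal(host) : true;
}

/* Constructed helper (assumption): builds prefix + count copies of fill + suffix, e.g. the
 * report's 996-digit and 511-character hosts, in a bounded buffer and validates the result. */
bool check_repeated_host(const char *prefix, char fill, size_t count, const char *suffix)
{
    char buf[2048]; size_t pl = strlen(prefix), sl = strlen(suffix);
    if (pl + count + sl + 1 > sizeof buf) return false;
    memcpy(buf, prefix, pl);
    memset(buf + pl, fill, count);
    memcpy(buf + pl + count, suffix, sl + 1);   /* includes the terminating NUL */
    return host_is_acceptable(buf);
}
```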

