Bugtraq mailing list archives

Re: Ray Cromwell: Another Netscape Bug (and possible security


From: neil () legless demon co uk (Neil Woods)
Date: Thu, 28 Sep 1995 05:29:42 +0100



On my BSDI 2.0 machine running Netscape 1.1N, this causes a segmentation
fault and subsequent core dump. GDB reports nothing usable (stripped
executable).

  I cannot reproduce this bug on the following platforms:

        Solaris 2.5 beta/Netscape 1.1N

I've reproduced it fine under sol2.4 1.1N.  The page
I tested from is http://www.aloha.net/~newsham/test.html.
Simply click on the long test URL and core dump.
(You can view source before clicking to see what you
are clicking on if you don't trust me :)

Howard Owen hbo () octel com   Octel Communications Corporation  1024/DC671C31


Further investigation shows this is indeed a stack overwrite.  However, due
to the window restore/save mechanism of the SPARC, we're not able
to overwrite the return address for this function.  However, it may
be possible to overwrite a return address from a previously flushed
frame (this is architecture specific).

The core dump obtained from this URL is due to passing two local pointers
which have been overwritten.  In order to progress further, these would
need to point to valid addresses.  Normally, these point to global or static
buffers containing http:... strings.

I hope this helps those who are developing exploits.

Cheers,

Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...
