Re: Buffer Overflows in Netscape6

[cruxpot <cruxpot () RUNBOX COM>]

Had the same results on Win2k Pro SP1, Netscape 6. I tested the first 2
buffer overflow scenarios (need more info on the 3rd). No crashes, just URL
not found error on the first (with 996, 998, and 2000 characters), and
nonexisting domain for the second (www."a" x 511.com).

----- Original Message -----
From: "Robert van der Meulen" <rvdm () CISTRON NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, January 25, 2001 11:46 AM
Subject: Re: Buffer Overflows in Netscape6


> Hi,
>
> Just for the record, i tried these with mozilla on a Debian system:
> <rvdm@Forty-Two:~> dpkg -l | grep mozilla
> ii  mozilla        M18-3          An Open Source WWW browser for X and
GTK+
> <rvdm@Forty-Two:~>
>
> Quoting Anders Ingeborn (ingeborn () IXSECURITY COM):
> > Buffer Overflow  #1 occurs when a link of more than 996 digits is
followed
> > (i.e. http://996x'1&apos;). Netscape seems to assume this to be an IP-adress.
> > The violation is at 0x60c2cb38. If the link is over 996 digits there are
> > access violations on three other places (0x60650e4a, 0x60650e19 and
> > 0x78001648). MOV- or AND-instructions.
> No crash, usual error dialog. (Error loading URL)
>
> > Buffer Overflow #2 occurs when a domain name link of 511 characters (or
> > mixed characters/digits) is followed (i.e. www.511x'a'.com).
> Same thing - no crash, error dialog.
>
> > Buffer Overflow #3 did only occur once during our test. Netscape6 was
> > trying to parse the link as a Ipv6 address and convert it to Ipv4
address
> > and did crasch in a function named somethin like ipv6toipv4.
> Could you explain what the link looked like, and the situation where it
did
> and didn't work ?
>
> I tested mozilla on both problems with a 'fresh' browser, and after
loading
> some other ('short') url's as well.
>
> Greets,
> Robert
>
> --
>       Linux Generation
>       If you can't learn to do it well, learn to enjoy doing it badly.