Vulnerability Development mailing list archives
Re: Buffer Overflows in Netscape6
From: cruxpot <cruxpot () RUNBOX COM>
Date: Tue, 6 Feb 2001 02:27:05 -0600
Had the same results on Win2k Pro SP1, Netscape 6. I tested the first 2 buffer overflow scenarios (need more info on the 3rd). No crashes, just a URL not found error on the first (with 996, 998, and 2000 characters), and nonexistent domain for the second (www."a" x 511.com).

----- Original Message -----
From: "Robert van der Meulen" <rvdm () CISTRON NL>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, January 25, 2001 11:46 AM
Subject: Re: Buffer Overflows in Netscape6

> Hi,
>
> Just for the record, I tried these with mozilla on a Debian system:
>
> <rvdm@Forty-Two:~> dpkg -l | grep mozilla
> ii  mozilla        M18-3          An Open Source WWW browser for X and GTK+
> <rvdm@Forty-Two:~>
>
> Quoting Anders Ingeborn (ingeborn () IXSECURITY COM):
> > Buffer Overflow #1 occurs when a link of more than 996 digits is followed
> > (i.e. http://996x'1'). Netscape seems to assume this to be an IP address.
> > The violation is at 0x60c2cb38. If the link is over 996 digits there are
> > access violations on three other places (0x60650e4a, 0x60650e19 and
> > 0x78001648). MOV- or AND-instructions.
> No crash, usual error dialog. (Error loading URL)
> > Buffer Overflow #2 occurs when a domain name link of 511 characters (or
> > mixed characters/digits) is followed (i.e. www.511x'a'.com).
> Same thing - no crash, error dialog.
> > Buffer Overflow #3 did only occur once during our test. Netscape6 was
> > trying to parse the link as an IPv6 address and convert it to an IPv4
> > address and did crash in a function named something like ipv6toipv4.
> Could you explain what the link looked like, and the situation where it did
> and didn't work ? I tested mozilla on both problems with a 'fresh' browser,
> and after loading some other ('short') URLs as well.
>
> Greets,
>   Robert
>
> --
> Linux Generation
> If you can't learn to do it well, learn to enjoy doing it badly.
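As an added example (not code from this thread, nor from Netscape or Mozilla), this is the kind of length check on the URL host that stops the inputs discussed above (a 996-digit host taken for an IP address, a 511-character domain label) before they reach a fixed-size buffer or an address-conversion routine. The RFC 1035 limits are real; the function names `classify_host` and `classify_repeated` and the `host_kind` values are my own.

```c
#include <string.h>
#include <ctype.h>

/* RFC 1035 limits: a label is at most 63 octets, a whole name at most 253. */
#define MAX_LABEL 63
#define MAX_HOST  253
#define IPV4_MAX  15                  /* strlen("255.255.255.255") */
enum host_kind { HOST_REJECT = 0, HOST_IPV4 = 1, HOST_NAME = 2 };

/* Bounds-check and classify the host part of a URL before it reaches any
 * fixed-size buffer or address-conversion routine; copy to `out` only on success. */
enum host_kind classify_host(const char *host, char *out, size_t outsz)
{
    size_t len = 0;
    while (len <= MAX_HOST && host[len] != '\0') len++;   /* scan no further than the limit */
    if (len == 0 || len > MAX_HOST || len >= outsz) return HOST_REJECT;

    int numeric = 1, label_len = 0, dots = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)host[i];
        if (c == '.') {                          /* end of a label */
            if (label_len == 0 || label_len > MAX_LABEL) return HOST_REJECT;
            label_len = 0; dots++;
            continue;
        }
        if (!isalnum(c) && c != '-') return HOST_REJECT;
        if (!isdigit(c)) numeric = 0;
        label_len++;
    }
    if (label_len == 0 || label_len > MAX_LABEL) return HOST_REJECT;

    /* A digit-only host is an IPv4 literal only at dotted-quad size: a 996-digit
     * run is rejected here rather than being handed to an address parser. */
    if (numeric && (dots != 3 || len > IPV4_MAX)) return HOST_REJECT;

    memcpy(out, host, len + 1);
    return numeric ? HOST_IPV4 : HOST_NAME;
}

/* Builds prefix + n copies of ch + suffix (the two shapes from the thread) and classifies it. */
enum host_kind classify_repeated(const char *prefix, char ch, size_t n, const char *suffix)
{
    char host[2048], out[MAX_HOST + 1];
    size_t p = strlen(prefix), s = strlen(suffix);
    if (p + n + s >= sizeof host) return HOST_REJECT;
    memcpy(host, prefix, p);
    memset(host + p, ch, n);
    memcpy(host + p + n, suffix, s + 1);        /* includes the terminating NUL */
    return classify_host(host, out, sizeof out);
}
```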
Current thread:
- Re: Buffer Overflows in Netscape6 cruxpot (Feb 06)