Forwarded message:
From owner-bugtraq@crimelab.com Thu Sep 28 19:58:59 1995
Approved-By: CHASIN@CRIMELAB.COM
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Approved-By: Neil Woods <neil@LEGLESS.DEMON.CO.UK>
Message-ID: <199509280324.EAA19959@legless.demon.co.uk>
Date: Thu, 28 Sep 1995 04:24:06 +0100
Reply-To: Bugtraq List <BUGTRAQ@crimelab.com>
Sender: Bugtraq List <BUGTRAQ@crimelab.com>
From: Neil Woods <neil@legless.demon.co.uk>
Subject: Re: Ray Cromwell: Another Netscape Bug (and possible security
X-To: BUGTRAQ@CRIMELAB.COM
X-cc: 8lgm@bagpuss.demon.co.uk
To: Multiple recipients of list BUGTRAQ <BUGTRAQ@crimelab.com>
In-Reply-To: <199509260045.OAA12377@hookomo.aloha.net> from "Timothy Newsham" at Sep 25, 95 02:45:26 pm
On my BSDI 2.0 machine running Netscape 1.1N, this causes a segmentation fault and subsequent coredump. GDB reports nothing usable (stripped executable).
I cannot reproduce this bug on the following platforms:
Solaris 2.5 beta/Netscape 1.1N
I've reproduced it fine under sol2.4 1.1N. The page I tested from is http://www.aloha.net/~newsham/test.html. Simply click on the long test URL and core dump. (You can view source before clicking to see what you are clicking on if you don't trust me :)
Howard Owen hbo@octel.com Octel Communications Corporation 1024/DC671C31 =
I've tried this URL; it does indeed core dump.
Just had a quick look at the core. From first impressions, it's a global overwrite. Therefore we're not overwriting a flushed stack frame, so a syslog(3) style exploit is impossible.
Global overwrites can be exploited, but due to the scenario we're looking at, I'd consider exploit chances to be very low indeed.
It's not a global overwrite on my system. It is very definitely a stack frame overwrite. I've already put code on my stack using a URL, so I know it's a stack problem.
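The crash discussed in this thread is the classic symptom of an unbounded copy of an over-long URL into a fixed-size buffer. The following C program is an added illustration for readers of this thread; it is not Netscape code and the thread does not show the browser's actual copy routine. The buffer size URL_BUF_SIZE and the function names are assumptions chosen for the example. It places the unchecked copy pattern beside a bounded replacement that rejects input that does not fit, and builds a constructed over-long input the way the test page in the thread does, so the reject path can be checked.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed fixed buffer size; a stand-in for the example, not Netscape's value. */
#define URL_BUF_SIZE 256

/* Unchecked pattern behind crashes like the one in this thread: strcpy() into
 * a fixed buffer with no length test. An input longer than the buffer writes
 * past its end (into the stack frame or into globals, depending on where the
 * buffer lives). Kept here for contrast only and called below with a short,
 * safe literal. */
static void copy_url_unchecked(char dst[URL_BUF_SIZE], const char *url)
{
    strcpy(dst, url);   /* no bound: over-long url overruns dst */
}

/* Bounded replacement: copies url into dst only if it fits together with its
 * terminating NUL. Never writes past dst. Returns 0 on success, -1 if the
 * URL was rejected (dst is then an empty string). */
int copy_url_checked(char dst[URL_BUF_SIZE], const char *url)
{
    size_t n = strlen(url);
    if (n >= URL_BUF_SIZE) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, url, n + 1);
    return 0;
}

/* Builds a constructed URL of exactly `len` bytes ("http://" followed by
 * 'A's, as the thread's test page does) and runs the checked copy on it.
 * Returns the copy routine's result so callers can test the reject path.
 * `len` is capped at the scratch buffer size. */
#define SCRATCH_SIZE 8192
int demo_checked_copy(size_t len)
{
    static char scratch[SCRATCH_SIZE];
    char dst[URL_BUF_SIZE];
    const char prefix[] = "http://";
    size_t i;

    if (len >= SCRATCH_SIZE)
        len = SCRATCH_SIZE - 1;
    for (i = 0; i < len; i++)
        scratch[i] = (i < sizeof prefix - 1) ? prefix[i] : 'A';
    scratch[len] = '\0';
    return copy_url_checked(dst, scratch);
}

int main(void)
{
    char buf[URL_BUF_SIZE];
    copy_url_unchecked(buf, "http://example.invalid/short");  /* fits: fine */
    printf("unchecked copy of short URL: %s\n", buf);
    printf("checked copy, 100 bytes:  %d\n", demo_checked_copy(100));
    printf("checked copy, 255 bytes:  %d\n", demo_checked_copy(255));
    printf("checked copy, 256 bytes:  %d\n", demo_checked_copy(256));
    printf("checked copy, 4000 bytes: %d\n", demo_checked_copy(4000));
    return 0;
}
```

The distinction the thread argues over (stack frame versus global overwrite) comes down to where `dst` is allocated; the bounded copy removes the overrun in either case. Building with `-fsanitize=address` and feeding `copy_url_unchecked` an input longer than URL_BUF_SIZE reports the overrun immediately, which is a quicker diagnosis than reading a core from a stripped binary.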