Spent too much time last night playing with the Netscape bug; among other things wrote some code to throw various random binary URLs at Netscape. Netscape seems prepared to swallow the bait as long as the URL does _not_ contain characters screened as follows:
    if ((c != '"') && (c != '>') && (c != 0) && (c != '/')) {
        /* character c is accepted into the URL */
This means you can't plant 0x00, 0x22, 0x3e or 0x2f.
Did you check 0x20 and 0xa0? (space and shift-space) I'm sure that a space will terminate the href in <a>.

I've been playing around with Netscape today and I achieved two things. First, I've isolated a routine very near to where it crashes (if I set a breakpoint in GDB, it only hits the breakpoint when a domain is looked up by any method). Secondly, even without disassembly I've been able to place an exact value in the PC register (0x61616161).

Now, all that's left is to
1) find out where the stack pointer is,
2) make the PC point to some area near the stack pointer, and
3) create some code which does a syscall on execve with "xterm" as the argument, with the restriction that it cannot contain any of the above illegal codes.

#3 is the hardest for me since I've never done assembly under BSDI, but I assume it's some sort of trap call I need to do. Once all that is done, just package it up into a URL and you are set to wreak havoc.

If someone else exploits the hole before I do, I would urge you not to reveal the exact implementation to any mailing lists, for the simple reason that even a benign exploitation can be easily modified to be dangerous. Security through obscurity, I know, but think about it. Once you have the URL, anyone can exploit the bug by pasting it into their home page. And with the way the net works, this would probably seem "cool" to most people and it would spread like wildfire. If you don't reveal the implementation, then perhaps that will buy enough time for most users to upgrade to Netscape 2.0 before crackers start exploiting it.

[this bug is far more dangerous than the RNG bug or the 40-bit crypto]

-Ray
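The two technical points in this thread are the four-byte screen quoted above and the fact that an href long enough can overwrite the saved program counter (the 0x61616161 in PC). The following C is an added illustration, not Netscape's code and not code from the poster: it reconstructs the screening test as a predicate, answers the "did you check 0x20 and 0xa0?" question by enumerating which byte values the screen lets through, and contrasts the unbounded copy-until-terminator pattern that causes the overwrite with a bounded copy that refuses an over-long href. The buffer size, helper names and the sample hrefs are constructed for the demo.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Reconstruction (hypothetical, not Netscape's source) of the screen
 * quoted in the thread: a byte goes into the URL unless it is
 * 0x22 '"', 0x3e '>', 0x00 or 0x2f '/'. */
int url_char_accepted(unsigned char c)
{
    return (c != '"') && (c != '>') && (c != 0) && (c != '/');
}

/* How many of the 256 byte values pass the screen (answers the
 * "what can't I plant?" question for every value at once). */
int count_accepted_bytes(void)
{
    int n = 0;
    for (int c = 0; c < 256; c++)
        n += url_char_accepted((unsigned char)c);
    return n;
}

/* Length the naive loop ("copy until a screened byte") would write
 * into its destination; this is the quantity an unbounded copy never
 * checks, so an href longer than the stack buffer reaches the saved PC. */
size_t accepted_prefix_len(const char *src)
{
    size_t n = 0;
    while (url_char_accepted((unsigned char)src[n]))
        n++;
    return n;
}

/* Mitigation: same screen, but the copy is bounded by the destination
 * size. Returns the number of bytes copied, or -1 if the href would not
 * fit (leaving room for the terminating NUL). */
int copy_href_bounded(char *dst, size_t dstsz, const char *src)
{
    size_t n = 0;
    while (url_char_accepted((unsigned char)src[n])) {
        if (n + 1 >= dstsz)
            return -1;          /* refuse instead of running off the end */
        dst[n] = src[n];
        n++;
    }
    dst[n] = '\0';
    return (int)n;
}

/* Constructed sample: 100 'a' bytes (0x61, the value seen in PC)
 * followed by a screened terminator. */
const char *constructed_long_href(void)
{
    static char href[102];
    memset(href, 'a', 100);
    href[100] = '"';
    href[101] = '\0';
    return href;
}

#define HREF_BUF 64 /* constructed stack-buffer size for the demo */

int main(void)
{
    char buf[HREF_BUF];
    printf("bytes accepted by screen: %d of 256\n", count_accepted_bytes());
    printf("0x20 accepted: %d, 0xa0 accepted: %d\n",
           url_char_accepted(0x20), url_char_accepted(0xa0));
    printf("naive copy of long href would write %zu bytes into a %d-byte buffer\n",
           accepted_prefix_len(constructed_long_href()), HREF_BUF);
    printf("bounded copy of long href: %d (refused)\n",
           copy_href_bounded(buf, sizeof buf, constructed_long_href()));
    printf("bounded copy of short href: %d\n",
           copy_href_bounded(buf, sizeof buf, "example"));
    return 0;
}
```

Only four byte values are screened, so space (0x20) and 0xa0 both pass; what stops a copy is the screen, not the buffer size, which is exactly why the bounded version has to carry its own limit.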