Vlad Nuri said (with some exerpting)

none of the articles mention that the cracker must have login access to the computer that the random numbers are generated on. is this true? does the code require knowledge of the PID etc. that can only be obtained by a login to the system that the netscape session is running on?

It's been noted on this list before that some programs give uid information out...sendmail comes to mind...this GREATLY narrows the search for a pid.

P.M. notes that anywhere there is a data-driven buffer overflow (which he suspects are all over netscape) he can get code to execute anything he wants. this reminds me of the Morris internet worm that ran exactly the same way. it used a bug in the finger demon that caused a string buffer overwrite (via strcpy, instead of strncpy) to execute customized code.

my question: I have not seen the specifics of how this works. does this require specialized knowledge of the native machine language on the host machine? or is it just used to cause something like a core dump to get a command line or something like that?

It requires knowledge of how the stack is set up and of assembler for the target. Most people in computer science know at least one assembler and could easily add enough of another to launch an attack like this. I did one once to attack one of my programs as an example for a class. Please don't overestimate the difficulty of this attack or underestimate the number of folks out there that are qualified to launch it. It's just that most of us would rather be writing constructive code:) Patrick _______________________________________________________________________ / These opinions are mine, and not Verity's (except by coincidence;). \ | (\ | | Patrick J. Horgan Verity Inc. \\ Have | | patrick@verity.com 1550 Plymouth Street \\ _ Sword | | Phone : (415)960-7600 Mountain View \\/ Will | | FAX : (415)960-7750 California 94303 _/\\ Travel | \___________________________________________________________\)__________/