Re: Another Netscape Bug (and possible security hole)
Spent too much time last night playing with the Netscape bug; among other things wrote some code to throw various random binary URLs at Netscape. Netscape seems prepared to swallow the bait as long as the URL does _not_ contain characters screened as follows:

    if ((c != '"') && (c!='>') && (c!=0) && (c!='/') ) {

This means you can't plant 0x00, 0x22, 0x3e or 0x2f. Anything else can be made to show up in various registers after things go blooey.

I've only made it segfault in different places so far, still working on getting it to do something it wouldn't ordinarily do and not crash before it does it.

[Working under Solaris 2.4; I may try my luck on Macs, since this bug crashes the whole OS... need to load up debug tools first though.]

Hope this helps others...

Doug
> Spent too much time last night playing with the Netscape bug; among other things wrote some code to throw various random binary URLs at Netscape. Netscape seems prepared to swallow the bait as long as the URL does _not_ contain characters screened as follows:
>
>     if ((c != '"') && (c!='>') && (c!=0) && (c!='/') ) {
>
> This means you can't plant 0x00, 0x22, 0x3e or 0x2f.
Did you check 0x20 and 0xa0? (space and shift-space) I'm sure that a space will terminate the href in <a>.

I've been playing around with Netscape today and I achieved two things. First, I've isolated a routine very near to where it crashes (if I set a breakpoint in GDB, it only hits the breakpoint when a domain is looked up by any method). Secondly, even without disassembly I've been able to place an exact value in the PC register (0x61616161).

Now, all that's left is to 1) find out where the stack pointer is, 2) make the PC point to some area near the stack pointer, and 3) create some code which does a syscall on execve with "xterm" as the argument, with the restriction that it cannot contain any of the above illegal codes. #3 is the hardest for me since I've never done assembly under BSDI but I assume it's some sort of trap call I need to do. Once all that is done, just package it up into a URL and you are set to wreak havoc.

If someone else exploits the hole before I do, I would urge you not to reveal the exact implementation to any mailing lists for the simple reason that even a benign exploitation can be easily modified to be dangerous. Security through obscurity, I know, but think about it. Once you have the URL, anyone can exploit the bug by pasting it into their home page. And with the way the net works, this would probably seem "cool" to most people and it would spread like wildfire. If you don't reveal the implementation, then perhaps that will buy enough time for most users to upgrade to Netscape 2.0 before crackers start exploiting it.

[this bug is far more dangerous than the RNG bug or the 40-bit crypto]

-Ray
Douglas Barnes writes:
> Spent too much time last night playing with the Netscape bug; among other things wrote some code to throw various random binary URLs at Netscape. Netscape seems prepared to swallow the bait as long as the URL does _not_ contain characters screened as follows:
>
>     if ((c != '"') && (c!='>') && (c!=0) && (c!='/') ) {
>
> This means you can't plant 0x00, 0x22, 0x3e or 0x2f.
No, you *can* put 0x22, 0x3e and 0x2f by using respectively the &#34; &#62; and &#47; html constructs (&#nnn; nnn decimal ascii code). &#0; unfortunately is not recognized but you can probably use any number subtracted by itself or even short lda#0 (depending on the cpu),...if you need a zero,...(what for ?)

I hope this helps too, btw, anyone having contacts on the 8lgm folks? they must have experience with that kind of stuff...

Up-to-date info kept on http://hplyot.obspm.fr/~dl/netscapesec/

It seems the anim is working on about every netscape around, except one folk on linux that reported it didn't crash though someone else, on linux too said it crashed...

Even if a patch should be available now, making a demonstration is still interesting IMO [especially when you know that there are still ppl around using netscape 0.9x beta, and even ppl 'selling' it in ISP access packages!...]

dl
--
Laurent Demailly * http://hplyot.obspm.fr/~dl/ * Linux|PGP|Gnu|Tcl|... Freedom
Prime#1: one hundred five thousand one hundred five billion one hundred five thousand one hundred sixty-seven
Qaddafi ammunition radar Legion of Doom KGB Khaddafi Croatian
> No, you *can* put 0x22, 0x3e and 0x2f by using respectively the &#34; &#62; and &#47; html constructs (&#nnn; nnn decimal ascii code). &#0; unfortunately is not recognized but you can probably use any number subtracted by itself or even short lda#0 (depending on the cpu),...if you need a zero,...(what for ?)
Oh that's great.. netscape might -not- be doing the conversion before it crashes though.. worth a shot to check though, without a doubt.
> I hope this helps too, btw, anyone having contacts on the 8lgm folks? they must have experience with that kind of stuff...
Karl told me that it's their policy only to do exploits for bugs they have found themselves.
> Even if a patch should be available now, making a demonstration is still interesting IMO [especially when you know that there are still ppl around using netscape 0.9x beta, and even ppl 'selling' it in ISP access packages!...]
Look at http://www.c2.org/ with an unpatched netscape. Hopefully other sites will do similar things.

--
sameer                                    Voice:   510-601-9777
Community ConneXion                       FAX:     510-601-9734
An Internet Privacy Provider              Dialin:  510-658-6376
http://www.c2.org (or login as "guest")   sameer@c2.org
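The exchange above turns on an ordering question: Doug's screen rejects four raw bytes, Laurent points out that numeric character references (&#nnn;) can carry those same bytes through the screen, and sameer notes it only matters if the conversion happens before the crash. The following C is an added illustration, not code from the thread or from Netscape, of why a screen applied to raw text is ineffective once decoding happens later, and of the fix: decode first, then screen the bytes that will actually be used. The decoder, the function names and the sample inputs are my own assumptions (this decoder also honours &#0;, which Laurent reports Netscape did not); the screening predicate is the one quoted in the thread.

```c
#include <stdio.h>
#include <string.h>

/* Screening predicate as quoted in the thread: a byte is acceptable
   unless it is '"', '>', NUL or '/'. */
static int screened_ok(unsigned char c)
{
    return (c != '"') && (c != '>') && (c != 0) && (c != '/');
}

/* Return 1 if every one of the n bytes passes the screen, else 0. */
int screen_bytes(const unsigned char *buf, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++)
        if (!screened_ok(buf[i]))
            return 0;
    return 1;
}

/* Hypothetical decoder for this example (not Netscape's): expand
   well-formed numeric character references (&#nnn;, 1-3 decimal digits,
   value <= 255) into single bytes; copy everything else verbatim.
   Returns the number of bytes written. NUL is written like any other
   byte, so the result is a byte buffer, not a C string. */
size_t decode_numeric_refs(const char *src, unsigned char *dst, size_t cap)
{
    size_t out = 0;
    const char *p = src;
    while (*p && out < cap) {
        if (p[0] == '&' && p[1] == '#') {
            const char *q = p + 2;
            int val = 0, digits = 0;
            while (*q >= '0' && *q <= '9' && digits < 3) {
                val = val * 10 + (*q - '0');
                q++;
                digits++;
            }
            if (digits > 0 && *q == ';' && val <= 255) {
                dst[out++] = (unsigned char)val;
                p = q + 1;
                continue;
            }
        }
        dst[out++] = (unsigned char)*p++;
    }
    return out;
}

/* Wrong order: screen the raw text, decode afterwards.  The screen never
   sees the byte that the reference expands to. */
int screen_raw(const char *raw)
{
    return screen_bytes((const unsigned char *)raw, strlen(raw));
}

/* Right order: decode into the form that will actually be used, then
   screen those bytes. */
int screen_decoded(const char *raw)
{
    unsigned char buf[256];
    size_t n = decode_numeric_refs(raw, buf, sizeof buf);
    return screen_bytes(buf, n);
}

int main(void)
{
    /* Constructed sample: no screened byte in the raw text, but it
       expands to a 0x22 byte.  No '/' either, since the quoted screen
       rejects it, so this stands in for a hostname-like field. */
    const char *sample = "host&#34;name";
    printf("screen raw text    : %s\n", screen_raw(sample) ? "accept" : "reject");
    printf("screen decoded bytes: %s\n", screen_decoded(sample) ? "accept" : "reject");
    return 0;
}
```

The general point, which goes beyond this one bug, is that any filter must run on the canonical form of the data, after every decoding step the consumer will perform; otherwise the filter and the consumer disagree about what the input is.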