netscape bug

Patrick Horgan patrick at Verity.COM
Thu Sep 21 09:38:36 PDT 1995 

Vlad Nuri said (with some exerpting)

> 
> none of the articles mention that the cracker must have login access
> to the computer that the random numbers are generated on. is this true?
> does the code require knowledge of the PID etc. that can only be obtained
> by a login to the system that the netscape session is running on?

It's been noted on this list before that some programs give uid information
out...sendmail comes to mind...this GREATLY narrows the search for a pid.

> P.M. notes that anywhere there is a data-driven buffer overflow (which
> he suspects are all over netscape) he can get code to execute anything
> he wants. this reminds me of the
> Morris internet worm that ran exactly the same way. it used a
> bug in the finger demon that caused a string buffer overwrite
> (via strcpy, instead of strncpy) to execute customized code.
> 
> my question: I have not seen the specifics of how this works. does
> this require specialized knowledge of the native machine language on the 
> host machine? or is it just used to cause something like a core dump
> to get a command line or something like that?

It requires knowledge of how the stack is set up and of assembler for the
target.  Most people in computer science know at least one assembler and
could easily add enough of another to launch an attack like this.  I did
one once to attack one of my programs as an example for a class.  Please
don't overestimate the difficulty of this attack or underestimate the 
number of folks out there that are qualified to launch it.  It's just that
most of us would rather be writing constructive code:)

Patrick
   _______________________________________________________________________
  /  These opinions are mine, and not Verity's (except by coincidence;).  \
 |                                                       (\                |
 |  Patrick J. Horgan         Verity Inc.                 \\    Have       |
 |  patrick at verity.com        1550 Plymouth Street         \\  _ Sword     | 
 |  Phone : (415)960-7600     Mountain View                 \\/    Will    | 
 |  FAX   : (415)960-7750     California 94303             _/\\     Travel | 
  \___________________________________________________________\)__________/

More information about the cypherpunks-legacy mailing list