
Re: Ray Cromwell: Another Netscape Bug (and possible security (fwd)



Forwarded message:
From [email protected]  Thu Sep 28 19:58:59 1995
Approved-By: [email protected]
X-Mailer: ELM [version 2.4 PL23]
Content-Type: text
Approved-By:  Neil Woods <[email protected]>
Message-ID:  <[email protected]>
Date:         Thu, 28 Sep 1995 04:24:06 +0100
Reply-To: Bugtraq List <[email protected]>
Sender: Bugtraq List <[email protected]>
From: Neil Woods <[email protected]>
Subject:      Re: Ray Cromwell: Another Netscape Bug (and possible security
X-To:         [email protected]
X-cc:         [email protected]
To: Multiple recipients of list BUGTRAQ <[email protected]>
In-Reply-To:  <[email protected]> from "Timothy Newsham"
              at Sep 25, 95 02:45:26 pm

>
> > >On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
> > >fault and subsequent coredump. GDB reports nothing usable (stripped
> > >executable)
> >
> >   I cannot reproduce this bug on the following platforms:
> >
> >         Solaris 2.5 beta/Netscape 1.1N
>
> I've reproduced it fine under sol2.4 1.1N.  The page
> I tested from is http://www.aloha.net/~newsham/test.html.
> Simply click on the long test url and core dump.
> (You can view source before clicking to see what you
> are clicking on if you don't trust me :)
>
> > Howard Owen [email protected]   Octel Communications Corporation  1024/DC671C31 =
>

I've tried this URL, it does indeed core dump.

Just had a quick look at the core.  From first impressions, it's a global
overwrite.  Therefore we're not overwriting a flushed stack frame, so a
syslog(3)-style exploit is impossible.

Global overwrites can be exploited, but due to the scenario we're looking
at, I'd consider exploit chances to be very low indeed.

Cheers,

Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...


-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
An Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			[email protected]
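The triage step behind Neil's remark (decide from the core whether the bad write landed in global data or in a stack frame) can be made mechanical. The following is an added example, not code from the original post or from anyone on the list: it parses a process memory map in Linux /proc/&lt;pid&gt;/maps style and classifies a faulting address by the region it falls in. The map, the binary path /opt/example/browser and the addresses are constructed for illustration; the 1995 BSDI core is not available, and the map format is an assumption chosen for readability.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not part of the original Bugtraq post.  Classify a faulting
 * address against a process memory map so a triager can tell a write into
 * global data (no saved return address adjacent) from one into a stack frame.
 * The map below is constructed in Linux /proc/<pid>/maps style; the binary
 * path and all addresses are made up for the example. */

enum region_kind {
    REGION_UNMAPPED = 0,
    REGION_TEXT,    /* executable mapping */
    REGION_DATA,    /* writable file-backed mapping: globals live here */
    REGION_HEAP,
    REGION_STACK,
    REGION_OTHER
};

struct region {
    uintptr_t start, end;   /* half-open range [start, end) */
    char perms[5];          /* e.g. "rw-p" */
    char path[256];         /* backing file, "[heap]", "[stack]" or "" */
};

#define MAX_REGIONS 32

/* Parse one maps line of the form "start-end perms offset dev inode [path]".
 * Returns 1 on success, 0 if the line does not have that shape. */
static int parse_maps_line(const char *line, struct region *r)
{
    unsigned long start, end;
    char perms[5];
    char path[256];

    path[0] = '\0';
    if (sscanf(line, "%lx-%lx %4s %*s %*s %*s %255s", &start, &end, perms, path) < 3)
        return 0;
    r->start = (uintptr_t)start;
    r->end = (uintptr_t)end;
    strcpy(r->perms, perms);    /* at most 4 chars + NUL, fits perms[5] */
    strcpy(r->path, path);      /* at most 255 chars + NUL, fits path[256] */
    return 1;
}

/* Parse a whole map text, one region per line.  Returns the region count. */
static int parse_maps(const char *text, struct region *out, int max)
{
    int n = 0;
    const char *p = text;
    while (*p && n < max) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        if (parse_maps_line(line, &out[n]))
            n++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

static enum region_kind kind_of(const struct region *r)
{
    if (strcmp(r->path, "[stack]") == 0) return REGION_STACK;
    if (strcmp(r->path, "[heap]") == 0)  return REGION_HEAP;
    if (strchr(r->perms, 'x'))           return REGION_TEXT;
    if (strchr(r->perms, 'w'))           return REGION_DATA;
    return REGION_OTHER;
}

/* Which kind of region contains addr?  Linear scan is fine for a map this size. */
enum region_kind classify_address(uintptr_t addr, const struct region *regs, int n)
{
    for (int i = 0; i < n; i++)
        if (addr >= regs[i].start && addr < regs[i].end)
            return kind_of(&regs[i]);
    return REGION_UNMAPPED;
}

const char *kind_name(enum region_kind k)
{
    switch (k) {
    case REGION_TEXT:  return "text";
    case REGION_DATA:  return "global data";
    case REGION_HEAP:  return "heap";
    case REGION_STACK: return "stack";
    case REGION_OTHER: return "other mapping";
    default:           return "unmapped";
    }
}

/* Constructed map: text and data of a fictional browser binary, heap, stack. */
static const char CONSTRUCTED_MAP[] =
    "08048000-080c8000 r-xp 00000000 03:01 1234 /opt/example/browser\n"
    "080c8000-080e0000 rw-p 00080000 03:01 1234 /opt/example/browser\n"
    "080e0000-08200000 rw-p 00000000 00:00 0 [heap]\n"
    "bfffe000-c0000000 rw-p 00000000 00:00 0 [stack]\n";

/* Convenience wrapper: classify an address against the constructed map. */
enum region_kind classify_in_constructed_map(uintptr_t addr)
{
    struct region regs[MAX_REGIONS];
    int n = parse_maps(CONSTRUCTED_MAP, regs, MAX_REGIONS);
    return classify_address(addr, regs, n);
}

int main(void)
{
    const uintptr_t faults[] = { 0x080d0100, 0xbfffff00, 0x08100000, 0x00000010 };
    for (size_t i = 0; i < sizeof faults / sizeof faults[0]; i++)
        printf("fault at %#lx -> %s\n", (unsigned long)faults[i],
               kind_name(classify_in_constructed_map(faults[i])));
    return 0;
}
```

A hit in the writable file-backed mapping is what the post calls a global overwrite: no saved return address sits next to the corrupted bytes, which is why a stack-smashing technique does not apply. It is not a clean bill of health, though; globals can hold function pointers and other control data, which is the reason the post rates the chance as low rather than zero, and the same classification run over several crash inputs is a cheap way to confirm that the overrun consistently lands in the same region before drawing that conclusion.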