Bugtraq mailing list archives

Ray Cromwell: Another Netscape Bug (and possible security hole)
From: perry () piermont com (Perry E. Metzger)
Date: Fri, 22 Sep 1995 08:48:57 -0400


This bug may make it possible to execute arbitrary code on any
Netscape browser on the net.

Perry

------- Forwarded Message

From: Ray Cromwell <rjc () clark net>
Message-Id: <199509220612.CAA11441 () clark net>
Subject: Another Netscape Bug (and possible security hole)
To: cypherpunks () toad com
Date: Fri, 22 Sep 1995 02:12:22 -0400 (EDT)
X-Mailer: ELM [version 2.4 PL24alpha3]


I've found a Netscape bug which I suspect is a buffer overflow and
may have the potential for serious damage. If it is an overflow bug,
then it may be possible to infect every computer which accesses a web
page with Netscape. To see the bug, create an html file containing
the following:

<a href="http://foo.bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.\
bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.bar.foo.foo.foo.foo.\
foo.foo.foo.foo.foo.foo.foo.foofoo.bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.\
foo.foo.foofoo.bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.bar.\
foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.bar.foo.foo.foo.foo.foo.\
...>blah</a>

On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
fault and subsequent coredump. GDB reports nothing usable (stripped
executable).

As you can see, I just chose an extremely long domain name. I guessed
that the authors of Netscape probably thought something like "well,
a buffer size of 256 characters is good enough to hold any domain."

It's definitely the domain that's causing it, and not the length of
the URL or the data after the domain name.

I also tried to overflow some Netscape servers using similar techniques
(and shell metacharacters in all sorts of URLs), to no avail. I suspect
a similar attack may work against the Netscape Server if it is proxying.


Does anyone have a disassembly of Netscape, or more specifically,
a disassembly of the URL parse and domain lookup routines? I'd be
happy to collaborate and "Hack Netscape" ;-)


Happy Hacking,
- -Ray






------- End of Forwarded Message
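The bounded host-extraction routine below is an added example, not code from the post or from Netscape: it shows the length check that the guessed fixed 256-byte buffer lacked, rejecting any hostname longer than the RFC 1035 limit of 255 octets (and any label longer than 63) before anything is copied, so a URL shaped like the one in the post is refused instead of overrunning the buffer. The function names and the constructed test URL are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* RFC 1035 limits: a hostname is at most 255 octets, each label at most 63. */
#define HOST_MAX  255
#define LABEL_MAX 63

/* Copy the host part of a scheme://host[:port][/path] URL into out.
 * Returns 1 on success, 0 if the URL is malformed or the host is too long.
 * The unchecked variant the post guesses at (copying the host into a
 * 256-byte buffer with no length test) is exactly what a long domain overruns. */
int extract_host(const char *url, char *out, size_t outsz)
{
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;
    p += 3;
    /* the host ends at the first '/', ':' or end of string */
    size_t len = strcspn(p, "/:");
    if (len == 0 || len > HOST_MAX || len + 1 > outsz) return 0;
    /* every dot-separated label must be 1..63 octets (trailing dot rejected) */
    size_t label = 0;
    for (size_t i = 0; i < len; i++) {
        if (p[i] == '.') {
            if (label == 0 || label > LABEL_MAX) return 0;
            label = 0;
        } else {
            label++;
        }
    }
    if (label == 0 || label > LABEL_MAX) return 0;
    memcpy(out, p, len);          /* only reached once len is known to fit */
    out[len] = '\0';
    return 1;
}

/* Constructed input in the shape of the post's URL: ~600 octets of "foo." labels. */
const char *make_long_url(char *buf, size_t n)
{
    strcpy(buf, "http://");
    while (strlen(buf) < 600 && strlen(buf) + 13 < n) strcat(buf, "foo.");
    strcat(buf, "bar/blah");
    return buf;
}

int main(void)
{
    char host[HOST_MAX + 1], url[1024];
    printf("long host accepted?   %d\n", extract_host(make_long_url(url, sizeof url), host, sizeof host));
    printf("normal host accepted? %d", extract_host("http://www.example.com/index.html", host, sizeof host));
    printf(" (%s)\n", host);
    return 0;
}
```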


