Home page logo

bugtraq logo Bugtraq mailing list archives

Re: Ray Cromwell: Another Netscape Bug (and possible security
From: neil () legless demon co uk (Neil Woods)
Date: Thu, 28 Sep 1995 05:29:42 +0100

On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
fault and subsequent coredump. GDB reports nothing useable (stripped

  I cannot reproduce this bug on the following platforms:

        Solaris 2.5 beta/Netscape 1.1N

I've reproduced it fine under sol2.4 1.1N.  The page
I tested from is http://www.aloha.net/~newsham/test.html.
Simply click on the long test url and core dump.
(You can view source before clicking to see what you
are clicking on if you dont trust me :)

Howard Owen hbo () octel com   Octel Communications Corporation  1024/DC671C31 =

Further investigation shows this is indeed a stack overwrite.  However due
to the window restore/save mechanism of the sparc, we're not able
to overwrite the return address for this function.  However, it may
be possible to overwrite a return address from a previously flushed
frame (this is architecture specific).

The core dump obtained from this url, is due to passing two local pointers
which have been overwritten.  In order to progress further, these would
need to point to valid addresses.  Normally, these point to global or static
buffers containing http:... strings.

I hope this helps those who are developing exploits.


Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]