Bugtraq mailing list archives

Re: Ray Cromwell: Another Netscape Bug (and possible security
From: neil () legless demon co uk (Neil Woods)
Date: Thu, 28 Sep 1995 04:24:06 +0100

On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
fault and subsequent coredump. GDB reports nothing useable (stripped

  I cannot reproduce this bug on the following platforms:

        Solaris 2.5 beta/Netscape 1.1N

I've reproduced it fine under sol2.4 1.1N.  The page
I tested from is http://www.aloha.net/~newsham/test.html.
Simply click on the long test url and core dump.
(You can view source before clicking to see what you
are clicking on if you don't trust me :)

Howard Owen hbo () octel com   Octel Communications Corporation  1024/DC671C31

I've tried this url, it does indeed core dump.

Just had a quick look at the core.  From first impressions, it's a global
overwrite.  Therefore we're not overwriting a flushed stack frame, so a
syslog(3) style exploit is impossible.

Global overwrites can be exploited, but due to the scenario we're looking
at, I'd consider exploit chances to be very low indeed.


Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...
