Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Ray Cromwell: Another Netscape Bug (and possible security
From: neil () legless demon co uk (Neil Woods)
Date: Thu, 28 Sep 1995 04:24:06 +0100



On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation
fault and subsequent coredump. GDB reports nothing useable (stripped
executable)

  I cannot reproduce this bug on the following platforms:

        Solaris 2.5 beta/Netscape 1.1N

I've reproduced it fine under sol2.4 1.1N.  The page
I tested from is http://www.aloha.net/~newsham/test.html.
Simply click on the long test url and core dump.
(You can view source before clicking to see what you
are clicking on if you dont trust me :)

Howard Owen hbo () octel com   Octel Communications Corporation  1024/DC671C31 =


Ive tried this url, it does indeed core dump.

Just had a quick look at the core.  From first impressions, it's a global
overwrite.  Therefore we're not overwriting a flushed stack frame, so a
syslog(3) style exploit is impossible.

Global overwrites can be exploited, but due to the scenario we're looking
at, I'd consider exploit chances to be very low indeed.

Cheers,

Neil
--
Let the Mystery Be, So Watcha Want, Longing In Their Hearts, Hate My Way,
M-Bike, Safari, Uncle June and Aunt Kiyoti, Daisy Dead Petals, Tuff Gnarl.

     ...like a badger with an afro throwing sparklers at the Pope...



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]