Home page logo
/

bugtraq logo Bugtraq mailing list archives

Netscape Navigator buffer overflow
From: Michal Zalewski <lcamtuf () DIONE IDS PL>
Date: Thu, 28 Sep 2000 18:45:41 +0200

Haven't seen bugreport on it, so I decided to publish this vulnerability.
In fact it's pretty old, but still unpublished: Netscape Navigator is
vulnerable to trivial, remote buffer overflow attack when viewing prepared
html:

<form action=something method=something>
<input type=password value=reallylongstring...>
...other form tags...
</form>

If buffer is reasonably long, Netscape crashes with SEGV while trying to
parse this tag (it happens around 16 kB of junk as value=) while calling
function XFE_GetFormElementInfo(). It is not a stack overflow, but, as
some pointers are overwritten, it seems to be exploitable. If someone has
free time and good will, could try - recall JPEG comment heap overflow.

Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf () tpi pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=


  By Date           By Thread  

Current thread:
  • Netscape Navigator buffer overflow Michal Zalewski (Sep 28)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault