
Bugtraq mailing list archives

Re: Buffer Overflow still exists in Netscape <= 4.76
From: Henryk Plötz <HenrykPloetz () GMX DE>
Date: Tue, 23 Jan 2001 14:30:12 +0100

Hi fish stiqz,

   Well, after reading your first message regarding this, I tried your
tool and loaded a page with 20000 A's into my netscape and it crashed
the same moment. Impressive.

   So, I decided to try this again and see whether I could reproduce
the different behavior with different sizes you wrote about.
I started with 1000 A's and gradually increased it, always hitting
reload after I generated a new file. And ... nothing happened.
   I tried hitting reload multiple times, hitting shift+reload and
viewing the source and apart from the time it took to load big pages,
absolutely nothing changed. When I got a file with 1M A's and still
nothing happened, I loaded this file into a newly opened window and ...
crash.

   So I tried this again and, if you first generate a page with a form
that only has 1000 or so A's, then change that file to have many more
A's and only hit reload (not open a new window and open the file there,
or hit Back - Forward in the history), it won't crash.

   Another thing to note: it crashes after loading all the A's but not
before reaching End-Of-File.

   I'm not using an rpm but got the binary from netscape (well, I think
so):

$ md5sum netscape-4.76.tgz
577f4545020a6bcbd016db549fa16f61  netscape-4.76.tgz

   And yet two other notes:
In this part of the universe netscape dies of SIGBUS and not SIGSEGV
(see gdb-dump at the end of this posting).
I also tried a file with 20M A's and the only thing that I noticed was a
significant decrease in loading speed after loading some 34% or so.

> Exactly what did you do that it didn't segfault on you?  In all my tests
> Netscape has died either as soon as the page loads or as soon as you try
> to go somewhere else (or reload).

   Maybe Frank did what I did, as my Netscape really won't die of
anything when using a small file first.

$ gdb netscape core
GNU gdb 5.0
Copyright 2000 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you
are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB.  Type "show warranty" for
details.
This GDB was configured as "i686-pc-linux-gnu"...(no debugging symbols
found)...
Core was generated by `netscape crash.htm'.
Program terminated with signal 7, Bus error.
Reading symbols from /lib/libBrokenLocale.so.1...done.
Loaded symbols for /lib/libBrokenLocale.so.1
Reading symbols from /usr/X11R6/lib/libXt.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXt.so.6
Reading symbols from /usr/X11R6/lib/libSM.so.6...done.
Loaded symbols for /usr/X11R6/lib/libSM.so.6
Reading symbols from /usr/X11R6/lib/libICE.so.6...done.
Loaded symbols for /usr/X11R6/lib/libICE.so.6
Reading symbols from /usr/X11R6/lib/libXmu.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXmu.so.6
Reading symbols from /usr/X11R6/lib/libXpm.so.4...done.
Loaded symbols for /usr/X11R6/lib/libXpm.so.4
Reading symbols from /usr/X11R6/lib/libXext.so.6...done.
Loaded symbols for /usr/X11R6/lib/libXext.so.6
Reading symbols from /usr/X11R6/lib/libX11.so.6...done.
Loaded symbols for /usr/X11R6/lib/libX11.so.6
Reading symbols from /lib/libdl.so.2...done.
Loaded symbols for /lib/libdl.so.2
Reading symbols from /usr/lib/libstdc++-libc6.1-1.so.2...done.
Loaded symbols for /usr/lib/libstdc++-libc6.1-1.so.2
Reading symbols from /lib/libm.so.6...done.
Loaded symbols for /lib/libm.so.6
Reading symbols from /lib/libc.so.6...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...done.
Loaded symbols for /lib/ld-linux.so.2
Reading symbols from /lib/libnss_files.so.2...done.
Loaded symbols for /lib/libnss_files.so.2
Reading symbols from /lib/libnss_dns.so.2...done.
Loaded symbols for /lib/libnss_dns.so.2
Reading symbols from /lib/libresolv.so.2...done.
Loaded symbols for /lib/libresolv.so.2
#0  0x401fca71 in __kill () from /lib/libc.so.6
(gdb) bt
#0  0x401fca71 in __kill () from /lib/libc.so.6
#1  0x8940170 in PR_ClearPendingException ()
#2  <signal handler called>
#3  0x4022c68e in _IO_sgetn (fp=0x92b9700, data=0x8ebd000, n=4096) at
genops.c:431
#4  0x40227c03 in _IO_fread (buf=0x8ebd000, size=1, count=4096,
fp=0x92b9700) at iofread.c:42
#5  0x83d2ed1 in cache_DBDataToExtCacheDBInfoStruct ()
#6  0x83d3d26 in NET_ProcessFile ()
#7  0x83dd2d7 in NET_ProcessNet ()
#8  0x82ce0ab in fe_GetSecondaryURL ()
#9  0x4003d3a1 in XtAppProcessEvent () from /usr/X11R6/lib/libXt.so.6
#10 0x82bd5cc in fe_EventLoop ()
#11 0x82bffc5 in main ()
#12 0x401f6a5e in __libc_start_main (main=0x82be7a4 <main>, argc=2,
argv=0xbffff874, init=0x827f548 <_init>, fini=0x894914c <_fini>,
rtld_fini=0x4000aa20 <_dl_fini>,
    stack_end=0xbffff86c) at ../sysdeps/generic/libc-start.c:92
--
Henryk Plötz
Greetings from the Baltic Sea

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature
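
Added example, not part of the original post: a Python helper for triaging the gdb backtrace above. It re-joins the frames the mail client wrapped, finds the `<signal handler called>` marker, and reports the frame that was interrupted plus the first frame carrying no library or source information. The function names `join_wrapped`, `parse_frame` and `triage` are hypothetical, and the rule that a frame without "from" or "at" belongs to the netscape binary is an assumption for this dump.

```python
import re

# Excerpt of the backtrace from the post (frames #0-#6), kept with the
# hard line wraps the mail client introduced.
BACKTRACE = """\
#0  0x401fca71 in __kill () from /lib/libc.so.6
#1  0x8940170 in PR_ClearPendingException ()
#2  <signal handler called>
#3  0x4022c68e in _IO_sgetn (fp=0x92b9700, data=0x8ebd000, n=4096) at
genops.c:431
#4  0x40227c03 in _IO_fread (buf=0x8ebd000, size=1, count=4096,
fp=0x92b9700) at iofread.c:42
#5  0x83d2ed1 in cache_DBDataToExtCacheDBInfoStruct ()
#6  0x83d3d26 in NET_ProcessFile ()
"""

SIGNAL_MARKER = "<signal handler called>"
FRAME = re.compile(r"#(\d+)\s+(?:0x[0-9a-f]+ in )?(<signal handler called>|\S+)(.*)")

def join_wrapped(text):
    """Re-attach continuation lines to the '#N' frame line they belong to."""
    frames = []
    for line in text.splitlines():
        if line.startswith("#"):
            frames.append(line.strip())
        elif frames and line.strip():
            frames[-1] += " " + line.strip()
    return frames

def parse_frame(frame):
    """Split one frame into number, function, shared library and source location."""
    num, func, rest = FRAME.match(frame).groups()
    lib = re.search(r" from (\S+)$", rest)
    src = re.search(r" at (\S+)$", rest)
    return {"num": int(num), "func": func,
            "lib": lib.group(1) if lib else None,
            "src": src.group(1) if src else None}

def triage(text):
    """Return (interrupted frame, first frame with no library or source info)."""
    frames = [parse_frame(f) for f in join_wrapped(text)]
    marker = next(i for i, f in enumerate(frames) if f["func"] == SIGNAL_MARKER)
    interrupted = frames[marker + 1:]   # frames above the marker are the handler
    # Assumption for this dump: frames lacking both "from <lib>" and "at <file>"
    # belong to the netscape binary, which gdb reported as having no debug symbols.
    caller = next(f for f in interrupted if not f["lib"] and not f["src"])
    return interrupted[0], caller

if __name__ == "__main__":
    fault, caller = triage(BACKTRACE)
    print(f"fault in #{fault['num']} {fault['func']} ({fault['src']}), "
          f"reached from #{caller['num']} {caller['func']}")
```

Function names gdb prints for a binary without debugging symbols are resolved to the nearest known symbol, so the reported caller is a hint about where to look rather than a confirmed location.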

