Re: Netscape communicator 4.06J, 4.5J-4.6J, 4.61e Buffer Overflow

[brett () LARIAT ORG (Brett Glass)]

Your test scripts GPFed Netscape 4.51 on our lab's "victim" Windows 98 system,
but did not execute an exploit.

--Brett Glass

At 11:45 PM 9/2/99 +0900, DEF CON ZERO WINDOW wrote:
> Hi,
>
>  I discovered a buffer overflow bug which causes huge security hole on the `Netscape communicator 4.06J, 4.5J - 4.6J, 
> 4.61e( probably, a version 3.0 after all )'.
>
>  The problem of this application is in the handling of EMBED TAG, the buffer overflow is caused if the long string is 
> specified at "pluginspage" option.
>  I coded the exploit program to execute any command on the victim machine. I tested on the Windows98.
>
>  However, this program specifies immediately the address of the system() function which is defined on the msvcrt.dll, 
> this program does not work on the Windows machine which is installed the other version of msvcrt.dll (This program is 
> for Version 6.00.8397).
>
>  The reason that I specified the immediate address of the function is the buffer which can be written the exploit 
> code is very short, the size of writable buffer is about 83 bytes. The buffer is too small to put the code which gets 
> the address of the functions which are defined on the "msvcrt.dll".
>
>  However, this problem will be solved if the code that searchs the attack code and executes that code is put on the 
> exploit code. The attack code also can be written on the other buffer.
>
> # An attack code could be written in 2300 bytes to stack_bottom.
>
>  The trojan or virus can be written on the attack code, this problem is very serious.
>
>  In this case, the stack pointer (ESP) when the overflow is caused differs by the environment. So, the method of the 
> RET address overwrites can not be used to exploit. This example overwrites the handling address of the access 
> violation, the exploit code is called when the access violation is caused. When the access violation is caused, the 
> address of the exploit buffer is stored in the EBX register. So, I overwrite the handling address to the code that 
> the "JMP EBX" instruction is written.
>
>  You can quickly test this exploit on my site. I have prepared some versions of exploits that execute "welcome.exe" 
> on your Windows98 machine. If you are user of the specified version of netscape, please test. I did not code the 
> exploit program for the WindowsNT and Windows95, but they also contain same problem.
>
> ... and, This problem can't be avoided.
>
>
> [ exploit demo page ]
>
> exec "welcome.exe" - nc4x_ex.c
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
>
> exec "notepad.exe"
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
>
> ---
>
> [ exploit test ]
>
> blue screen(int 01h)
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
> http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
>
>
> [ document(japanese) ]
> http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
>
>
> special thanks:
> UNYUN( The Shadow Penguin Security )
> http://shadowpenguin.backsection.net/
>
>
>
> --
> : R00t Zer0 -   http://www.ugtop.com/defcon0/index.htm           :
> : E-Mail: defcon0 () ugtop com                                      :
> : --                                                          -- :
> : "HP/UX is the worst OS for the hacker..." - Mark Abene         :