This bug may make it possible to execute arbitrary code on any Netscape browser on the net. Perry ------- Forwarded Message From: Ray Cromwell <rjc@clark.net> Message-Id: <199509220612.CAA11441@clark.net> Subject: Another Netscape Bug (and possible security hole) To: cypherpunks@toad.com Date: Fri, 22 Sep 1995 02:12:22 -0400 (EDT) X-Mailer: ELM [version 2.4 PL24alpha3] I've found a Netscape bug which I suspect is a buffer overflow and may have the potential for serious damage. If it is an overflow bug, then it may be possible to infect every computer which accesses a web page with Netscape. To see the bug, create an htm file containing the following: <a href="http://foo.bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.\ bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.bar.foo.foo.foo.foo.\ foo.foo.foo.foo.foo.foo.foo.foofoo.bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.\ foo.foo.foofoo.bar.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.bar.\ foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foo.foofoo.bar.foo.foo.foo.foo.foo.\ ...>blah</a> On my BSDI2.0 machine running Netscape 1.1N, this causes a segmentation fault and subsequent coredump. GDB reports nothing useable (stripped executable) As you can see, I just chose an extremely long domain name. I guessed that the authors of netscape probably thought something like "well, a buffer size of 256 characters is good enough to hold any domain" It's definately the domain that's causing it, and not the length of the URL or the data after the domain name. I also tried to overflow some netscape servers using similar techniques (and shell metacharacters in all sorts of URLs), to no avail. I suspect a similar attack may work against the Netscape Server if it is proxying. Does anyone have a disassembly of Netscape, or more specifically, a disassembly of the URL parse and domain lookup routines? I'd be happy to collaborate and "Hack Netscape" ;-) Happy Hacking, - -Ray ------- End of Forwarded Message