Hi, I discovered a buffer overflow bug which causes huge security hole on the `Netscape communicator 4.06J, 4.5J - 4.6J, 4.61e( probably, a version 3.0 after all )'. The problem of this application is in the handling of EMBED TAG, the buffer overflow is caused if the long string is specified at "pluginspage" option. I coded the exploit program to execute any command on the victim machine. I tested on the Windows98. However, this program specifies immediately the address of the system() function which is defined on the msvcrt.dll, this program does not work on the Windows machine which is installed the other version of msvcrt.dll (This program is for Version 6.00.8397). The reason that I specified the immediate address of the function is the buffer which can be written the exploit code is very short, the size of writable buffer is about 83 bytes. The buffer is too small to put the code which gets the address of the functions which are defined on the "msvcrt.dll". However, this problem will be solved if the code that searchs the attack code and executes that code is put on the exploit code. The attack code also can be written on the other buffer. # An attack code could be written in 2300 bytes to stack_bottom. The trojan or virus can be written on the attack code, this problem is very serious. In this case, the stack pointer (ESP) when the overflow is caused differs by the environment. So, the method of the RET address overwrites can not be used to exploit. This example overwrites the handling address of the access violation, the exploit code is called when the access violation is caused. When the access violation is caused, the address of the exploit buffer is stored in the EBX register. So, I overwrite the handling address to the code that the "JMP EBX" instruction is written. You can quickly test this exploit on my site. I have prepared some versions of exploits that execute "welcome.exe" on your Windows98 machine. If you are user of the specified version of netscape, please test. I did not code the exploit program for the WindowsNT and Windows95, but they also contain same problem. ... and, This problem can't be avoided. [ exploit demo page ] exec "welcome.exe" - nc4x_ex.c http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi exec "notepad.exe" http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi --- [ exploit test ] blue screen(int 01h) http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm [ document(japanese) ] http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm special thanks: UNYUN( The Shadow Penguin Security ) http://shadowpenguin.backsection.net/ -- : R00t Zer0 - http://www.ugtop.com/defcon0/index.htm : : E-Mail: defcon0at_private : : -- -- : : "HP/UX is the worst OS for the hacker..." - Mark Abene :
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:13 PDT