zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: GIFs Good, Flash Executable Bad]

From: zen-parse (zen-parseat_private)
Date: Thu Sep 05 2002 - 23:47:51 PDT


    On Tue Sep 03 2002, Blue Boar wrote:
    > This is one of my favorite vulnerabilities:
    > http://online.securityfocus.com/bid/1503
    > It's an overflow in the JPEG handler in Netscape.
    > 
    > I don't know of one for GIFs off the top of my head, but the same
    > principle applies. If there's a viewer with a bug, then there is a
    > possibility that it can be used to exploit the client.
    > 
    >                                                 BB
    
    A zero-width GIF file can cause exploitable heap corruption.
    (Or: "Why not to use a graphical browser")
    
    Vendor contacted:               17 Jul 2002
    Internally patched:             19 Jul 2002 (according to changelog)
    Received notification of patch: 29 Aug 2002 (via email)
    
    http://crash.ihug.co.nz/~Sneuro/zerogif/
    
    Contains an example exploit for malformed GIFs under Netscape 6.2.3
    Also affects a number of other browsers, including Mozilla (of course) and 
    manages to kill Opera.
    
    Example exploit (when it works properly) should create ~/.mashrc with
    a sample replacement for ~/.bashrc.
    
    Certain values in 'generic.c' and possibly other files will need changing 
    depending on library addresses.
    
    Comments in pngshellcode.c are related to another exploit for Netscape 
    6.2.3... once I found one way to get data into known locations, I kept it.
    
    Certain utilities (pnmtopng and ppmtogif) called by these programs are in
    the netpbm-progs package.
    
    $ make pngshellcode; ./pngshellcode
    $ make enc; ./enc >mapfile.ppm ; make generic; ./generic 
    
    These commands will make the shellcode and the gif file.
    
    This exploit is extremely "Proof of Concept" code. Sorry about the 
    system() calls.
    
    This issue is patched in Netscape 7.0 and the latest version of Mozilla.
    
    There are a few other exploitable issues patched in Netscape 6.2.3
    relating to other image formats. 
    
    I expect (hope for?) an advisory from Netscape at some point soon for this 
    and the other patched issues. 
    
    -- zen-parse
    
    -- 
    -------------------------------------------------------------------------
    1) If this message was posted to a public forum by zen-parseat_private, it 
    may be redistributed without modification. 
    2) In any other case the contents of this message is confidential and not 
    to be distributed in any form without express permission from the author.
    This document may contain Unclassified Controlled Nuclear Information.
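Added here as an illustration of the bug class, not code from this post, from the linked zerogif page, or from Netscape/Mozilla: a Python parser that walks a GIF's logical screen descriptor and image descriptors and reports the dimension values a decoder must validate before allocating any pixel buffer, the zero width this post describes among them. The sample GIFs are constructed inline by make_test_gif, and all function names are this example's own.

```python
import struct
GIF_SIGNATURES = (b"GIF87a", b"GIF89a")

def _skip_sub_blocks(data: bytes, pos: int) -> int:
    while pos < len(data) and data[pos] != 0:   # sub-block: length byte, then data; 0 ends chain
        pos += 1 + data[pos]
    if pos >= len(data):
        raise ValueError("truncated sub-block chain")
    return pos + 1

def parse_gif_dimensions(data: bytes) -> tuple:
    """Return ((screen_w, screen_h), [(left, top, w, h), ...]) for every image frame."""
    if len(data) < 13 or data[:6] not in GIF_SIGNATURES:
        raise ValueError("not a GIF header")
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13 + (3 * (2 << (packed & 0x07)) if packed & 0x80 else 0)  # skip global colour table
    images = []
    while pos < len(data) and data[pos] != 0x3B:          # 0x3B is the trailer
        block = data[pos]
        if block == 0x2C:                                  # image descriptor
            if pos + 10 > len(data):
                raise ValueError("truncated image descriptor")
            left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
            images.append((left, top, w, h))
            pos += 10 + (3 * (2 << (ipacked & 0x07)) if ipacked & 0x80 else 0)  # local table
            pos = _skip_sub_blocks(data, pos + 1)          # +1 skips the LZW minimum code size
        elif block == 0x21:                                # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        else:
            raise ValueError(f"unknown block 0x{block:02x} at offset {pos}")
    return (screen_w, screen_h), images

def gif_dimension_findings(data: bytes) -> list:
    """List dimension values a decoder must reject before sizing any pixel buffer."""
    (sw, sh), images = parse_gif_dimensions(data)
    findings = []
    if sw == 0 or sh == 0:
        findings.append(f"logical screen is {sw}x{sh}: zero-sized")
    for i, (left, top, w, h) in enumerate(images):
        if w == 0 or h == 0:
            findings.append(f"frame {i} is {w}x{h}: zero-sized")
        if left + w > sw or top + h > sh:
            findings.append(f"frame {i} at ({left},{top}) {w}x{h} exceeds screen {sw}x{sh}")
    return findings

def make_test_gif(screen_w: int, screen_h: int, img_w: int, img_h: int) -> bytes:
    # Constructed sample: minimal 2-colour GIF89a (global colour table, one frame, trailer).
    header = b"GIF89a" + struct.pack("<HHBBB", screen_w, screen_h, 0x80, 0, 0) + b"\x00\x00\x00\xff\xff\xff"
    descriptor = b"\x2c" + struct.pack("<HHHHB", 0, 0, img_w, img_h, 0)
    return header + descriptor + b"\x02\x02\x44\x01\x00\x3b"   # LZW code size, data block, trailer
```

A well-formed 1x1 image yields no findings; a file whose screen or frame width is zero, as in the post, is reported before any allocation would be sized from it.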
    



    This archive was generated by hypermail 2b30 : Fri Sep 06 2002 - 13:22:36 PDT