Netscape Problems.

From: zen-parse (zen-parseat_private)
Date: Mon Nov 25 2002 - 22:17:56 PST


    In a message on Bugtraq, Last Stage of Delirium wrote:
    (http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html)
    
    > We can understand why there was no response from Netscape since the
    > three[1][3][4] vulnerabilities affecting Netscape web browser were
    > submitted to the Netscape Bug Bounty program which entitles 1000 USD for
    > a security bug in Netscape Communicator to its founder. Netscape seems
    > to be another American company that does not seem to be fulfilling
    > public obligations made through company's web pages
    > (http://home.netscape.com/security/bugbounty.html). While we were
    > waiting for Netscape's response to our vulnerability report, Netscape
    > changed(!)  Reward Guidelines of the Bug Bounty program so that now only
    > bugs in Netscape 7.x are rewarded (previously both latest 6.x and 4.8
    > versions were taken into account). Nice move, huh ?
    
    You might want to see the September 13 email reference below, and then
    maybe you could still hold some hope out. Maybe. A little. Or something.
    
    
    
    This email was written on Tuesday 26 November, 6.55pm NZDT.
    
    As of this time, I have yet to receive any confirmation that I would be 
    getting any of the offered Bug Bounty. I have been informed I am eligible, 
    however, 
    
    bash-2.04$ egrep '^From: bugzilla-daemonat_private$' mail/Bugz|wc -l
    90
    bash-2.04$
    
    90 Messages related to the following bugs dated between
    
    List of bugs and bugzilla.mozilla.org bug names:
    
    PNG1       - 155222 - width integer overflow
    PNG2       - ?????? - alpha size integer overflow
    JAR1       - 157646 - Incorrect uncompressed size causes heap corruption
    Javascript - 157652 - sort() and size integer overflow
    GIF        - 157989 - 0 width GIF
    
    Another bug not mentioned.
    
    And I can't remember if I have told them about the integer overflow in the 
    pop3 mail handler,
    
    mozilla/mailnews/local/src/nsPop3Protocol.cpp:
    ...
             PR_CALLOC(sizeof(Pop3MsgInfo) * m_pop3ConData->number_of_messages);
    ...
    
    where m_pop3ConData->number_of_messages is a server supplied value, and
    sizeof(Pop3MsgInfo) is 8.
    
    How would this be exploitable? Well, if someone offered free email with
    POP3 access, there would be at least some people who would take advantage
    of it. A malicious server could then potentially take over the running
    instance of Netscape/Mozilla.
    
    (gdb) print/u 8 * 536870912 
    $1 = 0
    (gdb) 
    
    If I told them about this, I never saw any email about it afterwards.
    (I believe this is similar to:
    
    http://online.securityfocus.com/bid/3164/discussion/
    
    but I haven't looked at that bug, so I may be wrong.)
    
    
    Netscape story
    ==============
    
    Fixes:
    
     PNG1 & PNG2 were fixed with one extra check in 1.0.1/1.1
    
     JAR1 is/will be fixed in Mozilla 1.2(beta?)
    
     Javascript potentially exploitable problem was fixed, however not shown 
     to be definitely exploitable, however that does not mean it definitely is. 
     (Look at the source and see if you can work out how to. Need to 'guess' 
     where the sort is going to place things and need to cause the offsets it
     moves to be the places you need them to be.) (fixed 1.0.1/1.1)
    
     GIF has had exploit method released, fixed in Mozilla 1.0.1 and 1.1, I 
     believe. The shellcode may be helpful. (The shellcode is not optimal, but 
     at least it tends to work in a threaded environment.) (fixed 1.0.1/1.1(?))
    
    
    Interesting parts of communications regarding these bugs.
    
    [Please note: some dates below may be approximate due to timezone
    differences in the headers. Sorry.]
    
    June 29
    =======
    Completed writeup of heap corruption in Netscape and Mozilla, via PNG.
    
    June 30
    =======
    Reported PNG via Netscape Security Bug form.
    
    July 1
    ======
    Bug added to bugzilla.mozilla.org
    
    [Bug 155222] Heap corruption in PNG library
    http://bugzilla.mozilla.org/show_bug.cgi?id=155222
    
    July 7
    ======
    Notified Microsoft of potential problem in Javascript sort() method.
    (Netscape was notified on the same day, I believe.)
    
    July 9
    ======
    Microsoft replies with regard to Javascript.
    
    July 13 
    ======= 
    Microsoft closes off on JS bug. Patch becomes available eventually, as 
    threat was not seen as high by Microsoft.
    
    +++++++
    
    Netscape informed of second PNG bug/exploit method.
    
    == Sent ==
     Date: Sat, 13 Jul 2002 04:04:56 +1200 (NZST)
     From: zen-parse <zen-parseat_private>
     To: Mitchell Stoltz <mstoltzat_private>
     Subject: exploitable heap corruption via PNG Alpha data
    
    (Different section of code, however, similar root cause.)
    
    July 17
    =======
    Fix checked into 1.0.1 tree for bug 155222. (Initial PNG bug.)
    Notified Netscape for GIF zero width bug vuln.
    
    August 5
    ========
    [An update for 155222]
    ------ Additional Comments From randegat_private  2002-08-05 06:16 -------
    Since this bug was discussed publicly in the libpng mailing lists
    and is described and fixed publicly in libpng-1.2.4/1.0.14,
    perhaps it can be made a "public" Mozilla bug.
    
    August 10
    =========
    Emailed Mitchell Stoltz <mstoltzat_private> with regards to resolution
    time for other PNG bug and jar bugs.
    
    August 12
    =========
    [Bug 157646] Possible heap corruption in libjar
    http://bugzilla.mozilla.org/show_bug.cgi?id=157646
    
    Added to CC list for bug. 
    
    August 27
    =========
    
    Another bug reported, but not listed here. An exploitable bug in part of a
    security check. More info later.
    
    August 29
    =========
    [Bug 157989] Possible heap corruption with 0-width GIF
    http://bugzilla.mozilla.org/show_bug.cgi?id=157989
    [Bug 157652] Crash, possible heap corruption in JS Array.prototype.sort
    http://bugzilla.mozilla.org/show_bug.cgi?id=157652
    
    Added to CC list for bugs.
    
    September 6
    ===========
    Released details of Netscape/Mozilla/other browsers 0-width GIF bug.
    
    == Sent ==
     Date: Fri, 6 Sep 2002 18:47:51 +1200 (NZST)
     From: zen-parse <zen-parseat_private>
     To: vuln-devat_private, full-disclosureat_private,
          bugtraqat_private
     Subject: zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: 
              GIFs Good, Flash Executable Bad]
    ==
    September 13
    ============
    Queried about eligibility for Bug Bounty.
    
    == Sent ==
     Date: Fri, 13 Sep 2002 23:54:58 +1200 (NZST)
     From: zen-parse <zen-parseat_private>
     To: Mitchell Stoltz <mstoltzat_private>
     Subject: Query regarding Bug Bounty Program
    
    (re: http://wp.netscape.com/security/bugbounty.html )
    
    Which of the bugs I have submitted would qualify for this?
    
    At the time reported the version required was 6.x, and the .jar problems 
    are still exploitable (by a slightly different method) in the latest 7.x 
    version.
    ==
    
    == Reply ==
    All of the bugs you have sent us potentially qualify, since you sent 
    them to us before we released Netscape 7 and they affected the most 
    current version at the time (6.2). At this point, I'm still trying to 
    determine how serious the impact of some of your bugs are - I'll let you 
    know soon about the bounty award.
            Regards,
                Mitch
    ==
    
    October 15
    ==========
    30 days pass with no news on bug bounty. 
    
    == Sent ==
     Date: Tue, 15 Oct 2002 04:43:30 +1300 (NZDT)
     From: zen-parse <zen-parseat_private>
     To: Mitchell Stoltz <mstoltzat_private>
     Subject: Re: Query regarding Bug Bounty Program
    
    On Fri, 13 Sep 2002, Mitchell Stoltz wrote:
    
    > All of the bugs you have sent us potentially qualify, since you sent 
    > them to us before we released Netscape 7 and they affected the most 
    > current version at the time (6.2). At this point, I'm still trying to 
    > determine how serious the impact of some of your bugs are - I'll let you 
    > know soon about the bounty award.
    >         Regards,
    >             Mitch
    > 
    
    Do you have a time frame for when this will be happening?
    
    ==
    
    Received a reply the same day:
    == Reply ==
    Within the next few weeks. I'm actively working on that.
            -Mitch
    
    ==
    
    November 13
    ===========
    Almost another month passes before I decide to prompt some more.
    
    == Sent ==
     Date: Wed, 13 Nov 2002 05:35:52 +1300 (NZDT)
     From: zen-parse <zen-parseat_private>
     To: Mitchell Stoltz <mstoltzat_private>
     Subject: Re: Query regarding Bug Bounty Program
    
    Just checking if there is any update on the timeframe, or if there is
    any information you need that might help with determining the impact
    of the issues I reported?
    
    -- zen-parse
    
    On Mon, 14 Oct 2002, Mitchell Stoltz wrote:
    
    > Within the next few weeks. I'm actively working on that.
    >         -Mitch
    ==
    
    
    November 15 
    =========== 
    Released vulnerability details on jar: handler. This bug has now been known
    for 4 months without a fix being publicly available.
    
    November 20
    ===========
    Bugzilla mail tells me:
    
    
    == Received ==
     Date: Wed, 20 Nov 2002 13:06:42 -0800 (PST)
     From: bugzilla-daemonat_private
     To: neuroat_private
     Subject: (that bug I mentioned on August 27.)
    
    
    
    bsharmaat_private changed:
    
               What    |Removed                     |Added
    ----------------------------------------------------------------------------
                 Status|RESOLVED                    |VERIFIED
               Keywords|fixed1.0.2                  |verified1.0.2
    
    
    
    
    ------- Additional Comments From bsharmaat_private  2002-11-20 13:06 -------
    Verified on 2002-11-20-branch build on Linux. Loaded the attached test case and
    the crash does not happen. The page shows up with the line streaks.
    
    ==
    
    Looks like it is finally fixed.
    
    
    November 21
    ===========
    No reply received yet regarding money.
    
    == Sent ==
     Date: Thu, 21 Nov 2002 15:52:35 +1300 (NZDT)
     From: zen-parse <zen-parseat_private>
     To: Mitchell Stoltz <mstoltzat_private>
     Subject: Re: Query regarding Bug Bounty Program (fwd)
    
    Hello? Anyone there?
    
    ==
    
    
    -- zen-parse
    
    In case people haven't noticed yet, Open Source is not more secure.
    
    -- 
    -------------------------------------------------------------------------
    1) If this message was posted to a public forum by zen-parseat_private, it 
    may be redistributed without modification. 
    2) In any other case the contents of this message is confidential and not 
    to be distributed in any form without express permission from the author.
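
The POP3 sizing problem the post describes (an allocation of
sizeof(Pop3MsgInfo) * m_pop3ConData->number_of_messages, where the count
comes from the server and the element size is 8), as an added example that
is not part of the original post and is not Mozilla's code. The Pop3MsgInfo
stand-in below has two 32-bit fields only so that it is 8 bytes as the post
says; its real layout is not shown on the page. The function names
(parse_stat_count, vuln_alloc_size, safe_alloc_size, alloc_msg_info_table)
and the POP3 STAT replies are constructed for the example. It shows the
product wrapping to 0 for the gdb value 536870912 when evaluated in 32-bit
unsigned arithmetic, and the check a caller needs before multiplying any
attacker-chosen element count by an element size, which is the general form
of the bug rather than the POP3 case alone.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for the 8-byte Pop3MsgInfo record the post mentions. The field
 * names are hypothetical; only the 8-byte size is taken from the post. */
typedef struct {
    uint32_t size;
    uint32_t flags;
} Pop3MsgInfo;

/* Parse the message count from a POP3 STAT reply, "+OK <count> <octets>".
 * Returns -1 for a malformed reply or a count that does not fit in 32 bits.
 * The count is chosen by the server, i.e. by the attacker in this scenario. */
long long parse_stat_count(const char *reply) {
    if (strncmp(reply, "+OK ", 4) != 0) return -1;
    const char *start = reply + 4;
    char *end;
    errno = 0;
    unsigned long long n = strtoull(start, &end, 10);
    if (end == start || errno == ERANGE || n > UINT32_MAX) return -1;
    if (*end != ' ' && *end != '\r' && *end != '\n' && *end != '\0') return -1;
    return (long long)n;
}

/* The sizing expression from the post, evaluated in 32-bit unsigned
 * arithmetic as a 32-bit build would: the product wraps modulo 2^32, so
 * 8 * 536870912 == 2^32 == 0 and the allocation is zero bytes long. */
uint32_t vuln_alloc_size(uint32_t number_of_messages) {
    return (uint32_t)sizeof(Pop3MsgInfo) * number_of_messages;
}

/* Hardened version: bound the count before multiplying. Returns 0 and leaves
 * *out untouched when the product would not fit in 32 bits. */
int safe_alloc_size(uint32_t number_of_messages, uint32_t *out) {
    uint32_t elem = (uint32_t)sizeof(Pop3MsgInfo);
    if (number_of_messages > UINT32_MAX / elem) return 0;
    *out = elem * number_of_messages;
    return 1;
}

/* Hardened allocation path: parse, bound, then allocate. Returns NULL with
 * *count = 0 on any failure, so a caller never indexes a zero-byte table. */
Pop3MsgInfo *alloc_msg_info_table(const char *stat_reply, uint32_t *count) {
    *count = 0;
    long long n = parse_stat_count(stat_reply);
    uint32_t bytes;
    if (n < 0 || !safe_alloc_size((uint32_t)n, &bytes)) return NULL;
    Pop3MsgInfo *table = calloc((size_t)n, sizeof(Pop3MsgInfo));
    if (table) *count = (uint32_t)n;
    return table;
}

int main(void) {
    /* Constructed server replies, not captured traffic. */
    const char *benign = "+OK 3 1200\r\n";
    const char *hostile = "+OK 536870912 4294967296\r\n";
    uint32_t n = (uint32_t)parse_stat_count(hostile);
    printf("vulnerable size for %u messages: %u bytes\n", n, vuln_alloc_size(n));

    uint32_t count;
    Pop3MsgInfo *t = alloc_msg_info_table(benign, &count);
    printf("benign reply: %s (%u entries)\n", t ? "allocated" : "rejected", count);
    free(t);
    t = alloc_msg_info_table(hostile, &count);
    printf("hostile reply: %s\n", t ? "allocated" : "rejected");
    free(t);
    return 0;
}
```

The division-based bound is the portable form of the check; the same test
applies wherever an element count parsed from the wire is multiplied by an
element size before the allocation, whether the allocator is PR_CALLOC,
malloc or calloc.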
    



    This archive was generated by hypermail 2b30 : Tue Nov 26 2002 - 06:42:50 PST