Bugtraq archives for 2nd quarter (Apr-Jun) 1998: Netscape Client DoS.

Netscape Client DoS.

Robert Thomas (robRPI.NET.AU)
Mon, 18 May 1998 13:49:10 +1000

After making a typo in a proxy.pac (Proxy AutoConfiguration File), I
discovered that as soon as netscape loaded the modified proxy.pac file,
it GPF'd.  The problem was with the return string. Here is an example of
a valid string:

return "PROXY 10.1.1.1:8080; PROXY 10.1.1.2:8080; DIRECT";

which will first query the proxy on 10.1.1.1 port 8080, then 10.1.1.2, and
if both of those are down it will use direct connections.  The string I
was using was:

return "PROXY 10.1.1.18080; PROXY 10.1.1.2:8080; DIRECT";

I missed the colon. Now I would expect it to do the smallest bit of error
checking to verify that 18080 is less than 256.  No, it doesn't, and
netscape dies -- This also makes netscape basically unusable until you
physically disconnect the network cable and turn proxies off or set them
to manual, or manage to hit 'stop' before it loads the proxy.pac file.
(Of course, you can fix the proxy.pac file as well 8-)

A less than highly-clued ISP/Intranet Manager would probably miss that
someone has maliciously changed his proxy.pac file, and have no idea why
all his netscape clients are crashing on bootup.

I have not checked that this happens with IE -- As this is an IE-Free-Zone.
I assume someone else can try and confirm/deny this.  This was happening
with Communicator 4.04, I assume it would be the same with previous
versions.

                                                        --Robert Thomas
                                                        RP Internet Services
                                                        Sydney, Australia

--//$35/month Internet Access in 02, 045 and 047 areas. ISDN/FR/DDS/K56\\--
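As an added example that is not part of the original post (and not Netscape's own code), here is a small JavaScript validator for the string a proxy.pac's FindProxyForURL() returns. It performs the check the post asks for: each "PROXY host:port" entry must carry a colon, a well-formed host (dotted-quad octets in 0..255, or a hostname) and a port in 1..65535, so a typo like the one above is reported as a parse error rather than handed to the network code. The accepted keywords (PROXY, SOCKS, DIRECT), the port range and all function names are my assumptions; the two sample strings are the ones quoted in the post.

```javascript
// Added example (not from the original post): validate the string a proxy.pac
// FindProxyForURL() returns, of the form
//   "PROXY host:port; PROXY host:port; DIRECT"
// Malformed entries (e.g. a missing ':') are reported instead of trusted.

const VALID_TYPES = new Set(["PROXY", "SOCKS", "DIRECT"]); // assumed keyword set

// True if `s` is a dotted-quad IPv4 address with every octet in 0..255.
function isIPv4(s) {
  const parts = s.split(".");
  if (parts.length !== 4) return false;
  return parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
}

// True for a plausible hostname: labels of letters, digits and hyphens.
function isHostname(s) {
  return /^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?)*$/.test(s);
}

// Parses one PAC return string. Returns { ok, entries, errors }; each entry
// is { type, host, port } (host and port are null for DIRECT).
function parsePacResult(result) {
  const entries = [];
  const errors = [];
  if (typeof result !== "string" || result.trim() === "") {
    return { ok: false, entries, errors: ["empty or non-string result"] };
  }
  for (const raw of result.split(";")) {
    const item = raw.trim();
    if (item === "") continue; // tolerate a trailing ';'
    const [type, ...rest] = item.split(/\s+/);
    if (!VALID_TYPES.has(type)) {
      errors.push(`unknown proxy type in "${item}"`);
      continue;
    }
    if (type === "DIRECT") {
      if (rest.length) errors.push(`DIRECT takes no argument: "${item}"`);
      else entries.push({ type, host: null, port: null });
      continue;
    }
    if (rest.length !== 1) {
      errors.push(`${type} needs exactly one host:port: "${item}"`);
      continue;
    }
    const hostPort = rest[0];
    const colon = hostPort.lastIndexOf(":");
    if (colon === -1) {
      // The post's typo, "PROXY 10.1.1.18080", is caught here.
      errors.push(`missing ':' between host and port in "${item}"`);
      continue;
    }
    const host = hostPort.slice(0, colon);
    const portStr = hostPort.slice(colon + 1);
    // An all-numeric dotted host must be a valid IPv4 address; otherwise a hostname.
    const hostOk = /^[\d.]+$/.test(host) ? isIPv4(host) : isHostname(host);
    if (!hostOk) {
      errors.push(`bad host "${host}" in "${item}"`);
      continue;
    }
    const port = Number(portStr);
    if (!/^\d{1,5}$/.test(portStr) || port < 1 || port > 65535) {
      errors.push(`port out of range 1..65535 in "${item}"`);
      continue;
    }
    entries.push({ type, host, port });
  }
  return { ok: errors.length === 0, entries, errors };
}

// Sample inputs: the two strings quoted in the post.
const GOOD = "PROXY 10.1.1.1:8080; PROXY 10.1.1.2:8080; DIRECT";
const BAD = "PROXY 10.1.1.18080; PROXY 10.1.1.2:8080; DIRECT";

console.log(parsePacResult(GOOD));
console.log(parsePacResult(BAD));
```

Run with a JavaScript engine such as Node; the second call reports the missing colon for the first entry while still parsing the remaining two, so a client could fall back to the valid entries (or refuse the whole file) instead of crashing.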