Message-ID: <Pine.LNX.4.44.0209061816390.26824-100000@clarity.local>
From: zen-parse at gmx.net (zen-parse)
Subject: zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: GIFs Good, Flash Executable Bad]

On Tue Sep 03 2002, Blue Boar wrote:
> This is one of my favorite vulnerabilities:
> http://online.securityfocus.com/bid/1503
> It's an overflow in the JPEG handler in Netscape.
> 
> I don't know of one for GIFs off the top of my head, but the same
> principle applies. If there's a viewer with a bug, then there is a
> possibility that it can be used to exploit the client.
> 
>                                                 BB

A zero-width GIF file can cause exploitable heap corruption.
(Or: "Why not to use a graphical browser")

Vendor contacted:		17 Jul 2002
Internally patched:		19 Jul 2002 (according to changelog)
Received notification of patch: 29 Aug 2002 (via email)

http://crash.ihug.co.nz/~Sneuro/zerogif/

Contains an example exploit for malformed GIFs under Netscape 6.2.3.
Also affects a number of other browsers, including Mozilla (of course), and
manages to kill Opera.

Example exploit (when it works properly) should create ~/.mashrc with
a sample replacement for ~/.bashrc.

Certain values in 'generic.c' and possibly other files will need changing
depending on library addresses.

Comments in pngshellcode.c are related to another exploit for Netscape 
6.2.3... once I found one way to get data into known locations, I kept it.

Certain utilities (pnmtopng and ppmtogif) called by these programs are in
the netpbm-progs package.

$ make pngshellcode; ./pngshellcode
$ make enc; ./enc >mapfile.ppm ; make generic; ./generic

These commands will make the shellcode and the gif file.

This exploit is extremely "Proof of Concept" code. Sorry about the 
system() calls.

This issue is patched in Netscape 7.0 and the latest version of Mozilla.

There are a few other exploitable issues patched in Netscape 6.2.3
relating to other image formats. 

I expect (hope for?) an advisory from Netscape at some point soon for this 
and the other patched issues. 

-- zen-parse

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@....net, it 
may be redistributed without modification. 
2) In any other case the contents of this message are confidential and not
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.
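The post above says a zero-width GIF corrupts the heap in the Netscape 6.2.3 decoder; the defensive lesson is that image dimensions must be validated before any buffer is sized from them. The following is an added illustration, not code from zen-parse's PoC or from the Netscape/Mozilla sources: it walks the GIF89a header (signature, logical screen descriptor, optional global colour table, extension blocks) up to the first image descriptor and rejects frames with a zero width or height, frames that fall outside the logical screen, and truncated input. The sample GIF byte strings are constructed here for the example; the block-layout constants (0x21 extension, 0x2C image descriptor, 0x3B trailer) are from the GIF89a specification.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of the header check. */
enum gif_status {
    GIF_OK = 0,
    GIF_ERR_SHORT,      /* input ends before a required field */
    GIF_ERR_SIGNATURE,  /* not GIF87a / GIF89a */
    GIF_ERR_BAD_BLOCK,  /* unknown block introducer */
    GIF_ERR_ZERO_DIM,   /* screen or frame has width or height 0 */
    GIF_ERR_BOUNDS,     /* frame lies outside the logical screen */
    GIF_ERR_NO_IMAGE    /* trailer reached without an image descriptor */
};

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Validate the header and first image descriptor of a GIF held in buf[0..len).
 * On GIF_OK, *w and *h receive the first frame's width and height, both
 * guaranteed non-zero and inside the logical screen, so a decoder can size
 * its pixel buffer from them safely. */
enum gif_status gif_check_dimensions(const uint8_t *buf, size_t len,
                                     uint16_t *w, uint16_t *h)
{
    if (len < 13) return GIF_ERR_SHORT;                 /* 6-byte sig + 7-byte LSD */
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return GIF_ERR_SIGNATURE;

    uint16_t sw = le16(buf + 6), sh = le16(buf + 8);    /* logical screen size */
    uint8_t packed = buf[10];
    size_t pos = 13;
    if (sw == 0 || sh == 0) return GIF_ERR_ZERO_DIM;

    if (packed & 0x80) {                                /* global colour table present */
        size_t gct = 3u * (1u << ((packed & 0x07) + 1));
        if (len - pos < gct) return GIF_ERR_SHORT;
        pos += gct;
    }

    for (;;) {
        if (pos >= len) return GIF_ERR_SHORT;
        uint8_t b = buf[pos++];
        if (b == 0x3B) return GIF_ERR_NO_IMAGE;         /* trailer */
        if (b == 0x21) {                                /* extension: label + sub-blocks */
            if (pos >= len) return GIF_ERR_SHORT;
            pos++;                                      /* extension label */
            for (;;) {
                if (pos >= len) return GIF_ERR_SHORT;
                uint8_t sz = buf[pos++];
                if (sz == 0) break;                     /* block terminator */
                if (len - pos < sz) return GIF_ERR_SHORT;
                pos += sz;
            }
            continue;
        }
        if (b != 0x2C) return GIF_ERR_BAD_BLOCK;        /* image descriptor expected */
        if (len - pos < 9) return GIF_ERR_SHORT;
        uint16_t left = le16(buf + pos), top = le16(buf + pos + 2);
        uint16_t iw = le16(buf + pos + 4), ih = le16(buf + pos + 6);
        if (iw == 0 || ih == 0) return GIF_ERR_ZERO_DIM;
        if ((uint32_t)left + iw > sw || (uint32_t)top + ih > sh) return GIF_ERR_BOUNDS;
        *w = iw; *h = ih;
        return GIF_OK;
    }
}

/* Constructed 1x1 GIF89a: screen descriptor, a comment extension, one frame. */
static const uint8_t good_gif[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x00,0x00,0x00,
    0x21,0xFE, 0x02,'h','i', 0x00,                   /* comment extension */
    0x2C, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00,
    0x02, 0x02,0x44,0x01, 0x00, 0x3B                 /* LZW data, trailer */
};

/* Constructed variant whose image descriptor claims a width of 0. */
static const uint8_t zero_width_gif[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x00,0x00,0x00,
    0x21,0xFE, 0x02,'h','i', 0x00,
    0x2C, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x00,
    0x02, 0x02,0x44,0x01, 0x00, 0x3B
};

/* Wrapper returning only the status, for callers that just need accept/reject. */
enum gif_status check_sample(const uint8_t *buf, size_t len)
{
    uint16_t w = 0, h = 0;
    return gif_check_dimensions(buf, len, &w, &h);
}

int main(void)
{
    printf("good gif:       %d\n", check_sample(good_gif, sizeof good_gif));
    printf("zero-width gif: %d\n", check_sample(zero_width_gif, sizeof zero_width_gif));
    printf("truncated gif:  %d\n", check_sample(good_gif, 20));
    return 0;
}
```

The check runs before any allocation or colour-table lookup, which is the point: a decoder that trusts the descriptor's width and height fields and sizes or indexes a heap buffer from them is exactly the kind of code the post describes failing.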



