From: zen-parse at gmx.net (zen-parse)
Subject: Netscape Problems.

In a message on Bugtraq, Last Stage of Delirium wrote:
(http://msgs.securepoint.com/cgi-bin/get/bugtraq0211/255.html)

> We can understand why there was no response from Netscape since the
> three[1][3][4] vulnerabilities affecting Netscape web browser were
> submitted to the Netscape Bug Bounty program which entitles 1000 USD for
> a security bug in Netscape Communicator to its founder. Netscape seems
> to be another American company that does not seem to be fulfilling
> public obligations made through company's web pages
> (http://home.netscape.com/security/bugbounty.html). While we were
> waiting for Netscape's response to our vulnerability report, Netscape
> changed(!)  Reward Guidelines of the Bug Bounty program so that now only
> bugs in Netscape 7.x are rewarded (previously both latest 6.x and 4.8
> versions were taken into account). Nice move, huh ?

You might want to see the September 13 email reference below, and then
maybe you could still hold out some hope. Maybe. A little. Or something.



This email was written on Tuesday 26 November, 6.55pm NZDT.

As of this time, I have yet to receive any confirmation that I would be
getting any of the offered Bug Bounty. I have been informed I am eligible,
however,

bash-2.04$ egrep '^From: bugzilla-daemon@...illa.org$' mail/Bugz|wc -l
90
bash-2.04$

90 Messages related to the following bugs dated between

List of bugs and bugzilla.mozilla.org bug names:

PNG1       - 155222 - width integer overflow
PNG2       - ?????? - alpha size integer overflow
JAR1       - 157646 - Incorrect uncompressed size causes heap corruption
Javascript - 157652 - sort() and size integer overflow
GIF        - 157989 - 0 width GIF

Another bug not mentioned.

And I can't remember if I have told them about the integer overflow in the 
pop3 mail handler,

mozilla/mailnews/local/src/nsPop3Protocol.cpp:
...
         PR_CALLOC(sizeof(Pop3MsgInfo) * m_pop3ConData->number_of_messages);
...

where m_pop3ConData->number_of_messages is a server supplied value, and
sizeof(Pop3MsgInfo) is 8.

How would this be exploitable? Well, if someone offered free email with
POP3 access, there would be at least some people who would take advantage
of it. A malicious server could then potentially take over the running
instance of Netscape/Mozilla.

(gdb) print/u 8 * 536870912 
$1 = 0
(gdb) 

If I told them about this, I never saw any email about it afterwards.
(I believe this is similar to:

http://online.securityfocus.com/bid/3164/discussion/

but I haven't looked at that bug, so I may be wrong.)


Netscape story
==============

Fixes:

 PNG1 & PNG2 were fixed with one extra check in 1.0.1/1.1

 JAR1 is/will be fixed in Mozilla 1.2(beta?)

 Javascript potentially exploitable problem was fixed, however not shown
 to be definitely exploitable, however that does not mean it definitely is.
 (Look at the source and see if you can work out how to. Need to 'guess' 
 where the sort is going to place things and need to cause the offsets it
 moves to be the places you need them to be.) (fixed 1.0.1/1.1)

 GIF has had exploit method released, fixed in Mozilla 1.0.1 and 1.1, I 
 believe. The shellcode may be helpful. (The shellcode is not optimal, but 
 at least it tends to work in a threaded environment.) (fixed 1.0.1/1.1(?))


Interesting parts of communications regarding these bugs.

[Please note: some dates below may be approximate due to timezone
differences in the headers. Sorry.]

June 29
=======
Completed writeup of heap corruption in Netscape and Mozilla, via PNG.

June 30
=======
Reported PNG via Netscape Security Bug form.

July 1
======
Bug added to bugzilla.mozilla.org

[Bug 155222] Heap corruption in PNG library
http://bugzilla.mozilla.org/show_bug.cgi?id=155222

July 7
======
Notified Microsoft of potential problem in Javascript sort() method.
(Netscape was notified on the same day, I believe.)

July 9
======
Microsoft replies with regard to Javascript.

July 13 
======= 
Microsoft closes off on JS bug. Patch becomes available eventually, as 
threat was not seen as high by Microsoft.

+++++++

Netscape informed of second PNG bug/exploit method.

== Sent ==
 Date: Sat, 13 Jul 2002 04:04:56 +1200 (NZST)
 From: zen-parse <zen-parse@....net>
 To: Mitchell Stoltz <mstoltz@...scape.com>
 Subject: exploitable heap corruption via PNG Alpha data

(Different section of code, however, similar root cause.)

July 17
=======
Fix checked into 1.0.1 tree for bug 155222. (Initial PNG bug.)
Notified Netscape for GIF zero width bug vuln.

August 5
========
[An update for 155222]
------ Additional Comments From randeg@...m.rpi.edu  2002-08-05 06:16 -------
Since this bug was discussed publicly in the libpng mailing lists
and is described and fixed publicly in libpng-1.2.4/1.0.14,
perhaps it can be made a "public" Mozilla bug.

August 10
=========
Emailed Mitchell Stoltz <mstoltz@...scape.com> with regards to resolution
time for other PNG bug and jar bugs.

August 12
=========
[Bug 157646] Possible heap corruption in libjar
http://bugzilla.mozilla.org/show_bug.cgi?id=157646

Added to CC list for bug. 

August 27
=========

Another bug reported, but not listed here. An exploitable bug in part of a
security check. More info later.

August 29
=========
[Bug 157989] Possible heap corruption with 0-width GIF
http://bugzilla.mozilla.org/show_bug.cgi?id=157989
[Bug 157652] Crash, possible heap corruption in JS Array.prototype.sort
http://bugzilla.mozilla.org/show_bug.cgi?id=157652

Added to CC list for bugs.

September 6
===========
Released details of Netscape/Mozilla/other browsers 0-width GIF bug.

== Sent ==
 Date: Fri, 6 Sep 2002 18:47:51 +1200 (NZST)
 From: zen-parse <zen-parse@....net>
 To: vuln-dev@...urityfocus.com, full-disclosure@...ts.netsys.com,
      bugtraq@...urityfocus.com
 Subject: zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: 
          GIFs Good, Flash Executable Bad]
==
September 13
============
Queried about eligibility for Bug Bounty.

== Sent ==
 Date: Fri, 13 Sep 2002 23:54:58 +1200 (NZST)
 From: zen-parse <zen-parse@....net>
 To: Mitchell Stoltz <mstoltz@...scape.com>
 Subject: Query regarding Bug Bounty Program

(re: http://wp.netscape.com/security/bugbounty.html )

Which of the bugs I have submitted would qualify for this?

At the time reported the version required was 6.x, and the .jar problems 
are still exploitable (by a slightly different method) in the latest 7.x 
version.
==

== Reply ==
All of the bugs you have sent us potentially qualify, since you sent 
them to us before we released Netscape 7 and they affected the most 
current version at the time (6.2). At this point, I'm still trying to 
determine how serious the impact of some of your bugs are - I'll let you 
know soon about the bounty award.
        Regards,
            Mitch
==

October 15
==========
30 days pass with no news on bug bounty. 

== Sent ==
 Date: Tue, 15 Oct 2002 04:43:30 +1300 (NZDT)
 From: zen-parse <zen-parse@....net>
 To: Mitchell Stoltz <mstoltz@...scape.com>
 Subject: Re: Query regarding Bug Bounty Program

On Fri, 13 Sep 2002, Mitchell Stoltz wrote:

> All of the bugs you have sent us potentially qualify, since you sent 
> them to us before we released Netscape 7 and they affected the most 
> current version at the time (6.2). At this point, I'm still trying to 
> determine how serious the impact of some of your bugs are - I'll let you 
> know soon about the bounty award.
>         Regards,
>             Mitch
> 

Do you have a time frame for when this will be happening?

==

Received a reply the same day:
== Reply ==
Within the next few weeks. I'm actively working on that.
        -Mitch

==

November 13
===========
Almost another month passes before I decide to prompt some more.

== Sent ==
 Date: Wed, 13 Nov 2002 05:35:52 +1300 (NZDT)
 From: zen-parse <zen-parse@....net>
 To: Mitchell Stoltz <mstoltz@...scape.com>
 Subject: Re: Query regarding Bug Bounty Program

Just checking if there is any update in the timeframe, or if there is
any information you need that might help with determining the impact
of the issues I reported?

-- zen-parse

On Mon, 14 Oct 2002, Mitchell Stoltz wrote:

> Within the next few weeks. I'm actively working on that.
>         -Mitch
==


November 15 
=========== 
Release vulnerability details on jar: handler. This bug now has been known
for 4 months without a fix being publicly available.

November 20
===========
Bugzilla mail tells me:


== Received ==
 Date: Wed, 20 Nov 2002 13:06:42 -0800 (PST)
 From: bugzilla-daemon@...illa.org
 To: neuro@...co.nz
 Subject: (that bug i mentioned about in August 27.)



bsharma@...scape.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |VERIFIED
           Keywords|fixed1.0.2                  |verified1.0.2




------- Additional Comments From bsharma@...scape.com  2002-11-20 13:06 -------
Verified on 2002-11-20-branch build on Linux. Loaded the attached test case and
the crash does not happen. The page shows up with the line streaks.

==

Looks like it is finally fixed.


November 21
===========
No reply received yet regarding money.

== Sent ==
 Date: Thu, 21 Nov 2002 15:52:35 +1300 (NZDT)
 From: zen-parse <zen-parse@....net>
 To: Mitchell Stoltz <mstoltz@...scape.com>
 Subject: Re: Query regarding Bug Bounty Program (fwd)

Hello? Anyone there?

==


-- zen-parse

In case people haven't noticed yet, Open Source is not more secure.

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@....net, it 
may be redistributed without modification. 
2) In any other case the contents of this message is confidential and not 
to be distributed in any form without express permission from the author.
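Added example, not from zen-parse's post and not Mozilla's code: the C program below models the PR_CALLOC size computation quoted above from nsPop3Protocol.cpp, where a server-supplied message count is multiplied by sizeof(Pop3MsgInfo) (8) with no overflow check. The Pop3MsgInfo struct here is a hypothetical 8-byte stand-in, the STAT-reply parser is a constructed simplification of what a POP3 client does, and the server reply is constructed. NSPR's PR_CALLOC takes a 32-bit byte count, so the product is taken modulo 2^32, which is why 8 * 536870912 comes out as 0 in the gdb output; the checked variant shows the bound a fixed client should test before allocating.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical 8-byte stand-in for Mozilla's Pop3MsgInfo. The post only
 * says sizeof(Pop3MsgInfo) is 8, so these field names are an assumption. */
typedef struct {
    int32_t size;
    int32_t flags;
} Pop3MsgInfo;
_Static_assert(sizeof(Pop3MsgInfo) == 8, "stand-in must match the 8-byte size in the post");

/* Mirrors the vulnerable expression: PR_CALLOC takes a 32-bit byte count,
 * so the multiply wraps modulo 2^32 regardless of the host's size_t. */
uint32_t msginfo_bytes_unchecked(uint32_t number_of_messages) {
    return (uint32_t)sizeof(Pop3MsgInfo) * number_of_messages;
}

/* Hardened form: refuse any count whose product would wrap. Returns 1 and
 * writes the byte count on success, 0 if the count is too large. */
int msginfo_bytes_checked(uint32_t number_of_messages, uint32_t *bytes) {
    if (number_of_messages > UINT32_MAX / sizeof(Pop3MsgInfo))
        return 0;
    *bytes = (uint32_t)(sizeof(Pop3MsgInfo) * number_of_messages);
    return 1;
}

/* Minimal parser for the server's STAT reply, "+OK <messages> <octets>".
 * Constructed simplification of a client; returns 1 and the message
 * count on success, 0 on a malformed line. */
int parse_stat_reply(const char *line, uint32_t *count) {
    if (strncmp(line, "+OK ", 4) != 0)
        return 0;
    const char *p = line + 4;
    char *end;
    unsigned long v = strtoul(p, &end, 10);
    if (end == p || *end != ' ' || v > UINT32_MAX)
        return 0;
    *count = (uint32_t)v;
    return 1;
}

/* Number of Pop3MsgInfo entries the unchecked allocation can really hold.
 * For the wrapped case this is 0 while the client believes it has `count`,
 * so every later index into the table writes past the buffer. */
uint32_t table_capacity_unchecked(uint32_t count) {
    return msginfo_bytes_unchecked(count) / (uint32_t)sizeof(Pop3MsgInfo);
}

int main(void) {
    /* Constructed malicious server reply claiming 2^29 messages. */
    const char *reply = "+OK 536870912 1234\r\n";
    uint32_t count = 0, bytes = 0;
    if (!parse_stat_reply(reply, &count))
        return 1;
    printf("server claims %u messages\n", count);
    printf("unchecked allocation: %u bytes (capacity %u entries)\n",
           msginfo_bytes_unchecked(count), table_capacity_unchecked(count));
    if (msginfo_bytes_checked(count, &bytes))
        printf("checked allocation: %u bytes\n", bytes);
    else
        printf("checked allocation refused: count would overflow\n");
    return 0;
}
```

The check `n > UINT32_MAX / sizeof(T)` is the general form for any element-count multiply before an allocation with a fixed-width size argument; with a 64-bit size_t the same product would not wrap, which is why the example fixes the width at 32 bits to match PR_CALLOC.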


