zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: GIFs Good, Flash Executable Bad]


Date: Fri, 6 Sep 2002 18:47:51 +1200 (NZST)
From: zen-parse <zen-parse@gmx.net>
To: vuln-dev@securityfocus.com, full-disclosure@lists.netsys.com,
Subject: zero-width gif: exploit PoC for NS6.2.3 (fixed in 7.0) [Was: GIFs Good, Flash Executable Bad]

On Tue Sep 03 2002, Blue Boar wrote:
> This is one of my favorite vulnerabilities:
> http://online.securityfocus.com/bid/1503
> It's an overflow in the JPEG handler in Netscape.
> 
> I don't know of one for GIFs off the top of my head, but the same
> principle applies. If there's a viewer with a bug, then there is a
> possibility that it can be used to exploit the client.
> 
>                                                 BB

A zero-width GIF file can cause exploitable heap corruption.
(Or: "Why not to use a graphical browser")

Vendor contacted:               17 Jul 2002
Internally patched:             19 Jul 2002 (according to changelog)
Received notification of patch: 29 Aug 2002 (via email)

http://crash.ihug.co.nz/~Sneuro/zerogif/

Contains an example exploit for malformed GIFs under Netscape 6.2.3.
It also affects a number of other browsers, including Mozilla (of course), and 
manages to kill Opera.

Example exploit (when it works properly) should create ~/.mashrc with
a sample replacement for ~/.bashrc.

Certain values in 'generic.c' and possibly other files will need changing 
depending on library addresses.

Comments in pngshellcode.c are related to another exploit for Netscape 
6.2.3... once I found one way to get data into known locations, I kept it.

Certain utilities (pnmtopng and ppmtogif) called by these programs are in
the netpbm-progs package.

$ make pngshellcode; ./pngshellcode
$ make enc; ./enc >mapfile.ppm ; make generic; ./generic 

These commands will make the shellcode and the gif file.

This exploit is extremely "Proof of Concept" code. Sorry about the 
system() calls.

This issue is patched in Netscape 7.0 and the latest version of Mozilla.

There are a few other exploitable issues patched in Netscape 6.2.3
relating to other image formats. 

I expect (hope for?) an advisory from Netscape at some point soon for this 
and the other patched issues. 

-- zen-parse

-- 
-------------------------------------------------------------------------
1) If this message was posted to a public forum by zen-parse@gmx.net, it 
may be redistributed without modification. 
2) In any other case the contents of this message are confidential and not 
to be distributed in any form without express permission from the author.
This document may contain Unclassified Controlled Nuclear Information.
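The post states the bug class (a zero-width frame leads to heap corruption) but not the code path inside the Netscape/Mozilla GIF decoder, and the exploit archive itself is not reproduced here. The following is an added example, not zen-parse's code and not anything from the zerogif archive: a minimal parser for the GIF header and first image descriptor, the naive width*height buffer sizing that turns a zero-width frame into a zero-length allocation, and the dimension check a decoder should make before sizing anything from the header. The sample GIF bytes are constructed for the example; how the real decoder used the zero is an assumption about the class, not a description of the patched code.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Header fields a decoder pulls out of a GIF before allocating pixel memory. */
typedef struct {
    uint16_t screen_w, screen_h;   /* logical screen size */
    uint16_t img_left, img_top;    /* first frame position */
    uint16_t img_w, img_h;         /* first frame size */
    size_t data_offset;            /* offset of the LZW minimum-code-size byte */
} gif_info;

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parse the header, skip the global colour table and any extension blocks, and
 * read the first image descriptor. Returns 0 on success, -1 on a truncated or
 * malformed file. Like a naive decoder it does NOT reject a zero-sized frame;
 * that is gif_dimensions_ok()'s job. */
int gif_parse_first_frame(const uint8_t *buf, size_t len, gif_info *g)
{
    size_t pos = 13;
    if (len < 13) return -1;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0) return -1;
    g->screen_w = le16(buf + 6);
    g->screen_h = le16(buf + 8);
    if (buf[10] & 0x80) {                            /* global colour table present */
        size_t gct = (size_t)3 << ((buf[10] & 7) + 1);
        if (len - pos < gct) return -1;
        pos += gct;
    }
    for (;;) {                                       /* extensions may precede the frame */
        if (pos >= len) return -1;
        if (buf[pos] == 0x2C) break;                 /* image descriptor */
        if (buf[pos] != 0x21) return -1;
        pos += 2;                                    /* introducer + label */
        for (;;) {                                   /* data sub-blocks end with a 0 byte */
            size_t n;
            if (pos >= len) return -1;
            n = buf[pos++];
            if (n == 0) break;
            if (len - pos < n) return -1;
            pos += n;
        }
    }
    if (len - pos < 10) return -1;
    g->img_left = le16(buf + pos + 1);
    g->img_top  = le16(buf + pos + 3);
    g->img_w    = le16(buf + pos + 5);
    g->img_h    = le16(buf + pos + 7);
    pos += 10;
    if (buf[pos - 1] & 0x80) {                       /* local colour table */
        size_t lct = (size_t)3 << ((buf[pos - 1] & 7) + 1);
        if (len - pos < lct) return -1;
        pos += lct;
    }
    g->data_offset = pos;
    return 0;
}

/* Naive sizing straight from the header. A zero-width frame yields 0, so a
 * zero-length allocation is handed to code that then writes decoded pixels
 * into it (assumed pattern for this bug class, not the patched decoder's code). */
size_t gif_naive_pixel_buffer_size(const gif_info *g)
{
    return (size_t)g->img_w * (size_t)g->img_h;
}

/* The check to make before any buffer is sized from the header. Strict policy:
 * a frame outside the logical screen is rejected rather than clipped. */
int gif_dimensions_ok(const gif_info *g)
{
    if (g->img_w == 0 || g->img_h == 0) return 0;
    if ((uint32_t)g->img_left + g->img_w > g->screen_w) return 0;
    if ((uint32_t)g->img_top + g->img_h > g->screen_h) return 0;
    return 1;
}

/* Constructed sample: a 1x1 GIF89a with a two-entry global colour table. */
const uint8_t sample_gif_1x1[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00,  /* signature, screen 1x1 */
    0x80, 0x00, 0x00,                               /* GCT (2 entries), bg, aspect */
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,                 /* GCT: black, white */
    0x2C, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x01,0x00, 0x00, /* frame 1x1 at 0,0 */
    0x02, 0x02,0x44,0x01, 0x00, 0x3B                /* LZW data, terminator, trailer */
};
const size_t sample_gif_1x1_len = sizeof sample_gif_1x1;

/* Same file with the frame width field zeroed: the malformed case. */
const uint8_t sample_gif_zero_width[] = {
    'G','I','F','8','9','a', 0x01,0x00, 0x01,0x00, 0x80, 0x00, 0x00,
    0x00,0x00,0x00, 0xFF,0xFF,0xFF,
    0x2C, 0x00,0x00, 0x00,0x00, 0x00,0x00, 0x01,0x00, 0x00, /* width = 0 */
    0x02, 0x02,0x44,0x01, 0x00, 0x3B
};
const size_t sample_gif_zero_width_len = sizeof sample_gif_zero_width;

int main(void)
{
    gif_info g;
    const uint8_t *files[2] = { sample_gif_1x1, sample_gif_zero_width };
    const size_t lens[2] = { sample_gif_1x1_len, sample_gif_zero_width_len };
    for (int i = 0; i < 2; i++) {
        if (gif_parse_first_frame(files[i], lens[i], &g) != 0) { puts("malformed"); continue; }
        printf("frame %ux%u: naive buffer %zu bytes, %s\n", g.img_w, g.img_h,
               gif_naive_pixel_buffer_size(&g),
               gif_dimensions_ok(&g) ? "accepted" : "rejected (zero or out-of-canvas dimension)");
    }
    return 0;
}
```

The first sample is accepted and sizes a one-byte buffer; the second parses cleanly (the structure is valid) but sizes a zero-byte buffer, which is exactly the value the dimension check must refuse before anything is allocated or written.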
