[prev in list] [next in list] [prev in thread] [next in thread] 

List:       bugtraq
Subject:    Netscape Navigator buffer overflow
From:       Michal Zalewski <lcamtuf () DIONE ! IDS ! PL>
Date:       2000-09-28 16:45:41
[Download RAW message or body]

Haven't seen bugreport on it, so I decided to publish this vulnerability.
In fact it's pretty old, but still unpublished: Netscape Navigator is
vulnerable to trivial, remote buffer overflow attack when viewing prepared
html:

<form action=something method=something>
<input type=password value=reallylongstring...>
...other form tags...
</form>

If buffer is reasonably long, Netscape crashes with SEGV while trying to
parse this tag (it happens around 16 kB of junk as value=) while calling
function XFE_GetFormElementInfo(). It is not a stack overflow, but, as
some pointers are overwritten, it seems to be exploitable. If someone has
free time and good will, could try - recall JPEG comment heap overflow.

Only type=password is vulnerable to this attack.

_______________________________________________________
Michal Zalewski [lcamtuf@tpi.pl] [tp.internet/security]
[http://lcamtuf.na.export.pl] <=--=> bash$ :(){ :|:&};:
=-----=> God is real, unless declared integer. <=-----=

[prev in list] [next in list] [prev in thread] [next in thread]